In March 2021, CNA Financial Corp., one of the largest insurance companies in the country, suffered a ransomware attack by a cybercriminal group called Phoenix.

The attackers pressured the insurer to pay quickly by raising the ransom demand, claiming the data they held was critical and promising to help restore everything if the company paid.

The hackers originally told the insurer that the ransom was “999 bitcoins,” or about $55 million. The criminals later raised the price and said, “A waste of time. The costs have increased, 1099 BTC.”

The attackers warned the insurer that the CNA data they had was important. “It will hit hard if it is leaked,” they wrote. The attackers also told CNA that they would not publish anything or speak to the press about the incident if the company paid the ransom.

CNA reportedly paid a $40 million ransom in bitcoin.

The ransomware attack on CNA was among the largest attacks reported in 2021. Two more were:

  • In May 2021, Colonial Pipeline Co., operator of the pipeline that provides nearly half of the East Coast’s fuel supply, paid $4.4 million in bitcoin to DarkSide, a ransomware gang believed to be operating out of Russia.
  • In June 2021, JBS Foods USA, which owns factories that process one-fifth of the country’s meat supply, paid an $11 million ransom in bitcoin after it suffered a ransomware attack that the Federal Bureau of Investigation attributed to the criminal ransomware gang REvil (aka Sodinokibi).

Colonial and JBS, like CNA, had to grapple with cybercriminals who kept raising the ransom price to pressure them to promptly pay millions of dollars for decryption tools and return of their data.

In each case, the criminals’ strategies included assurances that paying the ransom would fix the situation, result in their data being returned, and avoid negative publicity for the company. They promised to provide decryption keys and erase their copies of the stolen data after the ransom was paid.

Exactly how companies were pressured to pay ransom quickly is a key lesson from a House Committee on Oversight and Reform investigation into multi-million dollar ransomware attacks. The investigation looked at how attackers infect companies’ systems and trick companies into paying millions of dollars for insecure decryption tools and data return. It also examined how companies attempt to restore compromised systems after the ransom is paid.

While learning how the crimes unfolded in these cases, the committee also called for further investigation into factors favoring ransom payments, “including the role of cyber insurance and the costs businesses can bear even after paying a ransom, especially if the cybercriminals cannot keep their promises.”

A memorandum dated November 16, 2021 on the investigation by the House Committee on Oversight and Reform identified two other important lessons from the investigation: Small security gaps led to major breaches and some companies lacked clear initial points of contact with the federal government.

The committee said neither the FBI nor the Justice Department had any concerns about the disclosure of the information in its memo.

Small failures

In all three of the costly attacks, the cybercriminals appear to have exploited “small flaws” in security systems. In Colonial’s case, the attack began with a single stolen password for an old user profile. In the case of JBS, the problem was an old network administrator account that had not been disabled and had a weak password. The CNA attackers convinced a single employee to accept a fake web browser update from a commercial website.

Ransomware can quickly paralyze IT systems and the attack may not be detected immediately. It took CNA two weeks to discover it was hacked.

“Even large organizations with seemingly robust security systems have fallen victim to simple initial attacks.”

Report ransomware

The committee’s investigation found that reporting an attack to the government can present a logistical challenge for companies and may vary depending on the company’s industry. Each of the three companies notified a variety of different federal agencies, including law enforcement, and faced delays in the response. Colonial contacted at least seven federal agencies or offices. CNA was referred first to one FBI field office and then to another. An email from a JBS officer to an FBI field office was forwarded to various agents, delaying the FBI response for several hours. The Treasury Department answered one company’s questions about sanctions, while the FBI provided the information for another company.

“Some companies lacked clear links to the federal government. Depending on the industry, companies were confronted with a patchwork of federal authorities that had to get involved in the attacks,” noted the committee, emphasizing the importance of having “clearly established contacts at the federal level.”

The consequences

Attackers assured the companies that they would keep promises to provide a decryption key and delete their copies of the stolen data when the ransom was paid. But the companies couldn’t really know if the hackers were destroying their copies, and the companies found that the decryption keys weren’t always useful.

CNA recovered its data with the help of consultants who located a repository used by the attackers. The REvil attackers never provided JBS with evidence that they destroyed all copies of the stolen data.

Although the decryption keys provided by the cyber criminals appear to have worked, it is unclear whether using the decryption keys was the most effective option. Companies said using the keys ran the risk of deleting legitimate files and in other cases they worked too slowly. Colonial told investigators that it ended up using its own backup tapes to restore its systems.

Committee hearing

Carolyn B. Maloney, D-N.Y., chair of the Oversight and Reform Committee, convened a hearing on November 16 on the cyber memo and to hear from federal officials on the government’s cyber threat strategy.

“Ransomware attacks pose serious threats to our economy, public health, infrastructure and national security, and recent incidents show the increasing number and sophistication of attacks,” said Maloney.

In addition to the CNA, JBS and Colonial attacks, she cited others involving SolarWinds and Kaseya as “spotlighting this growing national security threat”.

Maloney expressed concern about “competitive pressures that face private sector companies – especially those who perform important public functions – and state and local governments when exposed to ransomware attacks, which often lead them to comply with attackers’ demands.”

Chris Inglis, National Cyber Director, one of several government cyber experts who testified before the committee, outlined the Biden administration’s strategy to increase, prioritize and coordinate the government’s efforts, and its collaboration with the private sector and other countries, to combat cyberattacks.

“This strategy starts with an understanding of what makes ransomware so effective. Ransomware exploits key features of the modern cyber ecosystem,” Inglis told the committee.

Inglis said the government is targeting these areas of the cyber ecosystem that ransomware is exploiting:

  • Ransomware actors can buy their tools on the black market and carry out their attacks from a leased and disposable cloud-based virtual infrastructure that they can quickly tear down and rebuild once discovered.
  • The systems these criminals target are too often left vulnerable by failures to patch and upgrade, to back up data properly and reliably, or to ensure that frontline workers consistently apply basic cybersecurity practices.
  • The inconsistent application of anti-money laundering controls to virtual currency allows criminals to arbitrage and use permissive jurisdictions to launder the proceeds of their crimes.
  • Finally, all too often ransomware criminals can operate with impunity in the nation-states where they reside without being held accountable for their actions.

“The government is using the full weight of the US government capacity to disrupt ransomware actors, intermediaries, networks and to combat the misuse of financial infrastructure to launder ransom,” said Inglis.

He said the government has urged the private sector to increase its cyber defense investments. The government has also set the expected cybersecurity thresholds and critical infrastructure requirements.

The government continues to enforce anti-money laundering controls and laws as it works to “acquire new skills to track and prevent ransomware proceeds,” Inglis said.

Finally, Inglis said the government was working with international partners to disrupt ransomware networks, impose consequences and hold accountable states that allow criminals to operate within their jurisdiction.

“These are daunting endeavors, and to overcome them we need to create a digital ecosystem that is inherently resilient, a political and economic environment that aligns action, and ensure that the public and private sectors are set up for proactive and determined cooperation,” the national cyber director told lawmakers.

On November 8, 2021, the DOJ announced charges against two foreign hackers associated with the criminal ransomware group REvil, responsible for thousands of ransomware attacks, including those on JBS Foods and Kaseya. The DOJ also announced that it had seized $6.1 million in ransom the attackers had received.

According to the committee, ransomware attacks on public and private institutions in the United States cost an estimated $19.5 billion in 2020. In addition, recent data shows that financial institutions reported $590 million in ransomware-related transactions in the first six months of 2021. Current trends suggest that in 2021 alone, ransomware transactions will exceed those of the past 10 years combined.
