Ransomware Reality Check for Critical Infrastructure Sectors

Before this week's targeted ransomware attack against NEW Cooperative, and a second farming cooperative in Minnesota, the food and agriculture sector had already been asked to be at a heightened state of readiness. An FBI Private Industry Notification (PIN) published on Sept. 1 warned that ransomware attacks targeting this critical infrastructure sector were unlikely to abate, and that successful attacks could disrupt the food supply chain.

The attack against NEW Cooperative, an Iowa-based farming and grain cooperative, mirrors other ransomware incursions targeting large companies the attackers perceive would pay an exorbitant ransomware demand. In addition to encrypting critical systems, BlackMatter, an offshoot of the DarkSide ransomware-as-a-service operation that was used in the Colonial Pipeline attack, allegedly threatened to leak stolen source code for its SOILMAP software, proprietary research data, employee and company financial information, and a password database if a $5.9 million ransom demand was not met.

NEW Cooperative in its negotiations with the attackers said its proactive shutdown of production systems in an effort to contain the attack could indeed affect the grain, pork, and chicken supply chains, and that millions of animals' feedings are scheduled through the organization's software. NEW Cooperative is the 49th ranked cooperative on the National Cooperative Bank's Top 100 list for 2020; the list also includes cooperatives from industries such as finance, healthcare, energy, hardware, and pharmaceuticals.

"This will break the supply chain shortly," NEW Cooperative's negotiator told BlackMatter representatives, according to chats seen by several news outlets.

Register for an Upcoming Claroty/Booz-Allen Webinar on Ransomware Here.

While the FBI PIN singled out food and agriculture specifically, it also reinforces what industrial enterprises across sectors have come to expect as reality: As more automation, connected devices, and smart technology is introduced into manufacturing operations, criminals and state operators have more targets of opportunity at their disposal. Ransomware is an attacker's most direct line to profits, and today's most active groups, such as REvil and Ryuk, go after large companies with the the resources to pay hefty ransom demands. They have also added tactics such as lateral network movement, domain controller compromises, data theft, and "double-extortion" threats, according to the FBI.

"As of 2019, sensitive data files are commonly exfiltrated prior to encryption, and the attacker demands a payment not to publish the sensitive data on a 'name-and-shame' website," the FBI wrote in its PIN to food and agriculture. "This double extortion potentially gives the attacker more leverage to ensure payment, based on the potential damage caused by a significant data breach of sensitive information."

Food Production in Ransomware Actors' Crosshairs

JBS Foods, one of the world's largest food processing companies, fell victim in late May to a ransomware attack that shut down meat availability in the U.S. and elsewhere. REvil was allegedly behind the attack, and reports indicate the attackers were on the network as early as February before beginning to exfiltrate data in March and eventually encrypting key IT systems in May. Andre Nogueira, CEO of JBS' U.S. meat division told the Wall Street Journal the company paid an $11 million ransom, likely to prevent an online leak of stolen data.

JBS wasn't alone in meeting an attacker's ransom demands. Colonial Pipeline reportedly paid $4.4 million to recover its IT systems after a ransomware attack forced it to shut down its operational technology network in order to contain the attack, the company said. Ransom demands on average have been doubling since 2019, the FBI said, adding that alarmingly, between 50% and 80% of victims who paid ransoms were victimized again by the same attacker, or a different group.

Attacks against food and agriculture have spiked since November. The FBI's PIN describes five attacks in the sector, including JBS, that disrupted operations and kept employees from accessing key systems for days or weeks in some cases.

For example, a U.S.-based farm lost more than $9 million after temporarily shutting down farming operations after a ransomware attack in which the threat actor was able to steal administrator credentials and access internal servers. In other attacks, a U.S.-based bakery was victimized by REvil through a managed IT service provider with access to the baker's IT network. It was forced to shut down production, shipping and receiving, delaying customer orders for more than a week. The PIN also describes an attack against a U.S.-based beverage company where business systems were impacted yet the company took down production systems in order to contain the spread of the malware. The FBI warns that this trend shows little signs of slowing down.

"Cyber actors may gradually broaden their attack from just information technology (IT) and business processes to also include the operational technology (OT) assets, which monitor and control physical processes, impacting industrial production regardless of whether the malware was deployed in IT or OT systems," the bureau said in its PIN.

Ransomware Resources on the Rise

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has been ramping up initiatives to improve the resilience of critical infrastructure networks, with a particular focus on ransomware. In June, CISA published a fact sheet citing a growing ransomware threat to OT assets, and also added a Ransomware Readiness Assessment module to its Cyber Security Evaluation Tool (CSET). CERT New Zealand (CERT NZ), meanwhile, published a document, below, explaining common attack paths for human-operated ransomware incidents. These types of attacks, as described by Microsoft, are highly targeted and involve lateral network movement, credential theft, and extensive reconnaissance on the part of the attackers.

Source: CERT NZ

Within the industry, last week a crowdsourced list of vulnerabilities used to gain an initial foothold by ransomware operators and affiliates was made public, below. According to Allan Liska of Recorded Future who began this initiative, and a researcher known as Pancak3, this list will grow to include other vulnerabilities heavily targeted by ransomware groups for post-exploitation activity.

Source: Pancak3

Recommendations

Security companies such as Claroty, along with law enforcement and government organizations such as CISA stress that victim organizations do not pay ransoms; doing so only funds criminal enterprises. A much better strategy is a mix of proactive techniques and practices, mitigations, and responses:

• A complete inventory of industrial control systems, connected devices, and IT assets must be available in order to adequately assess the risk to industrial processes

• Organizations should also map OT networks in order to understand where crossover points exist with IT networks

• Network segmentation should be a best practice in order to reduce dependencies between business and industrial networks

• IT and OT networks should be resilient in the event of a ransomware attack; organizations should have business continuity plans for production networks and industrial processes

• Incident response plans should be documented, understood by affected parties, and exercised regularly

• Available, reliable, offline backups should be a best practice to mitigate against ransomware; many organizations are able to recover from a previous best state in order to resume operations with minimal downtime and loss of data

• Vulnerability management programs must include ICS and OT; attackers target web-facing applications, and exploitable security flaws are a beacon to threat actors

• Privileged identity management and two-factor authentication must be standard practices to reduce unnecessary access to critical systems Remote access solutions must be purpose-built for OT networks, and provide adequate monitoring and live-session capabilities

Register today for an upcoming webinar, Sept. 30, 2 p.m. EDT, "Increase Resiliency of your OT Environment from a Ransomware Attack," featuring Claroty's Galina Antova and Rockwell Automation CISO Dawn Capelli. Register here.