The Ransomware Menace Continues

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.

OVERVIEW

Since the last CyberSense edition highlighting global and local ransomware trends for 2020 Q1-Q3 back in November 2020, cybersecurity researchers have observed that the number of organisations impacted by ransomware globally has more than doubled in the first half of 2021, as compared to 2020, with this trend showing no sign of abatement currently.

This edition of CyberSense looks at some key takeaways from major ransomware attacks, observed in May 2021, that were targeting organisations running critical systems in the US, Ireland and New Zealand.

RANSOMWARE HAS BECOME A GROWING GLOBAL CYBER SECURITY THREAT

Although ransomware has been an enduring feature of the cyber threat landscape, its impact has been frequently considered as primarily criminal or financial. However, cybercriminals and their affiliates are becoming increasingly bolder and brazen, as they leverage effective tactics and both user and network vulnerabilities to score successful ransomware hits targeting large organisations and essential services providers. The following high-profile ransomware incidents observed in May 2021 demonstrate their potential of holding critical systems at ransom and crippling these systems’ abilities to deliver essential services:

      a. On 7 May 2021, the Colonial Pipeline Company, which operates the largest fuel pipeline in the US carrying gasoline, diesel fuel and natural gas from Texas to New Jersey, suffered a DarkSide ransomware attack. The ransomware is believed to have hit only Colonial’s corporate IT network – which facilitates aspects such as internal communications, data storage, payroll, etc. – and not its operational network that transports fuel to the entire US East Coast. Nonetheless, Colonial shut down the pipeline’s operations for nearly a week, as a precautionary measure to contain the extent of the intrusion. The company also paid a ransom of nearly 75 Bitcoins (~SGD$3.6 million), to prevent nearly 100GB of stolen data from being leaked and restore business operations as soon as possible. Notably, any prolonged pipeline shutdown leading to a shortage of natural gas could present significant threats to the US civilian power grid, as almost half of the US’s electricity in 2020 was produced by burning natural gas.

      b. On 14 May 2021, Ireland’s health service provider Health Service Executive (HSE) shut down all its IT systems after a Conti ransomware attack “as a precaution in order to assess and limit the impact”. The cybercriminals sought a US$20 (~SGD$26.5) million ransom, claiming to have stolen 700GB of sensitive data (including patient documents and financial statements) over two weeks. They even provided HSE a free decryptor, but threatened to sell or publish the stolen data if the ransom was not paid. However, the Irish government stated that they “will not be paying any ransom”, while Irish High Court issued an injunction preventing the stolen data from being shared, processed, or sold. Delivery of key healthcare services across Ireland remained disrupted nearly two weeks after the attack. HSE highlighted that it would take many weeks to restore all its IT systems, while working to get priority systems back online.

      c. On 18 May 2021, New Zealand’s Waikato District Health Board (DHB) were affected by a cybersecurity incident, causing a shutdown of all IT systems across all its five hospitals in the Waikato region. Although Waikato DHB did not reveal the incident’s exact nature, various New Zealand media outlets reported that Waikato DHB’s IT systems were crippled by a ransomware attack. Waikato DHB Chief Executive Kevin Snee emphasised that “no ransom will be paid”. Surgeries were postponed due to inaccessible patient records, in addition to disruptions to outpatient services, testing laboratories, cancer treatments, phone and e-mail services, and staff payroll systems. Waikato DHB remained uncertain as to when normalcy would return for all affected systems, but said that they were working to isolate the problem and reset their computer systems as quickly as possible.

CONSIDERING LINKAGES/INTERDEPENDENCIES BETWEEN SYSTEMS FROM A TECHNICAL AS WELL AS BUSINESS PERSPECTIVE

In the recent high-profile ransomware incidents covered earlier, we saw a “simple” ransomware attack on Internet-facing IT systems resulted in the shutting down of essential services. The exact reason why the operators opted to shut down operations remains unclear, but had been speculated to be prompted by (a) actual linkages between the operations systems and the ransomware-infected IT systems, and concern over the ransomware moving laterally to infect the former; (b) the companies’ inability to actually confirm if there are linkages between the operations and IT systems, and choosing to shutdown out of caution; or (c) that the operations systems were in fact isolated from the ransomware-infected IT systems, but the latter also comprised key operational or business-dependant functions (e.g. billing systems, customer database, etc.) that compelled the company to shut down operations anyway. Regardless, it means that organisations have to ensure that in addition to essential systems, key, business-dependent functions in the provision of essential services must also be adequately protected from such attacks.

KEY TAKEAWAYS

It is imperative that organisations maintain full asset visibility through reviewing their network architecture. Organisations should be fully cognisant of their system dependencies, and not be pressed into injudicious decision-making as they try to contain cyber incidents. The mapping out of linkages and planning for all contingencies in Business Continuity Plans (BCP) and IT Disaster Recovery (IT DR) plans (including situations where perceived “non-critical” systems or “periphery systems”, such as clinic queue systems which could have considerable impact on business operations), would give decision-makers alternatives to extreme decisions such as the complete shutdown of systems. The latter could potentially lead to a crippling of the ability to deliver essential services, which subsequently transpired following the ransomware attacks affecting Colonial and the Irish and New Zealand healthcare systems.

In mitigating ransomware attacks, it is recommended that organisations check their systems (e.g. IT-OT) for dependencies and linkages. This review of system dependencies falls under the implementation of cyber hygiene practices to secure the infrastructure against ransomware attacks, which include formulating a backup and recovery plan for critical data and performing offline data backups regularly. Please refer to SingCERT’s advisory for recommended cyber hygiene practices.

REFERENCES:

BBC, Blackfog, Bloomberg, Check Point, Elliptic, Guardian, New York Times, Radio New Zealand, RTE News, Staff, The Irish Times, The New Zealand Herald, Threatpost, US Cybersecurity and Infrastructure Security Agency, Wall Street Journal, Washington Post, ZDNet