Gas Lines Unmask Ransomware Crisis: Where Next?

America finally woke up to the reality that we have a ransomware emergency worthy of real attention. How did events unfold and what will happen next?  

Image: A car being filled with fuel at a gas station. (Shutterstock)
All across the southeast, the results of our collective failure to protect critical infrastructure were on display last week. As gas shortages and long lines of vehicles snaked through Virginia, North Carolina, South Carolina, Georgia and other states, more Americans than ever before were learning the definition of “ransomware.” And, perhaps, what critical infrastructure insecurity truly means.

Many cyber experts started predicting that cyber attack troubles were coming to one or more of our critical infrastructure sectors more than a decade ago, and indeed, sporadic online attacks made occasional headlines in areas such as the electric grid out west or the water supply in a Florida town.

But those events, and many other similar attacks, seem like lab experiments when compared to the Colonial Pipeline system disruption that occurred on May 7th courtesy of the DarkSide ransomware gang.

HITTING HOME


I can easily picture this conversation between a six-year-old girl in the back seat of a car and her father driving her to school last week in North Carolina:

“Daddy, why are the cars all lined-up at the gas station? It wasn’t like this yesterday. What happened?”

“Well honey, it was ransomware.”

“What’s ransomware?”

A NEW PHASE OF RANSOMWARE DISRUPTION


In some ways, it is amazing that it has taken this long. Somehow, the ransomware events of the past two or three years never crossed that magical line of “getting the nation’s collective attention.”

Sure, there have been plenty of ransomware attacks on hospitals and philosophical debates about paying ransoms. You can blame it on COVID-19 preoccupation or the disparate cities around the country that were hit, or perhaps the large number of unreported ransomware incidents.

But regardless of the reasons, the ransomware crisis has now reached a new phase in the United States of America (USA). No longer can cyber pros be called fearmongers, chicken littles or even FUD addicts.

None of that will do anymore. America has now lived through these real-life headlines:


We are in a new phase of this global cyber battle, and the public and private sectors face new challenges. There are many, many ramifications to the events that have occurred over the past two weeks, but here are a few items to highlight:


QUICK BIDEN ADMINISTRATION RESPONSE SHOWS LEVEL OF ATTENTION — AND CONCERN


There was a quick recognition that this mini crisis, perhaps the first in the Biden administration, required prompt action. The whole of government response included many parts:


PRESIDENT'S EO RECOGNIZES WIDER RAMIFICATIONS FOR ALL CRITICAL SECTORS


No doubt, the most substantial ongoing response was the release of President Biden’s Executive Order on Improving the Nation’s Cybersecurity. This EO deserves a blog of its own, but needless to say it is well-written and a powerful set of directives with teeth and hard-to-meet deadlines.

This fact sheet is a good executive summary, and my friend Richard Stiennon provided an excellent commentary here. I also wish Chris DeRusha and his team all the best in coordinating these important EO efforts. He is the right person for that job.

I will have much more to say on this in coming months, but when combined with the recent Ransomware Task Force Recommendations, there is a lot of work to do. More than just a road map for federal government actions in the year ahead, the EO really provides a guide for state and local governments and much of the private sector as well.

Challenges will include the fact that resources will need to be provided to perform all of these tasks, and the implementation authority does not exist for the private sector and state and local governments. Nor does the ability to remediate these challenges exist for most of the companies that own and operate critical infrastructure, such as Colonial Pipeline. These cyber vulnerability issues have been known for years, and, based on media reports, it appears that the company was behind in cybersecurity protections, to say the least.

INDUSTRY RESPONSE TO THE EO


The immediate response to the EO from many industry executives shows broad support for this approach, and here are some of the industry reactions:

MJ Shoer, senior vice president and executive director of CompTIA’s Information Sharing and Analysis Organization (ISAO), regarding the Executive Order on Improving the Nation’s Cybersecurity announced by President Joseph R. Biden:

“Our nation is at an inflection point in terms of cybersecurity policy, regulation and legislation. The SolarWinds incident, Colonial Pipeline hack and scores of other cyber attacks that didn’t make the headlines magnify the need for a national discourse on cybersecurity issues. As we continue to integrate emerging technologies into our federal cyber framework, it is essential to have a modernized architecture built on information sharing and real-time incident response. It is also a national imperative to move away from ‘cyber shaming’ agencies and private organizations that are victims of attacks. Instead, we should practice and promote more real-time information sharing about potential threats to create more ‘noise’ in the search for bad actors.

“President Biden’s executive order specifically calls for information-sharing improvements within the federal government by enacting a governmentwide endpoint detection and response system. CompTIA supports the elimination of barriers that hamper information sharing so IT service providers doing business with the federal government can report cybersecurity breaches without the fear of legal consequences. But public/private information sharing must go beyond companies with federal contracts. …”

Hitesh Sheth, president and CEO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:

“President Biden’s executive order is a good start. We’re better off for it. Mandating endpoint detection and response as a new governmentwide focus is particularly important yet we can’t forget about threat detection and response for cloud, data center and IoT. Too many agencies still rely on obsolete prevention strategies. That said, cybersecurity must remain a bipartisan legislative priority. Executive orders can only accomplish so much, and as the Colonial Pipeline case just proved, we’re in a security emergency that demands more.”

Sounil Yu, chief information security officer at JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions:

“Several of the directives have been in discussion for a long time and many of us are glad to finally see it appear in the executive order. For example, the inclusion of a Software Bill of Materials (SBOM) requirement and a Cyber Safety Review Board are significant steps forward. For SBOMs, this is as momentous as when ingredient labels were added to food products that we buy. We've needed an equivalent for the IT products that we buy and the SBOM is a big step towards that.”

THE CURRENT QUESTION IS, WHAT WILL BE DONE NOW?


Many comments on LinkedIn posts sounded desperate. People want to know if there is anything that can be done. Of course, there are many lists and many action items, as mentioned above, but the right question is: What will actually be done?

Clearly, the White House understands the serious nature of this challenge. They are taking bold steps within the federal government space that have very tight (perhaps unachievable) deadlines.

However, the rest of the country is what I am most worried about. The smaller owners and operators of critical infrastructure – all the way from banks to electricity transmission lines to local government computer servers – are still vulnerable to ransomware and other cyber attacks.

Only time will tell how far behind we are as a nation – and a world. What is clear is that the bad actors have a decisive current advantage and they are emboldened.

While the quick responses by the administration were impressive, and the EO was clearly ready to go, I can’t help but sense a bit of rushed timing and a need to change the subject after last week’s events. Taken together with the latest announcements surrounding mask-wearing, that impression is even stronger.

In my personal opinion, they probably wanted that EO (initially) to come out sometime in June on a sunny day with nothing else in the headlines – especially not multistate gas shortages.

OTHER SIGNIFICANT RANSOMWARE ATTACKS


Behind the scenes in the past 10 days, and not getting nearly the attention of the Colonial Pipeline attack, another significant ransomware incident hit D.C. Police, and the criminals threatened to release police records and knock 911 offline.

Here’s an excerpt: “The group, Babuk, already had posted on the dark web lengthy dossiers of several officers. It claimed it stole more than 250 gigabytes of data late last month and is threatening to release more information as well as share files containing the names of confidential informants with criminal gangs if officials don’t pay a ransom.

The most recently posted documents contain sensitive information about 22 officers, such as fingerprints, dates of birth, polygraph test results and residential, financial and marriage history, according to NBC News. The hackers claim that they demanded $4 million in ransom and the department countered with $100,000, which they deemed unacceptable. …”

At the same time, the city of Tulsa was hit by a ransomware attack that was “affecting city services and impacting many citizens. For instance, people can't pay their utility bills or get a copy of accident reports. …”

Also, Zscaler released a report featuring analysis of key ransomware trends and details from the past few years about the most prolific ransomware actors. The report covers the attack tactics used and the industries most often targeted, and it highlights the “double extortion” trend now being used against victims.

FINAL THOUGHTS


On Friday morning, May 14, we learned about another headline-grabbing, “very sophisticated” ransomware attack in Ireland that was impacting their nationwide health service.

“Ireland's health service operator shut down all its IT systems on Friday to protect them from a ‘significant’ ransomware attack, crippling diagnostic services, disrupting COVID-19 testing and forcing hospitals to cancel many appointments.

An international cyber crime gang was behind the attack, Ireland's minister responsible for e-government said, describing it as possibly the most significant cyber crime attempt against the Irish state. …”

These ransomware attacks continue relentlessly and keep growing in scale. They are now impacting life-sustaining services, travel and much more in ongoing ways.

The difference from earlier attacks is that the public is watching closely, the societal impacts are wider, the ransoms are more expensive and the call for action is growing louder.

Nevertheless, I expect more disruptions from ransomware before things improve. Our cyber battles are more like a marathon than a sprint, and the bad actors are way ahead in the race at the moment.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.