Anatomy of a ransomware attack

Chris Saucier is the Strategic Alliance Development Director for Cybersecurity and Secure Communications at the Roux Institute. In the wake of two recent high-profile ransomware attacks—both of which posed a threat to national security—we spoke with Saucier to shed some light on the what, where, why, and how.

A recent article from CNBC said, “A month ago, the hack of the Colonial Pipeline, which controls 45% of fuel in the Eastern U.S., led to panic buying of gas. This week’s ransomware attack on the world’s biggest meat processing company, JBS, escalated concerns about the potential for a spike in meat prices and food supply as a national security threat.”

Can you explain what happened in each attack?

In both instances, the company’s networks were breached. Withholding the specifics of how the attackers successfully gained access is often one of the demands they levy on their victims as part of the ransom. Most often, networks are breached through ‘phishing’ attacks sent through email or through nefarious websites that entice employees to click on website links. These website links give the criminals the access they need to install the software. Once on the victim’s network, they will look for files or data that appear to have value. This can range from intellectual property to financial documents, and data that the victims may have about their customers is often of particular interest. Third-party data like this is extremely valuable to the criminals, as it can add an extra level of importance to paying the ransom to protect their customers’ information.

Where were the major security lapses that allowed them to be successful?

Without close knowledge of the cases, it’s hard to speculate where the breaches occurred, but more than likely it was because an employee accessed something or clicked on a phishing link.

The group behind the Colonial Pipeline breach was allegedly paid the ransom they demanded, though there is some information that suggests that U.S. Government investigators were able to retrieve a portion of the ransom.

As for the JBS attack, the company responded by isolating the infected portion of their network and was able to restore their data using backups. Company sources claim that they only lost a day’s worth of production as a result of the breach. On Wednesday evening, JBS released a statement announcing that they paid an $11M ransom after most of the company’s facilities were back online. Of the decision, Andre Nogueira, CEO of JBS USA, said, “This was a very difficult decision to make for our company and for me personally, however, we felt this decision had to be made to prevent any potential risk for our customers.”

In both cases, the attackers were successful in gaining notoriety for their organizations, which can sometimes serve as a recruiting tool for new hackers. Both groups were successful in meeting their monetary goal, at least partially. When these groups achieve their financial goals, it incentivizes others to join the cause.

Why were the attackers successful?

Ransomware attackers have some interesting tricks up their sleeves and their tactics are constantly evolving. When they encrypt a victim’s data, they often make a copy and store it on their own systems. If the victim pays the ransom, they’ll often promise to destroy the backup and have even been known to provide advice to their victims on how to prevent being a victim in the future.

If the victim does not pay the ransom, the attackers will often threaten to make their data publicly available and destroy the encrypted data. So imagine if attackers gained access to some of your sensitive data, such as healthcare records, financial information, or intellectual property, with no backup: a victim could suffer a long list of downstream effects. Loss of a year’s worth of work or more, reputation damage, and in the future, as legislation catches up, companies could be liable for damages to their customers for losing data in their possession.

How do we prevent these attacks in the future?

Being prepared requires an investment in people, a change in processes, and use of the right technologies. For businesses, it may require an investment in newer technologies and hiring or developing the employees that know how to build strong cyber resilience. A lot of companies I’ve worked with over the years outsource their information technology to third-party vendors. This is a fine practice, but I recommend that companies should be very particular about how their information will be managed. Do you know what your service agreement says? How are they managing your systems? Are you backing up your data daily? As for processes, organizations should revisit what they allow their employees to do on their company computers. Also, do you have a process to follow in the event of a breach? What are you going to do if something goes wrong?

The biggest challenge is the people element. People need better education on how to make smart decisions online, especially when they’re using a company computer, but also in their daily lives. There are a lot of social engineering tactics popular right now that are getting people to share information online. The most common one I’ve seen lately is where people are asked to provide a few pieces of information to produce a funny combination of names that they’ll call your “professional wrestling name”, or something similar. Information such as “what was your first car” or “what’s your mother’s middle name”? All the data you’re sharing is being captured! Don’t those questions sound like the questions you’re asked by websites when you need to recover your password?

How do the cybersecurity programs at the Roux Institute prepare learners to enter the workforce and the cybersecurity field?

The cyber programs at the Roux Institute are geared toward developing well-rounded cyber leaders; ones that understand the big picture of how security fits into an organization’s operations. They cover technology aspects, of course, but also policy and cyber law. The programs are very well-balanced and give learners the ability to build the skill sets needed to advance as leaders in their chosen fields. With the Align Program, there are even options for those without a computer science background to build the necessary skills to succeed in some of the more technical courses.

About Chris Saucier

Chris Saucier is the Strategic Alliance Development Director for Cybersecurity and Secure Communications for the Roux Institute, where he serves as the central point of contact for the institute’s efforts to develop and advance innovation-focused research alliances for cybersecurity and communications. Before joining Northeastern, Saucier served as a strategy consultant with ‘Big 5’ consulting firms Accenture and Deloitte, then joined Portland’s Beacon Group, where he led the company’s Aerospace, Defense and Government consulting practice.

Saucier is also a 20+ year Air Force Veteran and continues to serve as a Lieutenant Colonel in the Air Force Reserves. His military assignments have included the Air Force Warfare Center, United States Cyber Command, and the National Security Agency (NSA) among others.