Amid a recent wave of malicious activity from nation-states and criminal actors, key industrial sectors are at heightened risk of ransomware, as supply chain constraints add enormous pressure to provide essential components, agricultural products, medical supplies and other goods.
Sierra Wireless, a Richmond, Canada-based provider of IoT devices, was the target of a March 20 attack that forced it to shut down production facilities until March 26.
"While the investigation of the incident is ongoing, we believe at this time that the incident was limited to our internal systems and website only as we maintain a clear separation between our internal IT systems and our customer-facing products and services," Kent Thexton, president and CEO of Sierra Wireless, told analysts on the company's fiscal first-quarter earnings call last month.
The Sierra Wireless attack highlights a critical question for private sector companies in the current security environment: pay millions of dollars in ransom to an untrustworthy criminal actor, or ride out a criminal extortion attempt that may do serious harm to the brand and cut off critical supplies to customers.
Businesses can take certain precautionary steps, including backing up critical data so that attackers who encrypt production systems cannot destroy every copy of essential files, and maintaining the ability to continue processing payments. Organizations can also set up a plan for workers to fall back to manual operations at plants that rely on automation. But in many cases, businesses either fail to put those options in place, or cannot make the business case that those options are sufficient.
Top executives need to fully understand which operations can function under a potential ransomware scenario, according to Paul Proctor, distinguished VP analyst at Gartner.
"Security and risk people need to be working with executives right now to ensure that they are making the business decisions necessary to prepare them for ransomware," he wrote in a May blog post.
Chris Rouland, founder and CEO of Phosphorus Cybersecurity, has analyzed the network and security profiles of almost a million IoT and security devices across corporations and government agencies. Nearly half of those firms use default credentials, about 50% of the devices run vulnerable firmware that is not getting updated, and more than one-quarter of the devices are at end of life and no longer receiving regular security updates, he said.
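The three conditions Rouland describes (default credentials, outdated firmware, end-of-life hardware) are exactly what a fleet inventory audit should flag, and they call for different fixes: credentials can be rotated and firmware updated, but an end-of-life device can only be isolated or replaced. The following is an added example, not code from Phosphorus or from the article; the default-credential list, the device inventory and the reference date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical default-credential list. A real audit would draw on vendor
# documentation or a curated database, not this handful of pairs.
DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("admin", "1234"), ("admin", ""), ("user", "user"),
}

# Date the audit is run against; fixed here so the results are reproducible.
REFERENCE_DATE = date(2021, 6, 15)


@dataclass
class Device:
    name: str
    username: str
    password: str
    firmware: str          # version currently running on the device
    latest_firmware: str   # latest version the vendor publishes
    eol: Optional[date]    # vendor end-of-life date, None if still supported


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in v.split("."))


def audit_device(d: Device, today: date) -> List[str]:
    """Return the posture findings for one device, in a fixed order."""
    findings = []
    if (d.username, d.password) in DEFAULT_CREDS:
        findings.append("default-credentials")
    if parse_version(d.firmware) < parse_version(d.latest_firmware):
        findings.append("outdated-firmware")
    if d.eol is not None and d.eol <= today:
        findings.append("end-of-life")
    return findings


def recommend(findings: List[str]) -> str:
    """Map findings to the action that actually removes the exposure."""
    if "end-of-life" in findings:
        return "isolate and replace"   # no patch will ever arrive
    if "outdated-firmware" in findings:
        return "update firmware"
    if "default-credentials" in findings:
        return "rotate credentials"
    return "no action"


def audit_fleet(devices: List[Device], today: date):
    """Per-device findings plus the fraction of the fleet affected by each condition."""
    report: Dict[str, List[str]] = {d.name: audit_device(d, today) for d in devices}
    n = len(devices)
    summary = {
        key: sum(1 for f in report.values() if key in f) / n
        for key in ("default-credentials", "outdated-firmware", "end-of-life")
    }
    return report, summary


# Constructed sample inventory (four devices), not data from any real network.
FLEET = [
    Device("camera-01", "admin", "admin", "1.2.0", "1.4.1", None),
    Device("plc-gw-07", "svc_ops", "X7!kq92Lm", "3.0.5", "3.0.5", date(2019, 12, 31)),
    Device("badge-rdr-12", "root", "root", "2.1", "2.1", None),
    Device("hvac-ctl-03", "hvac", "Gq4#rT8wPz", "5.2.1", "5.3.0", date(2024, 6, 30)),
]

if __name__ == "__main__":
    report, summary = audit_fleet(FLEET, REFERENCE_DATE)
    for name, findings in report.items():
        print(f"{name:14} {', '.join(findings) or 'clean':45} -> {recommend(findings)}")
    for key, frac in summary.items():
        print(f"{key:20} {frac:.0%} of fleet")
```

The fleet summary is the figure to put in front of executives, in the form Rouland uses (fraction of devices affected); the per-device recommendation is what the operations team needs, and it deliberately ranks end-of-life above the other two because that is the one condition patching cannot fix.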
The current environment for malicious cyber activity is the worst Rouland has ever seen in his career, he said.
"The bottom line is you're talking about a crime, mostly committed by people who never get caught, so the downside, the risk is very low," Rouland said.
Behind the attack
Sierra Wireless attributed the March ransomware attack to Ragnar Locker, Thexton said during the earnings call. But he did not provide details about the method of attack, what the ransom amount was or whether it was paid. Sierra Wireless officials did not return requests for comment.
Researchers at Mandiant have observed about 30 organizations appearing on the Ragnar Locker shaming site between April 2020 and this month, according to Kimberly Goody, senior manager, financial crime analyst at Mandiant Threat Intelligence. Most of the organizations were based in the U.S. and spanned disparate industries; however, some Asian and European organizations have also appeared on the site.
"In comparison to some other ransomware operations, this volume is relatively low, accounting for 1% of the victims we've seen appear on all ransomware shaming sites we track in 2021," Goody said.
Multiple threat clusters have deployed the Ragnar Locker ransomware, and therefore intrusion tactics may vary, she said.
The FBI issued an alert about Ragnar Locker in November 2020, citing a prior April 2020 attack in which the threat actor demanded $11 million after encrypting files and threatening to release 10 TB of sensitive company information. Ragnar Locker also reportedly ran a Facebook advertising pressure campaign against Italian beverage company Campari Group.
Sierra Wireless incurred $5 million in direct costs related to the attack and $18 million in indirect impact, most of the latter from being unable to factor its receivables, CFO Samuel Cochrane told analysts. "I believe there was about $500,000 of net cost, and that was about the insurance deductible." Factoring is the sale of accounts receivable to third-party finance companies as a means of maintaining cash flow.
Law enforcement guidance has historically been for companies not to pay ransom, but that message has not resonated with many corporate executives who are more concerned about their ability to maintain operations, particularly at a time when supply chain bottlenecks are putting enormous pressure on manufacturers.
Six out of every 10 companies would be willing to pay ransom in the event of an attack, according to a report released last week from Neustar International. One in five respondents said they would be willing to pay more than 20% of annual revenue to recover from an attack.
The results were based on a May survey of 304 IT and senior level security executives across six EMEA countries and in the U.S.
Organizations have a heightened level of concern about the impact of ransomware, with 69% of respondents calling ransomware their top concern among more than a dozen different threat vectors, according to Neustar data. That represents a 16% increase over the survey's two-year average.
The pressure to maintain operations in a critical industry, or the threat of severe financial disruption in an industrial setting, pushes a company toward making a ransom payment rather than risking an extended break in operations, according to Rodney Joffe, senior vice president and fellow at Neustar and chairman of the Neustar International Security Council.
"A company fears or believes that if they do not pay the ransom, then they will go out of business, either because of the delay in getting back up and running rapidly enough from remediation or backups, or the belief that they will not be able to recover because they have no working backups or technical solution," he said, via email.
The ransomware attack at the North American affiliate of JBS, the world's largest meat supplier, highlights the potential risks involved in the critical, but often overlooked, agriculture and food supply.
Officials in the agriculture industry have warned of such a potential cybersecurity threat for years, according to John Hoffman, a retired colonel and senior research fellow at the Food Protection and Defense Institute at the University of Minnesota.
"The food and agriculture sector has been targeted for many years," he said via email. "But you do not hear much about it, because firms are reluctant to have their brand associated with news of such attacks."
More recently, cybersecurity firm CrowdStrike in late 2020 identified agriculture as a potentially lucrative target of threat actors linked to the Democratic People's Republic of Korea as well as China. The activity observed in the agriculture industry appeared to be related to international trade tension and concerns about food security at a time when numerous industries were dealing with supply chain concerns linked to the COVID-19 pandemic.
An attack in June 2020 was linked to Labyrinth Chollima, a threat actor with long-standing ties to North Korea. In that incident, a phishing lure sent to a North American agricultural business led to the installation of a malicious loader, which allowed a hands-on operator to perform various discovery activities.
The Biden administration issued an executive order designed to help standardize security practices in certain critical industries, because the rash of recent ransomware attacks exposed a lack of minimum standards and practices that would help protect those industries from extended disruption.