Manufacturers Beware: Machine Controlling Malware and “Double Extortion” Ransomware Is Looking For YOU!
As if being locked out of your sensitive commercial data wasn’t enough. Now, cybercriminals promise to either publicly publish or sell your designs, strategic plans, and valuable trade secrets to the highest bidder if you do not pay. Or they lock out critical manufacturing systems to pull the plug on vehicle production. This month alone, several major companies have hit the headlines for double extortion or for the locking down of production processes. What do you need to know to be ready to face this evolution in cybercrime?
In the News: Recent Events Show Trend of Targeting Manufacturers
On Tuesday, June 9, 2020, Honda Motor Company confirmed that its global operations were hit by the “Ekans” ransomware targeting systems that control machinery and production equipment. News sources indicate that employees in the U.S. were sent home from work after discovering that equipment and phones were not working.
In another example, ST Engineering, a global engineering design firm, and its VT San Antonio Aerospace division was attacked by the “Maze” ransomware in early June. In addition to locking the company out of its data, the cybercriminals were able to obtain copies of VT’s data including client information, contracts, and details of relationships with foreign countries and U.S. governmental agencies.
ST Engineering fell victim to one of the latest tactics in a cybercriminal’s arsenal: double extortion. But they are not alone. Several prominent A-List celebrities also had information exposed when a hacker group used “REvil” ransomware to attack a well-known entertainment law firm. The criminals demanded $21 million in exchange for the stolen data. When the demand was not met, the hackers released a first batch of data that included promotional agreements, expense sheets, and other contracts as they raised their demand to $42 million.
What is “Double Extortion” Ransomware?
“Double extortion” is the latest strategy employed by ransomware operators. In a traditional ransomware attack, the cybercriminals access your corporate network and encrypt your files and databases. It is possible that you may be able to restore your system and data from uninfected backups. You may also choose to pay the cybercriminals, although many may not keep their word and you may get only some of your data, if you receive a valid decryption key at all. This is why many security experts, including the FBI, recommend against paying the ransom. In the end, the best-case scenario may take you days or weeks to become operational again and you may lose valuable data, even if you do pay.
As more and more companies are taking aggressive strategies to prepare for this eventuality, the cybercriminals have doubled down on their extortion demands. Before these criminals encrypt your systems, they extract large quantities of sensitive commercial data. In addition to the demand for cryptocurrency to unlock your system, they will also increase the pressure with the added threat that they will publish your data or auction it off to the highest bidder if you do not comply. Initially, the cybercriminals will typically publish enough information to prove it had access to a company’s system. Often, they save the “crown jewels” for a later release to incentivize companies to pay the increased demand.
One of the first victims of a double extortion was a large American security staffing company. In November 2019, the company refused to pay a 300 Bitcoin ransom (approximately $2.3 million at the time). In response, the attackers published samples of the stolen files including contracts and medical records as they issued a new ransom demand that was 50% higher than the original figure.
Targeting Production Systems
Industrial systems have always been a target of cybercriminals. Over the years, many state-sponsored attacks have targeted industrial operations including an attack at a petrochemical plant in Saudi Arabia and other critical infrastructure systems around the globe. But as of February 2020, the advent of the “Ekans” ransomware (also known as “Snake” – Ekans spelled backward) sparked a “deeply concerning evolution” in malware, according to security researchers.
The “Ekans” malware specifically targets industrial control systems (ICS) and is one of the first known file-encrypting malware that was built to directly infect computer networks that control operations in manufacturing and utilities environments with ransomware. This form of ransomware is highly devastating to manufacturers as the ransomware can lock or delete ICS processes while locking out the team and stopping production.
What Should We Do?
1. Have knowledgeable counsel at the ready:
Your response team should consult with counsel as soon as an attack is realized. Counsel can assist with:
- Determining whether notification requirements exist. As a manufacturer in the automotive or aerospace and defense space, you may have regulatory requirements to notify your customers or a governmental agency of the nature of the event. Industry records show that when reported too early—before the forensic team is satisfied with all the details necessary for an informed report—companies pay more per compromised record than those companies who wait to make a more informed report. Also, contacting the authorities before a team is able to collect and preserve relevant data makes it difficult, if not impossible, to correctly identify “patient zero” or to determine what digital records are involved.
- Determine contractual obligations. Beyond regulatory requirements, you may have to notify your customers. For example, in its Terms and Conditions, BMW requires notification “without undue delay” when a supplier obtains “knowledge of an incident which involves breach to the Information Security … and which could concern” BMW.
2. Assess the risk:
The risks of double extortion and ICS attacks provide a good reason to check your plans and conduct needed assessments. At this time, you should:
- Conduct a risk assessment. A risk assessment can aid in identifying, estimating, and prioritizing the cyber risks an organization is facing. It provides an opportunity to identify the assets that could be affected by an attack, including the hardware, systems, customer data, and company intellectual property.
- Test your backup and recovery plan. Check the ICS-CERT Alerts https://www.us-cert.gov/ncas/alerts to keep abreast of news and security warnings. The need for segregated back-up systems is clear when ransomware encrypts your system. When a solid back-up plan is in place, the consequences of a ransomware attack on an entity’s system may potentially be minimized.
- Update your Incident Response Plan. A good plan is one that evolves with new challenges. With the emerging threats in double extortion and ICS attacks, you should develop new tactics and security controls to mitigate these risks while taking the opportunity to incorporate lessons learned from other recent events.
3. Protect your assets:
- Train your workforce. Make sure that your entire workforce has sufficient training (at least annually) and education about security and, in particular, phishing attacks. While there may be patches to help alleviate the risks of ransomware, there are no patches for human error.
- Review your insurance policies. Now is the time to verify your cyber-event insurance coverages, including coverage for damages including the costs of breach notification expenses and remediation activities and costs.
Of course, if you have any questions at all, our Butzel Long Cybersecurity and Privacy team is here to help.