Ransomware protection for the long haul

After the slew of ransomware attacks on logistics companies in 2020, it’s time for the industry as a whole—both service providers and customers—to take the threat seriously and employ a prevention strategy that works.

A ransomware attack occurs when a company’s computers are encrypted by a hacker and the hacker holds the decryption key until a ransom is paid. During the attack, production and/or the movement of goods shuts down. No one can work on company servers, computers, or software until either the ransom is paid or the company manages to restore its production servers from backups. Even if the ransom is paid, there is no guarantee the company will get its data back, nor does it enjoy any “immunity” from a second attack. Furthermore, ransomware is insidiously contagious; once installed, the malware can unknowingly be transferred to the victim’s client companies days before it knows an attack has occurred.

Worldwide, ransomware attacks occur once every 11 seconds, according to Cybersecurity Ventures, and unfortunately logistics companies (and those “logistics adjacent”) have recently become new favorite targets for hackers. The most notable case was the September attack on the French container line CMA CGM, which ultimately cost the company $50 million. Logistics companies are a tempting target for cyber criminals because their immediate need for data on products in transit makes them more likely to pay a ransom.

As a cybersecurity specialist, I’d suggest that IT security in the logistics space is not what it should be in 2021 and that each successful attack further imperils the industry as a whole. Having worked with many companies after a ransomware attack, I can assure you that the consequences are devastating: some companies go out of business, others face lawsuits from customers for failing to adequately protect cargo from cybertheft, and still others have to deal with vital data being posted to the dark web.

The costs of ransomware

Let’s admit upfront that IT security is expensive, and it doesn't drive revenue, making it hard sometimes to get buy-in from senior executives. However, ransomware attacks have many lasting costs associated with them beyond just the ransom, including the cost of:

• Specialists to restore systems,
• Downtime,
• Computers needing to be rebuilt,
• Inability to complete freight settlement payments,
• Inability to roll trucks,
• Loss of signed bills of lading,
• Increased driver turnover (due to the sometimes vengeful and personal nature of the attacks), and
• Loss of customer confidence

Whether you pay the ransom or not, every company computer will need to be formatted and reinstalled to ensure that the ransomware software is not still floating around your environment. That usually requires top-tier IT cybersecurity teams for a series of tense, difficult, 24-hour workdays, because rebuilding needs to be done both rapidly and carefully. Depending on how many computers need to be formatted and reinstalled, your tab could easily run into the six-figure range.

Additionally, the amount of downtime that you experience will only multiply your costs. For example, staff will still need to be paid, even if they are unable to work. While sending your staff home without pay could reduce the cost, there’s frequently a lasting loss of company morale that accompanies that decision. Then there are the problems and confusion over shipments already in progress: freight settlements cannot be completed because the EDI system is broken; contact information for customers, vendors, and drivers is often lost; and bills of lading cannot be collected from customers, halting new shipments from being dispatched.

And in most cases, it's going to be weeks for systems to be restored.

Perhaps the most lasting cost of a ransomware attack is the reputation of your company. As Warren Buffet once famously said, “It takes 20 years to build a reputation and five minutes to ruin it.” Ransomware attacks can not only cost you customers but also generate customer lawsuits claiming negligence due to your lack of ransomware protocols.

Given the potentially fatal volume of risk, it’s ultimately more economical to invest in your security.

Your ransomware protection roadmap

Unfortunately, there is no lone software solution that can protect your company from a Ransomware attack. To avoid (or decrease) the costs associated with a potential ransomware attack, companies need to create a comprehensive protection plan. Protecting your company will require some technical solutions, as well as training. From a technical perspective, there are several things that can, and should, be done.

Implement multi-factor authentication (MFA). MFA combines something that you know, such as your username and password, with something that you have with you, typically your cell phone. Upon logging in to your email, VPN (virtual private network), company chat application, or even your desktop computer, the user will receive a unique one-time code either within an application installed on their phone or via text message that enables them to log on. Using MFA makes hacking the system more challenge because even with a password, the attacker generally doesn’t have access to the employee’s cell.

Prevent unnecessary access to servers. Typically, employees have much greater access to servers than they need to do their job. Adopting “least privilege” access protocol involves giving staff access only to what they need. This way, if there is a breach of the company, the attacker would only have access to a minimal number of resources throughout the company.

Block server access to the internet, if possible. Ideally, no servers should have any sort of internet access. This prevents any ransomware software that gains access via employee error from being able to talk to the command-and-control server, which sends commands to the software and encrypts all the files on your file system. By blocking this function, you can stop the attack in its tracks. If internet access is essential, such as an application which needs to import data from a vendor’s system, a specific-use server can be adopted that is entirely separate from the rest of your environment.

Use a “ringed network” design. Proper network design is a “ringed network,” where workstations and servers are placed in different sections of the network and those network segments have specific rules designed to protect them. A ringed network is not difficult to implement. The outermost ring—where users’ desktops and laptops are—has internet access as well as access to the next ring in the environment. The second ring consists of servers that users need to access directly, such as file servers and domain controllers. While users can access services on these servers, any network ports not specifically needed are closed by firewalls. And in order to prevent these servers from talking to a command-and-control server during a ransomware attack, these servers do not have internet access. The innermost ring of the network design is the servers that users do not have direct access to, such as the phone system as well as any backend processing servers.

Typically, these innermost servers do not have access to the middle ring of servers either, except for very specific needs. Likewise, the servers in the middle ring do not have access to the servers in the innermost ring of the network unless there is a specific need. This protects the servers in the innermost ring, in the event that the servers within the outer rings are infected and means you can still do such essential activities as make calls and process accounting issues.

Route email through an inbound email filtering and scanning system. One that inspects all attachments, as well as URLs included in the emails to ensure that there is no clandestine attack delivered. There are several software packages that can perform this task.

Employ an internet threat management software package. Installed at the network edge, this type of software can review all network traffic to the internet, as well as block any suspicious network traffic before it gets there. This level of security can help prevent workstations that have been compromised by ransomware from being able to control the command-and-control server.

Train, train, train. So many of these attacks begin with human error, predominantly phishing schemes where employees open suspicious email links. Have your IT department remind your staff never to give out a username or password to anyone, ever, even to the HelpDesk, and only login screens that are an official company login prompt. Also remind them to never give out the names of company resources like server names and VPN servers. And never open an email attachment unless they are expecting one and, of course, not to ever run an executable file (.exe) that is sent as an attachment. There are IT industry standard tests which can be performed to ensure that employees respond correctly to the kinds of emails that can be the root cause of ransomware attacks.

System protection is company protection

You know your ransomware strategy is working if after a year nothing bad has happened, and it feels like you wasted your money. The reality is that these protocols are vital and can be the difference between a dull, but successful year and being next year’s cautionary tale.