How suppliers trigger ransomware attacks, cripple your business

The pandemic has driven a huge surge in ransomware, which increased by 485% globally in 2020 compared to 2019, making it one of the fastest-growing threats in cybersecurity.

While many organisations increased their IT security in response, fewer seemed to prioritise managing the risk posed by their suppliers, even though 44% of organisations reported a third-party breach in the past 12 months and 74% of those said the incident came about because they didn’t sufficiently manage privileged access.

This year, attackers will continue to target companies under pressure from the post-pandemic economic recession. In fact, ransomware is expected to attack a business every 11 seconds by the end of this year, making it critical that organisations manage risk across their supply chain or risk their business being crippled by an attack.

Triggering a ransomware attack

In the majority of cases, ransomware is enabled by human error and social engineering: the use of deceptive tactics to manipulate someone into, in this instance, clicking on malware. A prime example is phishing, whereby a user is encouraged to open a malicious email and click on its attachment or link. Phishing is typically the first step in a ransomware attack, enabling hackers to gain access to your network, especially since 30% of phishing messages are opened by targeted users and 12% of those users click on the malicious attachment or link. Once hackers have gained access to your network, they often sit on it for days or even weeks, looking for high-value data to encrypt or opportunities to plant a malicious software update (if you’re a tech vendor), before they initiate their attack.

But the impact of a ransomware attack is eye-watering. The average cost of recovery from one attack is now close to $2 million, and includes the ransom (if you pay it), downtime and lost productivity, people time, device cost, network cost, loss of revenue and other associated financial loss. A single attack can cripple your business, taking you out for days or even weeks.

Largest ransomware attacks in history

Some of the largest ransomware attacks in history started from a supplier breach.

In July, the REvil gang, a major Russian-speaking ransomware syndicate, conducted a ransomware attack against US tech vendor Kaseya. The hackers are suspected of hijacking Kaseya’s desktop management tool VSA and pushing a malicious update that infected tech management providers serving thousands of organisations around the world. It’s estimated that hundreds of organisations were affected, including the Swedish Coop grocery store chain, which was forced to close all 800 stores because it couldn’t operate its cash registers. Hackers then demanded $70m in Bitcoin to restore the data.

However, one of the most significant attacks in recent times hit the Danish integrated shipping company Maersk, which became a victim of a ransomware attack back in 2017. Maersk’s entire network was affected, including almost 50,000 endpoints and thousands of applications and servers across 600 sites in 130 countries. The attack cost Maersk between US$200M and US$300M in loss of revenue and recovery costs. Many wondered how such an enormous and seemingly robust organisation could come to a grinding halt from a cyber attack. But on closer inspection, it all came down to one of their suppliers.

Russian military hackers hijacked the update servers of The Linkos Group, a Ukrainian software business (Source: Wired 22/8/18). This provided the hackers with a back door into thousands of PCs around the world that had M.E.Doc installed, a commonly used piece of accounting software. Hackers then used this back door to release a vicious piece of malware called NotPetya, which infected thousands of organisations around the world. It’s suspected that a Linkos employee clicked on a phishing email. That gave the hackers access to their network and their entire customer portfolio.


Managing risk across your supply chain

Hundreds, if not thousands, of suppliers pose a degree of risk, depending on the data you share with them, so thinking ahead and being prepared is key. To find them, use open-source intelligence (OSINT) to monitor and assess each supplier and segment them by risk level. OSINT is the analysis of publicly available information about your suppliers from their website, email address, and social media accounts. This process will enable you to focus first on those that pose the highest risk to your organisation.

Next, evaluate each supplier’s policies and data security certifications to ensure they’re comprehensive, relevant and up to date. Provide them with an online questionnaire to fill in, which will enable you to collate relevant security information. Analyse the data to assess their security controls, identifying areas of weakness and the potential risk impact. Assign a risk score to each supplier to outline areas requiring action and provide recommendations on how to address them. If a particular supplier seems high risk, conduct a penetration test with them to identify more detailed vulnerabilities.

You can then ask the supplier to perform some remediation actions to improve their security. These can be as basic as activating two-factor authentication across their accounts or ensuring segregation of duties for Admins. Once the supplier has made security improvements, keep monitoring them using a vendor risk management (VRM) dashboard. This includes both OSINT monitoring and immediate visibility of risk criticality, allowing you to identify changes and trends.
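One way to turn the questionnaire, OSINT and scoring steps above into a ranked supplier list with remediation actions, as an added example that is not part of the original article or any vendor's product. The weights, thresholds, field names and sample suppliers are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights (not from the article): risk added by each missing control.
CONTROL_WEIGHTS = {
    "two_factor_auth": 30,
    "admin_segregation_of_duties": 25,
    "privileged_access_managed": 30,
    "certification_current": 15,
}
# Assumed multiplier for the sensitivity of the data shared with the supplier.
DATA_EXPOSURE = {"none": 0.25, "internal": 0.5, "customer": 1.0}

@dataclass
class Supplier:
    name: str
    data_shared: str                     # key into DATA_EXPOSURE
    answers: dict                        # questionnaire: control name -> bool
    cert_expiry: Optional[date] = None   # expiry of their security certification
    osint_findings: int = 0              # open issues seen in public sources

def assess(s: Supplier, today: date) -> dict:
    answers = dict(s.answers)
    # A certification only counts if it has not lapsed.
    answers["certification_current"] = bool(s.cert_expiry and s.cert_expiry >= today)
    # Unanswered questions are treated as missing controls.
    gaps = [c for c in CONTROL_WEIGHTS if not answers.get(c, False)]
    control_risk = sum(CONTROL_WEIGHTS[c] for c in gaps)
    osint_risk = min(s.osint_findings * 5, 20)   # capped so OSINT noise cannot dominate
    score = round(min(100, (control_risk + osint_risk) * DATA_EXPOSURE[s.data_shared]))
    tier = "high" if score >= 60 else "medium" if score >= 30 else "low"
    # High-risk suppliers are flagged for a penetration test, as the text suggests.
    return {"supplier": s.name, "score": score, "tier": tier,
            "remediation": gaps, "pentest": tier == "high"}

def prioritise(suppliers, today):
    """Highest-risk suppliers first, so remediation effort goes there."""
    return sorted((assess(s, today) for s in suppliers), key=lambda r: -r["score"])

# Constructed sample data, for illustration only.
SAMPLE = [
    Supplier("Office caterer", "none", {}),
    Supplier("IT helpdesk MSP", "customer",
             {"two_factor_auth": True, "admin_segregation_of_duties": True},
             cert_expiry=date(2022, 6, 30), osint_findings=4),
    Supplier("Payroll SaaS", "customer", {"privileged_access_managed": True},
             cert_expiry=date(2020, 1, 1), osint_findings=2),
]
```

Calling `prioritise(SAMPLE, date(2021, 9, 1))` ranks the payroll provider first and lists two-factor authentication, admin segregation of duties and the lapsed certification as its remediation items.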

Importance of being prepared

Ransomware attacks will accelerate this year. Organisations need to realise they’re only as secure as their weakest link. So, closing out the weak links right across your supply chain is critical.

Ransomware attacks can happen in any country, across any industry and at any time. Attacks are becoming more sophisticated, making the battleground darker, fiercer and bloodier. Organisations that don’t invest in securing their supply chain are putting themselves in the firing line, risking their entire business. Those that do can sleep well at night knowing they’re prepared.

Jonathan Wood is the CEO of C2 Cyber, a provider of Vendor Risk Management solutions which helps organisations reduce risks and vulnerabilities across their supply chain.
