My career has taken me through a winding road of many areas including finance, manufacturing, education, and, today, information security. My career has included 24 years in the manufacturing world, where I managed many risks including employee theft (check kiting and manipulation) and mail fraud (vendor checks taken out of the US Mail and altered). And in the past eight years, while serving in higher education and now information security, we have all seen an increase in cybercrime. While working in print manufacturing, I can recall walking through our plants where we kept pounds of pure silver flake sitting in buckets on the shop floor, never thinking that theft was a risk. Where did that silver come from, and why would we keep silver flake in plain sight in buckets on the shop floor? Well, for those of you old enough to remember, film, back in the day, contained actual silver. Before direct-to-plate technologies were developed, our plants burned through thousands of pounds of film annually. If you have never seen metals being extracted from film, it was pretty simple: we ran the film processing solutions through a magnetized auger spinning in buckets. Whenever the press crew got around to it, the augers would be scraped, and the silver flake bagged and locked in a file cabinet until someone got around to calling the recycler. There was always so much going on in our business that theft was not on our risk radar; taking care of our employees and serving our customers was always our focus.
While today’s businesses should be aware of the risks of theft of physical assets, greater risks may be lurking on the dark web and among sophisticated cybercriminals (both internal and external). Are the managers of your operations just as complacent and trusting as my management team and I were about protecting thousands of dollars’ worth of silver? Back in April, Sophos announced the findings of its annual State of Ransomware survey of over 5,000 IT decision makers worldwide: the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021. The average ransom paid is $170,404. The global findings also show that only 8% of organizations managed to get back all their data after paying a ransom, and 29% got back no more than half of their data. The recovery cost includes business downtime, lost orders, operational costs and more, which is why the ransom itself is only a fraction of the total.
The typical ransomware attack follows a path, and none of its steps requires working around physical security controls:
- Initial access (phishing email, brute-forced or stolen credentials, or exploitation of a vulnerability in an Internet-exposed system).
- Internal reconnaissance and lateral movement. Lateral movement refers to the techniques an attacker uses, after gaining initial access, to move deeper into the network in search of sensitive data and administrative credentials. Left undetected, data theft can continue for weeks or even months after the original breach.
- Data exfiltration or manipulation.
- Ransomware deployment and data encryption.
- DDoS against your business’ website or network until a payment is negotiated.
- Publication of the stolen data on a leak site if the ransom is not paid.
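The last two technical steps of that chain, mass encryption and the ransom-note drop, leave a recognizable signature in file-server activity logs. As an added example (not part of the original post, and not FoxPointe’s tooling), the script below runs two heuristics over such a log: a burst of same-extension renames from one process within a short window, and one process creating a file of the same name in many directories. The log line format, the process and file names and the sample events are all constructed for this illustration; thresholds are assumptions to tune against your own baseline.

```python
"""Heuristic detection of the encryption stage of a ransomware attack from
file-server activity logs. Added example; the log format and the sample events
are constructed for this illustration, not taken from any product."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os.path


def parse_event(line):
    """Parse one constructed log line: '<ISO timestamp> <process> <action> <path> [<new path>]'."""
    parts = line.split()
    ev = {"ts": datetime.fromisoformat(parts[0]), "proc": parts[1],
          "action": parts[2], "path": parts[3]}
    if ev["action"] == "rename":
        ev["new_path"] = parts[4]
    return ev


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=20):
    """Flag a process that renames `threshold` or more files to one new extension
    inside `window`. Encryptors typically append an extension to each victim file,
    so a burst of same-extension renames from a single process is a strong signal."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # process -> deque of (timestamp, new extension)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "rename":
            continue
        old_ext = os.path.splitext(ev["path"])[1].lower()
        new_ext = os.path.splitext(ev["new_path"])[1].lower()
        if old_ext == new_ext:          # ordinary rename, extension unchanged
            continue
        q = recent[ev["proc"]]
        q.append((ev["ts"], new_ext))
        while ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        count = sum(1 for _, ext in q if ext == new_ext)
        if count >= threshold and (ev["proc"], new_ext) not in fired:
            fired.add((ev["proc"], new_ext))  # one alert per process/extension pair
            alerts.append({"rule": "mass_rename", "proc": ev["proc"],
                           "ext": new_ext, "count": count, "first_seen": q[0][0]})
    return alerts


def detect_note_drop(events, min_dirs=5):
    """Flag a process that creates a file with the same name in `min_dirs` or more
    directories: the ransom note is usually written into every folder touched."""
    seen = defaultdict(set)  # (process, file name) -> set of directories
    for ev in events:
        if ev["action"] == "create":
            directory, name = os.path.split(ev["path"])
            seen[(ev["proc"], name)].add(directory)
    return [{"rule": "note_drop", "proc": p, "name": n, "dirs": len(d)}
            for (p, n), d in seen.items() if len(d) >= min_dirs]


def constructed_events():
    """Constructed sample: routine activity, then one process renaming 25 drawings
    in 25 seconds and dropping a note into six folders. All names are invented."""
    t0 = datetime(2021, 6, 1, 2, 14, 0)
    lines = [
        f"{t0.isoformat()} WINWORD.EXE write /fs01/eng/specs/pump-a12.docx",
        f"{(t0 + timedelta(seconds=5)).isoformat()} explorer.exe rename "
        "/fs01/eng/specs/old.docx /fs01/eng/specs/old.bak",
        f"{(t0 + timedelta(seconds=9)).isoformat()} backup.exe create /backup/2021-06-01/eng.tar",
    ]
    for i in range(25):
        ts, d = t0 + timedelta(seconds=40 + i), f"/fs01/eng/drawings/line{i % 6}"
        lines.append(f"{ts.isoformat()} enc.exe rename {d}/part{i}.dwg {d}/part{i}.dwg.locked")
    for i in range(6):
        ts = t0 + timedelta(seconds=70 + i)
        lines.append(f"{ts.isoformat()} enc.exe create /fs01/eng/drawings/line{i}/RESTORE-FILES.txt")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    evs = constructed_events()
    for alert in detect_mass_rename(evs) + detect_note_drop(evs):
        print(alert)
```

The single benign rename by explorer.exe never reaches the threshold, while enc.exe trips both rules within the first minute of encryption. In practice the same two rules can be expressed as saved searches in whatever log platform collects file-share audit events; the value of catching the burst early is that encryption on a file server is usually the last step, and the window to isolate the host is measured in minutes.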
Organizations should take action to cultivate among their employees an understanding of their technological and regulatory responsibilities, the resources available to them, and how to apply that knowledge in their own departments.
Today more than ever, manufacturing companies are the most likely targets of double-extortion ransomware attacks, according to a report from Zscaler’s ThreatLabZ research team. In a double-extortion attack, criminals not only encrypt data but steal it too, so that they can threaten to publish it if the victim does not pay. A few ransomware threats that the manufacturing sector should be aware of: Ragnar Locker, which deploys a virtual machine on the target machine and runs the encryptor inside it to evade endpoint security, with 22% of its attacks hitting manufacturers; DoppelPaymer, which targeted manufacturers in 15.1% of its incidents; and Conti, whose top target has also been manufacturing, at 12.4% of its attacks.
This year has brought record-setting ransomware attacks on manufacturers and on the critical infrastructure that depends on them. The following are just a few examples.
- An attack on Taiwan-based PC manufacturer Acer brought the highest ransom demand seen to date: $50 million. On March 18, a post on REvil’s dark web leak site contained a long list of financial records that allegedly came from Acer, together with a demand for $50 million in Monero cryptocurrency.
- REvil ransomware operators struck again on April 20, this time against Quanta Computer, a Taiwanese manufacturer that builds laptops for Apple. Quanta confirmed that it was attacked by threat actors, who reportedly attempted to extort both Quanta and Apple.
- On May 7, Colonial Pipeline Co. learned that it was the victim of a ransomware attack, which disrupted fuel supply to much of the U.S. East Coast for several days. Although the ransomware affected only IT systems, the company shut down its pipeline operations as a precautionary measure. It was later revealed that Colonial paid a $4.4 million demand, despite having backups, in an effort to get back online as soon as possible. The FBI attributed the attack to the DarkSide ransomware gang, known to use double-extortion tactics to persuade victims to pay.
As we have been confronted with shortages in almost every area of life this past year, from organic almond milk to toilet paper, we were reminded of the real implications of continuous strain on factories and the manufacturing supply chain. We should also be aware that the increase in malware-associated breaches (61.2%) is likely attributable to the continued rise of “name and shame” tactics by ransomware actors. In most cases, your organization’s data will be stolen as well as rendered inaccessible in place. During this year, personal data (customer PII) has been the most commonly compromised data type in the manufacturing sector, possibly related to increased automation and the ease of attack. The data suggests that more actors are achieving their final goals, since credential compromise happens naturally as an attacker moves within an environment. Lastly, we should be aware that ransomware last year surpassed both DoS and phishing as the most common variety of attack among malware incidents.
So, what are some of the best practices to protect against and mitigate ransomware attacks?
- Perform regular system backups. Key policy elements should include the minimum frequency of backups, onsite and offsite (and ideally offline or immutable) storage of backup media, and periodic restore testing, since a backup that has never been restored is an assumption rather than a control. (NIST SP 800-34)
- Segment your network so that a compromised workstation cannot reach every server. Use multi-path (redundant) networks to preserve availability, and place different classes of virtualized firewalls between segments so that lateral movement is both blocked and logged. (NIST SP 800-125)
- Conduct regular network security assessments. A security assessment is the process of determining how effectively an entity’s controls, or the lack of them, are working. Three types of assessment method should be used: testing, examination, and interviewing. (NIST SP 800-115)
- Conduct employee security training. Management should regularly communicate that it is everyone’s job to ensure online safety at work. Everyone should be an IT risk manager. (NIST SP 800-50)
- Get your password security under control, and add multi-factor authentication wherever the platform supports it. Stronger authentication requires malicious actors to have better capabilities and expend greater resources to subvert the authentication process. (NIST SP 800-63)
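The password item above is worth making concrete, because NIST SP 800-63B’s guidance on memorized secrets runs against many legacy policies: length and blocklist screening instead of composition rules, no forced rotation, and salted one-way hashing on the verifier. As an added example, not part of the original post and not FoxPointe’s own code, the script below implements those checks. The blocklist is a tiny constructed stand-in for a real breach corpus, the context words and candidate passwords are invented, and the 256-character upper bound is this example’s own choice (800-63B only requires that at least 64 be accepted).

```python
"""Memorized-secret (password) handling along the lines of NIST SP 800-63B
section 5.1.1.2: minimum length, no composition rules, blocklist screening and
salted one-way hashing. Added example; the blocklist, context words and
candidate secrets are constructed stand-ins, not a real breach corpus."""
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8     # 800-63B: verifiers SHALL require at least 8 characters
MAX_LEN = 256   # 800-63B: SHOULD accept at least 64; 256 is this example's own cap
# Constructed, tiny stand-in for a breached/commonly-used password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2021"}


def normalize(secret):
    """Apply Unicode NFKC before length checks and hashing, as 800-63B recommends."""
    return unicodedata.normalize("NFKC", secret)


def has_repeat(s, n=4):
    """True if any character repeats n or more times in a row (e.g. 'aaaaaa')."""
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        if run >= n:
            return True
    return False


def has_sequence(s, n=4):
    """True if n or more characters step by exactly +1 or -1 (e.g. '1234', 'dcba')."""
    for step in (1, -1):
        run = 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            if run >= n:
                return True
    return False


def check_secret(secret, context_words=(), blocklist=BLOCKLIST):
    """Return (accepted, reasons). Deliberately no upper/lower/digit/symbol rules
    and no expiry: 800-63B drops both in favour of length plus blocklisting."""
    s = normalize(secret)
    low = s.lower()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(s) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if low in blocklist:
        reasons.append("found in compromised/common-password list")
    if has_repeat(low):
        reasons.append("repetitive characters")
    if has_sequence(low):
        reasons.append("sequential characters")
    for word in context_words:          # service name, username and similar
        if word.lower() in low:
            reasons.append("contains context-specific word %r" % word)
    return (not reasons, reasons)


def hash_secret(secret, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 (SP 800-132 KDF; 800-63B asks for a random salt
    of at least 32 bits, here 128). Returns what the verifier should store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_secret(secret, salt, iterations, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("Summer2021", "Tr0ub4d", "1234abcd", "correct horse battery staple"):
        print(pw, check_secret(pw, context_words=("acme", "jsmith")))
```

Note what passes and what fails: a long all-lowercase passphrase is accepted, while a short or seasonal password that satisfies every classic complexity rule is rejected. In production, swap the constructed blocklist for a full breached-password corpus (or a k-anonymity lookup against one) and keep the iteration count under review as hardware gets faster.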
FoxPointe Solutions is Here to Help
To learn more about how to protect your business from a ransomware attack and how FoxPointe Solutions can help your organization get started, contact us today.
Danny Bradbury, “Several ransomware families prioritized the manufacturing sector in the last year,” IT Pro, May 2021. https://www.itpro.co.uk/security/hacking/359533/report-finds-ransomware-hitting-manufacturers-hardest