The Colonial Pipeline case shows that ransomware is more sophisticated; so is protecting yourself from it

When a giant like Colonial Pipeline, the largest oil pipeline operator in the United States, falls victim to ransomware with such catastrophic results, even triggering a crisis in the fuel market, the warning goes out to all other companies around the world. And it can no longer be ignored.

The Colonial Pipeline case is evidence that ransomware has become a web, made up of interconnected problems, in which there are no easy solutions to the complexity that this type of attack has gained over time. It has long since left the virtual world. It's affecting the physical world too, with the strength to stop cities and affect entire markets. And it's likely to get worse from now on.

The $5 million ransom paid by Colonial Pipeline to the threat actors is likely to encourage other attackers to carry out similar attacks on critical infrastructure networks, not just in the United States. A recently released study shows that, in the second quarter of 2021, a thousand organizations in several countries were impacted every week by at least one such attack. Brazil is one of the invaders' favorite territories. In 2020, Brazil ranked ninth among the countries suffering the most ransomware attacks, with more than 3.8 million incidents.

The devastating power of data hijacking is incalculable. There are hundreds of cases of companies that have fallen victim and never managed to get back on their feet.

Colonial Pipeline case - why ransomware has become an epidemic

The cybercriminals who introduced the ransomware into Colonial Pipeline's IT network chose their target carefully, because that's how these groups operate. The logic is simple: the bigger the company, the greater the number of intrusion attempts. And when the infection finally occurs, it spreads like wildfire. In the case of the US giant, the fuel for that fire was the flaws in the segmentation between the IT and OT environments.

But there are other doors through which infection occurs. Technological obsolescence is usually one of them. Many companies' virtual environments operate with outdated technology that is patched infrequently, leaving their cyber security posture below acceptable levels.

Technological updates are rapid, which is why not all organizations are able to keep up. Just think: it wasn't that long ago that many companies had the option of simply implementing data backup and recovery solutions so that, in the event of a ransomware attack, they could focus on restoring systems rather than paying a ransom to the criminals.

This has been a very sound strategy for a long time, and it is still valid, but only as part of a larger security architecture. On its own, it's far from enough, considering the threat surface businesses are exposed to, and because criminal groups have developed alternative methods of pressuring companies to pay the ransom. These include the tactic of double extortion.

Once the ransomware has encrypted the company's data and issued a ransom demand for payment in exchange for the decryption key, the cybercriminals make the additional threat of publishing or selling the most sensitive information if the target refuses to pay the ransom. This is double extortion. With this tactic in play, it doesn't matter if the company has invested in backups as a precautionary measure.

It's always good to remember that there are many reasons not to pay the amount demanded for data hijacking. Firstly, paying supports illegal business models. Secondly, we already know that hundreds of companies that have paid the ransom have fallen victim to the same scam again and again, sometimes at the hands of the same group of cybercriminals.

Protection that keeps pace with the evolving risks of the digital world

Security is not a single method, but a dynamic and agile process. To be considered secure, an environment needs to be analyzed and monitored continuously, using intelligence and highly trained professionals to manage vulnerabilities and incidents in companies. Strategies must be designed according to each corporate context.

Unpreparedness for the digital transformation contributes to increasing insecurity. Protection does not always keep pace with technological advances and the risks they bring. Security therefore has to cover all phases, processes and environments of an organization.

It's true that many data breaches are caught by existing security tools. The problem is that the alert is often not acted on or is forgotten. Threats go unnoticed and remain in a company's environment for months because there is a lack of 24/7 coverage, there is little internal knowledge of protection operations, and security teams are not well structured.

Information security today needs to be based on what we call the security triad: people, processes and products. This wide range of talent, technology and professional experience, aligned with the business, raises the maturity of security and the level of the brand in the market. ISH Vision is a solution that offers this level of personalized service, taking into account the role and timing of each organization. The Threat Intelligence team, made up of highly qualified professionals, continuously researches and collects information, and Artificial Intelligence (AI) learning is added to this.

The result is a Detection and Response Service (DRS) that eliminates the fatigue of alerts and false positives and delivers a practically real-time response. In cases of ransomware, it identifies the intrusion attempt early on, preventing deep damage to the business.

It's true that there is no silver bullet. But Brazil already has solutions to match the complexity of cybercrime, capable of minimizing the risks of attacks. Talk to one of our experts and see how to protect your business based on your company's reality.

By João Paulo Barros