Ransomware shows us the supply chains we rely on are fundamentally flawed


Ransomware is exhausting. The criminals behind cyberattacks that encrypt computers, and now steal and leak data, while completely disrupting business as usual are predatory, callous jerks. Ransomware is often described as a 21st century hostage attempt, run by cartels of various shapes and sizes, offering “ransomware-as-a-service” opportunities and messing with everything from schools to hospitals to small businesses. I dislike comparing types of crime and reducing the complex nature of ransomware cybercrime to a simple encryption scheme. Because if we have learned anything since 2017 it’s that ransomware and the operators behind it are becoming increasingly adept at disrupting the underpinnings of society – whether they mean to or not. 

Let me be clear: This is not cyberwar. It is activity revealing an intricate web of flawed systems that rely on insecure computing, invasive vendor operations, and interconnected services that drive our daily lives. Ransomware, especially in the last three years, has shown how fundamentally connected the world is and how we are supported by various supply chains, from agriculture to manufacturing to healthcare to elections. We rely on computers working correctly in order to live. And I would argue no other cyber threat comes as close to holding a mirror up against our enmeshed reality and exposing its flaws.

The discourse that bubbles up whenever ransomware is discussed is fascinating, if not flawed. Ransomware is definitely targeting elections! Ransomware is definitely not targeting elections! Can both statements be correct? (Well, no, but the answer is a bit more complicated.) 

Ransomware is a major threat to every industry. But perhaps not a direct threat. The indirect impacts of ransomware can have as much, if not more, impact than the encryption activities.

Take, for example, sheep. Earlier this year, the auction-buying software platform Talman suffered a ransomware attack. Talman is the largest supplier of in-house wool IT systems globally, and more than 75% of the industry in Australia and New Zealand uses the company’s products. Australia alone is one of the world’s largest wool producers, and 2017 data suggests its wool exports were around $3.615 billion. So, it’s a booming business.

In February, Talman’s ransomware attack brought wool buying and trading to a halt across Australia. According to local reports, auctions were cancelled for a week, “preventing 44,000 bales of wool worth up to $70 million entering the marketplace.” The incident put added pressure on an industry already beset by the coronavirus pandemic and bushfires that blazed across the country. Wool farmers and brokers were immediately impacted both financially and logistically. But the disruption would have domino effects on buyers and their customers like textile mills, manufacturers, and others in the business who rely on timely shipments for production and distribution.

Australia’s wooly woes are a great example of how companies around the world are interconnected through what people refer to as the “supply chain.” This is formally defined as “the sequence of processes involved in the production and distribution of a commodity,” but can be everything from software that supports auctioneering to the manufacturers that make your phone to the vendors that have remote access to industrial operations. You as a consumer are, in fact, part of the supply chain, albeit a link somewhat toward the end.

Ransomware has revealed that these links are fragile. In 2017, we saw WannaCry and NotPetya (not a ransomware, I know) bring companies to their knees, disrupting logistics, manufacturing, and healthcare. In 2020, we see Ryuk, Maze, Sodinokibi, and multiple other ransomwares and their operators targeting and disrupting steel production, state and local governments, and software providers that happen to work with organizations supporting U.S. elections.

Various government agencies and the tech behemoth Microsoft have warned ransomware is one of the largest threats to the upcoming elections. But it’s not the ballots or voting machines that concern experts. As Microsoft said in its blog announcing a disruption of the infamous Trickbot malware, “adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.” Effectively messing with the tools we use to function in a democracy. This, my friends, is the supply chain.

(I would like to point out here, however, that there has been no public evidence of adversaries actually doing this. If you are aware of ransomware adversaries specifically targeting software and services supporting election systems in an effort to disrupt the U.S. elections, please message me on Keybase, as I would love to know.)

In my role as senior cyber threat analyst at the industrial cybersecurity firm Dragos, I scour the web (clear and “deep,” thank you) looking for evidence of ransomware attacks and the consequences they have on businesses. Often the public looks at ransomware in a vacuum: this attack locked up computers at this company, and they either had to pay a million dollars or work with the FBI to get their stuff back. (I’m simplifying it, I know.) Sometimes the monetary cost of ransomware is revealed in the millions of dollars, either because a company paid for the decryption key or because it cost them dearly to rebuild impacted systems. Note to analysts and reporters: Federal financial filings are treasure troves of ransomware data and what attacks cost businesses.

However, it is impossible to know the true cost of ransomware. Not just in monetary expenditures, but in the loss of business, reputational damage, physical harm done to people, or the emotional and psychological toll on people who have been victimized by a ghost. It is also difficult to learn how much of an impact the ransomware had on customers and partners. Companies will frequently say the attack did not impact their customers or operations, but sometimes we eventually learn that it did.

Ransomware is a scourge on our interconnected world, but I believe companies, industries, and society as a whole can come out stronger and more resilient after facing down these adversaries. Ransomware – at least the initial access and encryption – can generally be prevented by practicing proper security measures. “Security Hygiene” it is called, but I hate that term. We also must realize that no matter the link along a chain of supply and demand, it is strong, and it is valuable, and a tiny disruption can make the whole thing fall apart.