After Colonial Pipeline (and MOVEit), what can we do to prevent another ransomware attack?

This is an updated version from the original article published in 2021.

Earlier this month, it was reported a Russia-based ransomware gang exploited a vulnerability in the MOVEit file transfer software, using it to steal data and extorting money out of the victims. This follows a series of ransomware attacks against end user entities, some of them more critical in nature, for example Colonial Pipeline that suffered a breach in 2021. The truth is, in the connected age, ransomware attacks can happen not just to computers at oil and gas companies, but also to IoT devices and IP cameras at other organizations. Taking precautionary measures against such attacks, then, becomes quite important.

On June 7, the Cybersecurity and Infrastructure Security Agency (CISA) and FBI published a joint cybersecurity advisory with recommended actions to protect against the MOVEit vulnerability, which was allegedly exploited by the CL0P Ransomware Gang, reportedly based in Russia.
 
According to the CISA press release, which cited open-source information, CL0P began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer solution, known as MOVEit Transfer, beginning in May 2023. Internet-facing MOVEit Transfer web applications were infected with a specific malware used by CL0P, which was then used to steal data from underlying MOVEit Transfer databases.
 
CL0P subsequently demanded ransom from the victims to keep the data undisclosed.
 
Similar incidents have happened before. In May 2021, American oil pipeline system Colonial Pipeline suffered a ransomware attack, which impacted computerized equipment managing the pipeline. The company subsequently shut down its operations and paid the requested ransom. It was the largest cyberattack on an oil infrastructure target in the history of the United States.
 
The perpetrator is said to be the criminal hacking group DarkSide. The attack’s ramifications were not limited to Colonial Pipeline itself but also to a wide range of end user entities, including airports in US Southeast. Panic buying also occurred at gas stations across the region.
 

Ransomware attacks nothing new

 
In fact, ransomware attacks are nothing new. The earliest case was reported in 1989. A ransomware attack entails the attacker encrypting files on the users’ computer system, and demanding the user pay a ransom to get the files decrypted.
 
“The easiest way for ransomware to infect a device is through phishing spam, such as an attachment in an email. Once the user downloads and opens the attachment, the malware can infect and take over the computer and start encrypting files,” said Luke Bencie, MD, and Zachary Smith, Junior Associate at Security Management International.
 
They added: “There are several different types of ransomware flavors, such as CryptoWall, Apocalypse, Cerber, Jigsaw, Locky, and Petya. Each flavor of ransomware infects a device in a different manner, and therefore encrypt files in a different way. However the end result is the same – a user needs to have the decryption key in order to regain control over their files.”
 

Any smart device is susceptible

 
Ransomware attacks commonly target computer networks of small and medium businesses who usually have weaker security protocols. But then again, this is the age of IoT. Ransomware attacks can happen to any computer, smart phone or connected device, be it IP camera or NVR.
 
“Any ‘smart’ device is susceptible to an attack via ransomware. Cameras are more commonly attacked with other types of malware, but ransomware attacks are possible, and have been carried out. There have been no large-scale ransomware attacks on mass groups of IP cameras or other security devices, as those devices are generally targeted by malware such as Mirai or Mukashi, but there is always the possibility,” Bencie and Smith said.
 
When struck by a ransomware attack, there’s really little the user can do. “If your device is infected with ransomware, you need to reboot Windows in safe mode, install antimalware software, scan your system, and restore the computer to a previous state. However, doing this will only allow you to regain control of your device. The files infected by the malware are already encrypted and unreadable,” Bencie and Smith said. “Depending on the sophistication of the malware, it will be impossible for anybody to decrypt the files without access to the decryption key held by the attacker.”
 

What measures should be taken

 
Fortunately, most cyberattacks, including ransomware attacks, are preventable. This however requires various precautionary measures taken by the end user.
 
In the case of Colonial Pipelines, for example, there were certain measures that the company could have taken to avert the disaster. “The simplest thing that the Colonial Pipeline could’ve done is to add two-factor authorization, much like we as individuals can do for our bank accounts and other sensitive information, or to utilize a better VPN. More specifically, the Colonial Pipeline could have restricted file sharing access, blocked Tor proxies, cracked down on security and firewall protocols on file sharing, and added endpoint detection and response on all file sharing,” Bencie and Smith said.

It’s worth noting that today’s physical security solutions providers are cybersecurity-conscious. Security features protecting users against threats and intrusion are already found in products by most security companies, including Axis, Genetec, Teledyne FLIR, 2N and Milestone, among others.
 
For the rest of us, we should also do our part to protect devices against ransomware attacks. “Most ransomware attacks are performed because of user negligence or naivety. Vendors could mandate the implementation of two-factor authorization for file access, but the burden of preventing ransomware is primarily on the consumer,” Bencie and Smith said. “Like we’ve always been told: don’t click on a link from an unfamiliar email, don’t download files from unknown, insecure, or generally ‘sketchy’ looking sites, and don’t ever give your usernames and passwords to anyone. Don’t enter personal information in pop-up screens, install a phishing filter, and if you receive what you believe to be a phishing attack containing some kind of malware, report it to authorities.”