Three Ransomware Attacks that Upped the Ante

July 21, 2021 | 4 minute read

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit... 

Concern surrounding ransomware attacks is high in the security industry. In our recent global research report titled Ransomware: The True Cost to Business, we found that 81% of the 1,200+ cybersecurity professionals we surveyed were highly or very concerned about the risk of ransomware.

No doubt this concern reflects the degree to which many recent attacks have changed or have given new meaning to the ransomware threat landscape. Three attacks in particular stand out.

REvil/Sodinokibi’s Attack Against Apple

At the end of April, we wrote about the REvil/Sodinokibi gang’s targeting of Quanta Computer, a business partner of Apple. Per the ransomware model, the threat actors tried to force the laptop manufacturer to pay a ransom to recover their encrypted data. When that didn’t work, the attackers shifted their attention to extorting Apple with some sensitive data that was compromised in the attack.

This incident didn’t just involve a supply chain attack where malicious actors attempted to extort a tech giant. It also involved a data leak that took place during a tech conference. Indeed, the REvil/Sodinokibi attackers waited until Apple’s “Spring Loaded” event on April 20 to publish some of Apple’s files. They then demanded that the tech giant pay $50 million or have even more of their information published.

This double extortion model has quickly become the norm, where attackers use the threat of releasing stolen data publically if a ransom demand is not met. By using double extortion, ransomware attackers can compel organizations to pay a ransom even if they were able to recover their encrypted data using data backups. Given the sharp increase in ransom demands both sought and paid, the tactic seems to be working.

Panic Buying Following the Colonial Pipeline Attack

After the DarkSide ransomware gang succeeded in infecting its systems at the start of May, the Colonial Pipeline Company took the step of halting its daily operations. This slowed the flow of hundreds of millions of gallons of fuel between Houston, Texas and the New York Harbor - basically the bulk of the supply for the Eastern Seaboard of the United States.

Many gas stations suffered fuel shortages in the days that followed, and many witnessed a surge in panic buying as customers rushed to purchase whatever fuel they could. That was even the case in Miami and Tampa—areas not served by the Colonial Pipeline Company, reported Reuters.

In light of that fuel emergency, the Federal Motor Carrier Safety Administration (FMCSA) issued an emergency declaration exempting 17 states and the District of Columbia from certain restrictions relating to the transportation of refined petroleum products by motor carriers and drivers. It did this to help gas stations and other businesses continue to receive fuel.

Significant business disruptions following ransomware attacks are not unusual. The Cybereason ransomware report found that a startling 26% of organizations reported they were forced to cease operations for some period of time following a ransomware attack.

CNA’s Ransom Payment of $40 Million

Then came news of CNA’s record-setting ransom payment to a threat group called “Phoenix.” Within a week of discovering the attack, the U.S. commercial and casualty insurance company elected to fulfill the malicious actors’ demands.

It wasn’t an ordinary ransom payment, however. The company handed over $40 million—the largest ransom demand ever reported to have been paid by a ransomware victim as of this writing.

CNA’s payment coheres with the recent growth of ransom demands. According to Bloomberg, the average ransom demand ranges between $50 million and $70 million. Many companies use cyber insurance policies to help them cover some if not all the cost of the ransom, however, thus lowering a victim’s actual payment to between $10 million and $15 million on average.

The Cybereason ransomware report found that 43% of organizations who had cyber insurance indicated that the policy only covered a portion of the costs following a ransomware attack.

The U.S. Government is Taking the Ransomware Threat Seriously

In the aftermath of these and other recent attacks, the U.S. government is taking the ransomware threat seriously. The U.S. Department of Justice began circulating internal guidance in early June instructing U.S. attorney officers to share their intelligence with a task force in Washington D.C.

“We've used this model around terrorism before but never with ransomware,” said Justice Department Principle Associate Deputy Attorney General John Carlin, as quoted by Reuters.

It was shortly thereafter when President Biden threatened that the United States would respond if ransomware actors continued to target critical infrastructure organizations and other entities. “Responsible countries need to take action against criminals who conduct ransomware activities on their territory,” Biden said at a news conference, per NPR.

How to Defend Against Ransomware Attacks

A behavior-based approach to prevention, detection and response is required for success against ransomware attacks by stopping them at the earliest stages, long before the ransomware payload can be delivered.

Specifically, organizations need a ransomware defense that moves beyond retrospective Indicators of Compromise (IOCs) and leverages proactive threat hunting based on Indicators of Behavior (IOBs), the subtle chains of malicious behavior that set the stage for a successful ransomware attack because the adversary had the time to permeate the network, making the encryption process more efficient and widespread.

These are some of the advanced APT-like aspects of an attack that precede the ransomware payload by weeks or even months - such as the initial ingress, the exploit activity, the data exfiltration and more - that were missed.

These early stages of an attack can be surfaced by way of behavioral detections if your solution has those capabilities and it’s not filtering out data it deems unimportant - a process some vendors refer to as “Smart Filtering” even though it has nothing to do with being smart and everything to do with the inability of the solution to ingest all of the available telemetry.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection and response.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed