In recent weeks, cybercriminals seem to be working their way down a checklist of the basic necessities of a modern life: Healthcare – check, Scripps, HSE and a bunch more. Energy – check, Colonial Pipeline. Food – got it! We just hit JBS.
In late May, JBS SA, the world’s largest meat processor with over 250,000 employees, suffered a ransomware attack which shut down much of the company’s US operations, as well as operations in Canada and Australia. Much as the Colonial Pipeline attack highlighted dependence on a single supplier for a large swath of the fuel needs for the Eastern Coast of the United States, the JBS attack highlights the fact that America’s food supply is likewise highly concentrated in the hands of a few companies and is therefore vulnerable to disruption that can impact the national food supply.
Brazil-based JBS supplies almost one fourth of America’s meat supply. Commenting on the attack, US Senator John Thune (R-South Dakota) said, “Attacks like this one highlight the vulnerabilities in our nation’s food supply chain security, and they underscore the importance of diversifying the nation’s meat processing capacity.” The impact of the attack was felt far beyond the company’s own customers: Chicago cattle futures temporarily dropped by as much as 3.4%, as JBS’s shutdown exacerbated a glut of unprocessed animals.
This was not the only ransomware attack on a food company in the past year. According to ransomware expert Allan Liska of Recorded Future, at least 40 food companies have been hit with ransomware during that period, including winemaker E&J Gallo and brewer Molson Coors (both, in some circles, might be considered “critical”). Gallo was attacked by the same cybergang, REvil, that hit JBS. That breach became public when REvil posted a threat to publicize data that they stole from the winemaker.
Molson Coors, the largest beer producer in North America, was temporarily shut down. It took weeks to recover from the incident. The company reported that the cyberattack, together with unusually harsh winter storms in Texas, would result in a $140 million hit to its bottom line.
The facts that JBS paid an astonishing $11 million ransom and that it took almost a week to fully restore production, despite the fact that backup servers were not affected, show that relying on backups alone is not a viable strategy: the company clearly lost millions of dollars from the production downtime alone, and the consequences of the shutdown were felt, literally, worldwide.
The availability of increasingly sophisticated ransomware – along with the growth of “ransomware-as-a-service” and cloud-based ransomware tools – has resulted in increased targeting of “whales,” large companies that cybercriminals anticipate will be willing to pay big ransoms to avoid extended downtime or embarrassing (and potentially liability-generating) releases of confidential customer information. Cybercriminals are also targeting industries that may not traditionally have been considered attractive cyberattack targets, like food companies and manufacturers, and therefore may not have made cybersecurity a top priority.
Ransomware-as-a-service is fueling much of the growth in ransomware attacks. Cyberthieves no longer need to be highly sophisticated coders to pull off a cyberattack. Someone with very modest computing skills and time on their hands can launch a large number of ransomware attacks with the ready help of “service providers” who share in the take. If they get lucky the result can be disastrous for the victim.
Past efforts to pass legislation that would have mandated cybersecurity standards for a large array of companies in critical industries were derailed by lobbying efforts of the US Chamber of Commerce – which today might be regretting doing so. Without such standards in place, it is up to each company to figure out for itself how to secure itself from ransomware attacks…or suffer the consequences.
Protecting Against Ransomware
The best way to protect against ransomware attacks – in fact, all cyberattacks – is to move to a Zero Trust approach, in which all actors, content, and interactions are considered malicious unless proven otherwise. And even when proven safe, access should be limited to only the resources each actor or process needs. Other approaches, such as conventional anti-malware software, work on the opposite principle: unless an actor or process is known to be malicious, it is assumed to be safe. This leaves organizations vulnerable to zero-day exploits, as well as to threats that manage to penetrate a system and are then free to move laterally throughout it.
Remote Browser Isolation (RBI) takes a Zero Trust approach to internet-delivered threats. Websites are opened in a virtual browser located in an isolated container in the cloud. Only safe rendering data reaches the endpoint; no website code ever runs on the user device. Yet users interact as they are accustomed to, via their usual browsers – only now safe from malvertising and other web-delivered threats. Ericom RBI also protects against malicious links in emails. Email attachments are sanitized of malware before they are delivered to user devices. Suspected phishing sites automatically open in read-only mode to prevent unsuspecting users from entering credentials.
Powerful as it is, RBI is just one part of a Zero Trust approach. The Colonial Pipeline attack, which appears to have been due to compromised VPN credentials, serves as a clear demonstration of the dangers of lateral movement. Zero Trust Network Access enforces least privilege, policy-controlled access to apps, resources and data, so they are shielded from view of unauthorized hackers. Microsegmenting access to sensitive areas of the network limits the damage that results in the event that a hacker succeeds in breaking in, by restricting their ability to move laterally within.
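To make the default-deny principle and the lateral-movement point above concrete, here is an added example that is not part of the original post and is not Ericom's product code. It models a least-privilege, segment-aware access policy as an allowlist and contrasts it with a conventional blocklist model in the scenario the post describes: a VPN credential that is valid but in the wrong hands. All segment names, principals, resources and rules are constructed for illustration.

```python
"""Toy policy evaluator: Zero Trust (default deny, microsegmented) vs. blocklist.

Added example, not from the original post. Every identifier below
(segments, principals, resources, rules) is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    principal: str     # authenticated identity making the request
    src_segment: str   # network segment the request comes from
    dst_segment: str   # segment hosting the target resource
    resource: str      # application or data store being accessed
    action: str        # "read", "write", ...


@dataclass(frozen=True)
class Rule:
    principal: str
    src_segment: str
    dst_segment: str
    resource: str
    actions: FrozenSet[str]


class ZeroTrustPolicy:
    """Allowlist: a request is permitted only when an explicit rule matches
    identity, source segment, destination segment, resource AND action."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules: List[Rule] = list(rules)

    def decide(self, req: Request) -> str:
        for r in self.rules:
            same_path = (r.principal, r.src_segment, r.dst_segment, r.resource) == (
                req.principal, req.src_segment, req.dst_segment, req.resource)
            if same_path and req.action in r.actions:
                return "ALLOW"
        return "DENY"  # nothing matched: deny by default


class BlocklistPolicy:
    """Conventional model: permitted unless the principal is already known-bad."""

    def __init__(self, known_bad: Iterable[str]) -> None:
        self.known_bad: Set[str] = set(known_bad)

    def decide(self, req: Request) -> str:
        return "DENY" if req.principal in self.known_bad else "ALLOW"


# Constructed inventory: which resources live in which segment.
RESOURCES: Dict[str, List[str]] = {
    "corp-apps": ["ticketing", "email"],
    "plant-ot": ["line-controller", "historian"],
    "finance": ["erp"],
}

# Constructed least-privilege rules: each identity gets only what its job needs.
RULES: List[Rule] = [
    Rule("contractor-vpn", "vpn", "corp-apps", "ticketing", frozenset({"read", "write"})),
    Rule("ot-engineer", "plant-mgmt", "plant-ot", "line-controller", frozenset({"read"})),
    Rule("ot-engineer", "plant-mgmt", "plant-ot", "historian", frozenset({"read"})),
    Rule("erp-service", "finance", "finance", "erp", frozenset({"read", "write"})),
]


def blast_radius(policy, principal: str, src_segment: str,
                 action: str = "read") -> Set[Tuple[str, str]]:
    """Every (segment, resource) this identity can reach from this segment.
    This is the set an attacker holding that identity's credential could touch."""
    reach: Set[Tuple[str, str]] = set()
    for seg, names in RESOURCES.items():
        for name in names:
            if policy.decide(Request(principal, src_segment, seg, name, action)) == "ALLOW":
                reach.add((seg, name))
    return reach


def compare_models() -> Dict[str, List[Tuple[str, str]]]:
    """Stolen-but-valid VPN credential: what can it reach under each model?"""
    zt = ZeroTrustPolicy(RULES)
    bl = BlocklistPolicy(["known-malware-account"])  # the stolen account is not on it
    attacker = ("contractor-vpn", "vpn")
    return {
        "zero_trust": sorted(blast_radius(zt, *attacker)),
        "blocklist": sorted(blast_radius(bl, *attacker)),
    }


if __name__ == "__main__":
    for model, reach in compare_models().items():
        print(f"{model:11s} reachable with stolen VPN credential: {reach}")
```

The point of `blast_radius` is that it is a calculation a defender can run on their own rule set: under the allowlist the compromised VPN identity reaches one ticketing app in one segment, while the blocklist model, having no reason to distrust a valid credential, exposes every segment including the plant network. Microsegmentation in this toy is simply the fact that rules are keyed on source and destination segment, so an identity that has been admitted to one segment earns nothing in another.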