André Nogueira was woken up early one Sunday morning by a phone call telling him that his company, JBS Foods, the world’s largest meat supplier, had been hacked. He was given the distressing details: A group of hackers called REvil had gained access to the company’s critical infrastructure and was holding it hostage, demanding a ransom of $11 million in bitcoin. The hack caused JBS to stop production at all of its plants in the United States as well as some operations in Canada and Australia. The shutdown rippled through the entire supply chain, halting livestock sales and leaving restaurants scrambling to find new temporary suppliers. Though Nogueira told the Wall Street Journal the company was able to restore some access to its systems via encrypted backups, JBS ended up paying out the full ransom to REvil in order to resume full operations.
The JBS hack is exceptional, not simply because of its impact on America’s beef supply chain, but because it illustrates that hacks are now part of the cost of doing business. Though the FBI advises companies against paying ransom, many do because the alternative can mean a massive data leak, loss of profits, or worse. A 2022 report surveyed over 1,200 security leaders and found that 79% of them had been the target of a ransomware attack, and 35% admitted that at least one of those attacks led to the loss of access to data and systems. Ransomware crews have become more professionalized, providing tech support and customer service for their hackers, and their attacks have grown so sophisticated that businesses looking to protect themselves have turned to a growing industry of tech firms that simulate ransomware attacks or mitigate them, and insurance firms that assist in recovery. It’s no longer a question of if a business will get hacked; it’s simply a matter of when.
In response, companies are beginning to run their own fire drills of sorts to prep for an inevitable attack. These drills do everything from measuring preparedness to employing third parties with hacking expertise so that the exercise is realistic. Businesses are scrimmaging to prevent their demise before it becomes reality. According to Alex Rice, CTO of HackerOne, a cybersecurity platform, large organizations are constantly patching what he described as “multiple unexploited near miss” vulnerabilities, but they are not voluntarily disclosed, for fear of public scrutiny. Given the near inevitability of a hack, companies are in a good spot if they’re more secure than their peers. “There’s an old adage: You don’t have to outrun the bear, just have to outrun the other campers,” Rice said through a spokesperson.
According to Brian Carter, senior cybercrime specialist at Chainalysis, hacks most often occur through business email compromises. The second most prevalent tactic often relies on social engineering, which basically means that hackers aren’t scaling the building: They’re going through the front door. They might swipe an employee’s credentials or scam an employee into opening a document with macros embedded in it. These macros allow a program to run in the background and execute code so that a hacker can pilfer data or escalate their privileges and wade further into the company. This approach has been consistent, Carter said, while the ransom demands have gone up.
Carter said he spends most of his time dealing with ransomware. Chainalysis tracks the “financial footprint” of ransomware strains, which often remain the same even when the attackers rebrand their organization. Then he has to figure out if a ransom payment is legal or if it will violate any sanctions, which can be an issue with hackers outside the US. His work also involves mapping criminal enterprises and their use of cryptocurrency, including people who sell access to hacked corporate networks, employee credentials, and malware programs. In some cases, Chainalysis can unmask the identity of a hacker involved with a ransomware attack, he said.
While many large organizations conduct threat assessments of their systems, the limitations of a test can prevent a realistic hack simulation. In an exercise called a penetration test, or pentest for short, a company will attempt to hack its own infrastructure with a designated red team of hackers (i.e. bad guys) versus a defending blue team (the good guys). The pentest might limit the target to only a small portion of the company’s infrastructure, with a designated time window and only a few red team players involved, rendering the exercise unrealistic. A limited pentest is like preparing for a heavyweight prizefight by having a small child hit you repeatedly with a pool noodle: entertaining, but not useful.
But there are real reasons a company may launch an ineffective pentest. Carter explained why they might conduct such tests: it allows them to report good news to a business partner or regulator who may have mandated a test. When companies conduct their own broader pentests, internal red teams may operate with less restraint, resulting in more useful, and more sensitive, findings that can improve the company’s breach resistance, but those aren’t as commonplace. The findings can be extremely revealing. “They don’t have to necessarily worry about exposing that vulnerability information to people that might sue them,” Carter said.
Red-teaming exercises can be designed with sophistication to expose a system’s weakest link. UK-based firm NCC Group recently gained entry to a bank’s finance system and transferred $5 to a specific account, all while avoiding detection, Tim Rawlins, director and senior advisor of NCC Group, said. This “full-spectrum attack simulation team,” as Rawlins described them, will sometimes perform “capture the flag” exercises with an end goal of obtaining a specific piece of information, whether it’s unpublished financial figures, the chief risk officer’s top five priorities, or a sensitive HR investigation’s findings.
In one exercise, Rawlins’s team gained access to the message center of a stock exchange. They could’ve crashed the company’s stock price by simply putting out a message announcing bankruptcy. These exercises, Rawlins said, are “a really good way of demonstrating…the abilities of the team, and the impact that a real bad guy would have had on that company.”
It’s a common misconception that companies are not a target if they aren’t involved in large-scale work, like stock exchanges, government programs, defense contracting, or hospital networks. Most hacking groups are motivated by money alone and are looking for easy-to-find weaknesses anywhere they can. “Everybody’s got something of value to an attacker,” Michael Sentonas, the CTO of CrowdStrike, said. “If you’ve got nothing of value, why are you in business?”
Realistic pentests and red-team exercises are important, Sentonas said, because “you play it like you practice.” And in the game-time moments, sometimes the attackers score more than once. There’s a parallel to traditional crime: If a burglar breaks into a house and sees the garage filled with foreign luxury vehicles, they know they’ve found a good target to return to. “The extortion piece is one part. But it’s very common that we see adversaries come back,” Sentonas said. In a CrowdStrike “Global Security Attitude” survey, 96% of companies that paid an initial ransom reported that they later had to pay additional extortion fees, he noted.
The average company has more resources to protect against hackers than it did a decade ago, Sentonas said, but ransomware has become more frequent and far more sophisticated, including the rise of Ransomware as a Service. For a fee, a hacker can join a ransomware platform in exchange for a share of the profits in the event of a successful ransomware attack. Ransomware as a Service offers technical support for hackers who require guidance on their ransomware attack, as well as services to transfer encrypted files once the ransom has been paid. Sam Rubin, head of Unit 42, the cybersecurity consulting division of Palo Alto Networks, said these services can make otherwise incapable hackers into “pretty lethal cybercriminals.”
Companies are preparing their defenses against this new crop of sophisticated, customer service-enabled attacks in multiple ways. To scrimmage for ransomware attacks, there are conceptual tabletop exercises, Rubin explained. In a meeting room or Zoom conference, the key players will game out a hypothetical hack. In this situation, they’ll pretend their production environment has been fully encrypted by a hacker, the backups have been deleted, and the ransom is $10 million in bitcoin. The hacker says they’ve already downloaded 250 gigabytes of user data and are threatening to release it if the company doesn’t comply within 24 hours. These are the types of scenarios that Rubin runs through with clients, and they are all based on real incident responses Unit 42 has handled in the past.
Because getting hacked and paying a ransom is now a mundane business expense, a new industry has also popped up: cyber liability insurance. Coalition is one of the largest companies insuring against cyberattacks. Its founder and CEO, Joshua Motta, said cybersecurity isn’t just a technology problem but also a risk management problem. Last year, Motta met with President Joe Biden as part of a cybersecurity summit meant to address the rise in cyberattacks.
Insurance companies are sometimes on the hook for ransomware payments. Most policy wordings, Motta noted, “only state that it will be covered where it’s reasonable and necessary,” in such cases where the payment is critical for a business’s survival. He believes the insurance industry, by providing financial incentives to its customers, can increase the level of “cybersecurity hygiene” for the typical business, which right now Motta believes is “abysmally low.” As part of the underwriting process, Coalition will map out a customer’s “attack surface.” This surface includes anything touching the public internet, Motta said, including “all the data and passwords that your employees may have leaked, all the different assets that you have connected to the internet.”
There’s no reason to believe that the scope or frequency of ransomware attacks will wane and work from home has made some companies even more vulnerable. The tools and techniques of the most sophisticated attacks travel downstream “very, very quickly,” Sentonas said. That means the tools of today’s ransomware attack against, say, a major technology manufacturer could easily land in the hands of less-savvy criminals, who could target organizations with weaker security practices.
And that’s partly why ransomware is a lucrative business—its targets are practically limitless. There’s always another JBS Food and the possibility of a multimillion-dollar ransom.