The multinational energy company Enel Group has been hit by a ransomware attack for the second time this year, this time by Netwalker, which is demanding a $14 million ransom for the decryption key and for not releasing several terabytes of stolen data. Enel is one of the largest players in the European energy sector, with more than 61 million customers in 40 countries. As of August 10, it ranked 87th in the Fortune Global 500, with revenue of almost $90 billion in 2019.
When multinational companies are hit by attacks and data breaches, it is easy and tempting to dismiss the situation as something that could never happen to our own organization. Whether this complacency comes from over-confidence in the data security strategy or from an unwillingness to entertain the possibility at all, complacency itself becomes an opening and a weak spot in the defenses. The recent ransomware attack suffered by Enel Group, the second this year, should not prompt comparisons and the assumption that "it could never happen in my organization." Rather, it should be a clarion call for every serious and responsible organization to reassess and make appropriate course corrections.
What does a reassessment of your data security strategy mean? It means not only shoring up your entire data environment and the defensive perimeter around it, but also deciding how to protect sensitive organizational data if it is exfiltrated and taken outside that protected perimeter. A data-centric approach applies strong protection mechanisms such as format-preserving encryption or tokenization to the sensitive data itself, so that threat actors cannot make use of it even if they breach the perimeter. Format-preserving encryption keeps the ciphertext in the same shape as the original (a 16-digit card number stays a 16-digit string), so existing schemas and applications keep working. Tokenization replaces sensitive values with surrogate tokens that carry no meaning on their own; the mapping back to the real value lives only in a separate token vault, so tokenized data cannot be understood or monetized by whoever steals it. Data-centric protection travels with the data and is a natural complement to strong perimeter defenses. The caveat is that it only holds if the encryption keys or the token vault sit in a separate, more tightly controlled domain than the data they protect: an attacker who takes both has taken everything. It also does nothing for the availability half of a ransomware attack, which is what backups are for. Within those limits, it renders stolen data worthless to attackers.
Enel Group will no doubt undertake this type of reassessment; attacks typically have that effect. The rest of us can sympathize with them and turn that same scrutiny inward, to make sure it does not happen to us.
To avoid being hit by ransomware attacks like the one that has impacted the Enel Group, educate yourself and the workforce on the consequences of clicking malicious emails or links. Email phishing is a popular choice for attackers, and not opening attachments from unknown correspondents lowers the chances of being compromised. Have antivirus software installed, and ensure that system and device backups are taken regularly, kept offline or otherwise out of an intruder's reach, and periodically test-restored; this reduces the overall impact an attack will have. If you are unfortunate enough to be affected, paying a ransom should be avoided, as it does not guarantee that your data will be recovered, and in a double-extortion case it does not stop the stolen copy from being leaked either. Security awareness is key and should not be overlooked as a critical component of any organisation's security defence.
This attack is yet another confirmation that defenders need to be right all the time, whereas cybercriminals need to be right only once. Enel was able to stop the spread of the Snake ransomware back in June, which suggests that its security controls were reasonably strong and its response plan well rehearsed. Unfortunately, this was not enough to stop the Netwalker ransomware gang, which appears intent on leaking the stolen data if the energy provider does not agree to pay the ransom.
Ransomware deployment is almost always a later stage of an intrusion that began with an earlier initial access, so avoiding ransomware in the first place comes down to general best practice. Security training that keeps employees from opening a malicious document in a phishing email is a good start. Beyond that, patching common vulnerabilities and segmenting the network will limit how far ransomware can spread if it does find its way in. The goal should not be to stop every intrusion outright, since attackers will constantly be looking for a way through, and will almost always succeed at least once, but to make the attack expensive for the attacker and to reduce the damage when there is an incident.
Ransomware threats to critical infrastructure providers should be a top concern for security teams. Enel, like many critical infrastructure providers, is seeing a spike in targeted ransomware attacks against its networks. Minimising damage and keeping an ICS network from being taken offline is essentially the cat-and-mouse game played between attackers and defenders. To keep intrusion groups at bay, organisations need to minimise the time it takes to respond to a threat, which can be achieved by running threat hunting around the clock. In addition, a unified security operations centre (SOC) that covers both IT and OT provides visibility across the two environments, which matters because attackers use the IT environment as a gateway into OT.
Resiliency and security can no longer be an afterthought. As new critical infrastructure systems are built and installed, and legacy networks are retired and taken offline, next-generation systems must be built with resiliency and security in mind. The design and ongoing operation of a system must take into account the threats that will become commonplace in the months and years ahead. Regular testing must also be a focal point in this sector. Tabletop exercises in which red and blue teams role-play different catastrophic scenarios, and the real-time response to them, pay off when a real threat has to be handled in real time. Never underestimate the value of tabletop exercises in shoring up weak defences and helping executives understand the importance of security.
Ransomware attack patterns have evolved significantly. Traditionally, ransomware was deployed to encrypt the victim's data and lock them out of their own files; if the victim refused to pay the ransom, the files stayed encrypted and were effectively lost. Ransomware attacks today have evolved into double extortion. The attacker usually exfiltrates a copy of the data before encrypting it. This way the attacker not only denies the victim access to the data but also keeps a copy for themselves. To claim responsibility and pressure the victim during negotiation, the attacker often releases small portions of the data online. If the negotiation goes badly, the attacker then either publishes all of the exfiltrated data or sells it to third parties. These attacks are in effect a combination of a ransomware attack and a data breach. Organizations hit by double extortion feel extremely helpless because the compromised databases likely contain proprietary or confidential information that they would rather see destroyed than published or sold. It is a double threat.
It is easy for the attacker to say they have the data, easy to imply it by releasing a small sample, and very difficult for the victim to prove or disprove forensically, because most organizations lack that layer of visibility. This adds another pressure point. Whether the attackers really downloaded the entire database can be validated readily only if the organization already has a DLP solution, or equivalent egress logging, in place. Since the tactic is relatively new, there are no real data points for either attacker or defender showing that it increases the likelihood of a pay-out. More practical advice is to know your data: if you have been compromised, assume the data has left your possession. Root cause analysis should be able to determine whether exfiltration actually occurred, but that conclusion comes after the incident is wrapped up and has no bearing on the decision to pay. This tactic is most effective with data whose release would cause widespread and immediate harm; controversial and sensitive data is usually the target of these attacks. Routine PII or credit card data is not going to be the motive and does not offer the same leverage.
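The paragraph above turns on whether the victim kept enough egress visibility to confirm or refute a theft claim. The following is an added example, not from the article or any DLP product, of the minimal form of that visibility: per-host daily bytes-out aggregated from firewall or proxy logs, compared against the host's own earlier days. The log lines are constructed for this example in an assumed `key=value` format (addresses from documentation ranges), and the `find_egress_spikes` function, its `ratio` and `min_bytes` thresholds, and the median-of-history baseline are design choices made here, not something the article prescribes.

```python
"""
Egress-volume anomaly check over constructed firewall/proxy logs (added example).

Double-extortion crews exfiltrate before they encrypt. If bytes-out per internal
host is retained, a responder can answer "did the whole database leave?" with
numbers rather than with the attacker's sample. This script keeps a daily total
per source host, builds a baseline from that host's earlier days, and flags a day
that exceeds the baseline by a large factor and an absolute floor, reporting the
destination that received most of the traffic.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log. db01 normally ships ~200 MB/day to an internal backup
# host (10.0.5.20); on 2020-10-19 it also sends ~48 GB to an unfamiliar external
# address (203.0.113.77). ws07 is an ordinary workstation with small egress.
SAMPLE_LOG = """\
2020-10-14T01:05:00Z src=db01 dst=10.0.5.20:445 bytes_out=209715200
2020-10-15T01:05:00Z src=db01 dst=10.0.5.20:445 bytes_out=199229440
2020-10-16T01:05:00Z src=db01 dst=10.0.5.20:445 bytes_out=220200960
2020-10-17T01:05:00Z src=db01 dst=10.0.5.20:445 bytes_out=205520896
2020-10-18T01:05:00Z src=db01 dst=10.0.5.20:445 bytes_out=210763776
2020-10-19T01:05:00Z src=db01 dst=10.0.5.20:445 bytes_out=208666624
2020-10-19T02:41:13Z src=db01 dst=203.0.113.77:443 bytes_out=25769803776
2020-10-19T03:12:50Z src=db01 dst=203.0.113.77:443 bytes_out=25769803776
2020-10-14T09:00:00Z src=ws07 dst=198.51.100.9:443 bytes_out=5242880
2020-10-15T09:00:00Z src=ws07 dst=198.51.100.9:443 bytes_out=6291456
2020-10-16T09:00:00Z src=ws07 dst=198.51.100.9:443 bytes_out=4194304
2020-10-17T09:00:00Z src=ws07 dst=198.51.100.9:443 bytes_out=7340032
2020-10-18T09:00:00Z src=ws07 dst=198.51.100.9:443 bytes_out=5242880
2020-10-19T09:00:00Z src=ws07 dst=198.51.100.9:443 bytes_out=9437184
"""

# Assumed line format: ISO timestamp, then src=, dst=host:port, bytes_out= fields.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<n>\d+)$"
)


def parse_log(text):
    """Yield (day, src, dst, bytes_out) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["day"], m["src"], m["dst"], int(m["n"])


def daily_egress(events):
    """Aggregate bytes_out per (src, day) and per (src, day, dst)."""
    per_day = defaultdict(int)
    per_dst = defaultdict(int)
    for day, src, dst, n in events:
        per_day[(src, day)] += n
        per_dst[(src, day, dst)] += n
    return per_day, per_dst


def find_egress_spikes(text, ratio=10.0, min_bytes=1 << 30):
    """Flag (src, day) totals at least `ratio` x the median of the host's earlier days and >= `min_bytes`.

    The absolute floor stops a quiet host from alerting on a trivial increase;
    the per-host baseline stops a busy backup server from alerting every day.
    ISO dates compare correctly as strings, so `d < day` selects earlier days.
    """
    per_day, per_dst = daily_egress(parse_log(text))
    alerts = []
    for (src, day), total in sorted(per_day.items()):
        history = [v for (s, d), v in per_day.items() if s == src and d < day]
        if not history:
            continue  # first day seen for this host: no baseline yet
        baseline = median(history)
        if total >= min_bytes and total >= ratio * baseline:
            dests = {d: v for (s, dd, d), v in per_dst.items() if s == src and dd == day}
            top = max(dests, key=dests.get)
            alerts.append({"src": src, "day": day, "bytes_out": total,
                           "baseline": baseline, "top_dst": top, "top_dst_bytes": dests[top]})
    return alerts


if __name__ == "__main__":
    for a in find_egress_spikes(SAMPLE_LOG):
        print(f"{a['day']} {a['src']}: {a['bytes_out'] / 2**30:.1f} GiB out "
              f"(baseline {a['baseline'] / 2**20:.0f} MiB), "
              f"{a['top_dst_bytes'] / 2**30:.1f} GiB to {a['top_dst']}")
```

On the constructed log only db01 on 2020-10-19 is flagged, with almost all of the day's volume going to 203.0.113.77. In practice the same aggregation is run over NetFlow or proxy logs with weeks of history, and the flagged destination is then checked against threat intelligence and the DLP content-inspection record for what was actually sent; without that retained record, the forensic answer the paragraph describes is simply not available.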