Security Expert Re: FUJIFILM Ransomware Attack

BACKGROUND:

FUJIFILM, a Japanese multinational conglomerate with more than $20 billion in revenues, is investigating a ransomware attack and has shut down portions of its global network to prevent the attack’s spread.

Expert Comments

June 08, 2021
Jake Moore
Cybersecurity Specialist
ESET

When hit with a ransomware attack, there is no simple decision for organisations to make. Refusing to pay ransoms, certainly, is not a choice to be taken lightly – and can have a series of dangerous knock-on effects. Having backup solutions in place is, of course, essential in any business, but when an attack hits and all data becomes encrypted, it takes a lot of confidence to refuse to pay and fully rely on the restore functioning. Rebuilding a network can take time, but it assures a business that there aren’t any malicious remnants left in the system, which can potentially occur when paying a ransom. Testing restore functions is imperative, and simulations are the most effective way of measuring this. Unfortunately, it is often said that paying a ransom can be cheaper or quicker to get back to business, but it is important to remember that this option fuels the ransomware cycle, not to mention that it is potentially immoral.

June 07, 2021
Steven Hope
CEO and co-founder
Authlogics

While the details on this incident are scarce at the moment, clearly something severe is going on if part of the network has been basically unplugged. Disconnecting from the internet is a sure-fire way to make sure nobody can get in. Normally you know who is getting in as they would have to authenticate; however, Fujifilm have said that possible unauthorized access is to blame. In which case they don’t know what accounts to trust, or which accounts may have been taken over, which may have something to do with the 895 breached passwords for their domain. Password security policy and also multi-factor authentication are key to knowing who is the legitimate user of an account.

June 07, 2021
Tony Cole
CTO
Attivo Networks

2020 was a tough year in the physical world. As it drew to a close, 2021 was looking pretty bright. Not in the cyber realm though. The SolarWinds supply chain breach was uncovered and rolled into 2021 with breach after breach. The Hafnium Exchange, the Florida water system, Bombardier, Acer, JBS, and now the Fujifilm attack. There are many more publicly announced compromises not in this list and many more likely yet undiscovered.

2021 has seen a significant spike in ransomware attacks. The Verizon Data Breach Investigations Report (DBIR) says that ransomware attacks doubled in 2020 and that doesn’t include the spate of attacks seen this year. It’s clear that attackers are working overtime to compromise systems as quickly as possible to steal data and encrypt systems to hold company systems hostage for payment. How is this happening? There are several reasons.

  • Misplaced trust with an over-reliance on vendor claims that their product will keep you safe. No solution is perfect, and attackers will get into the enterprise if they are determined enough with the resources to back their efforts.
  • Complexity in our enterprises continues to increase, which increases the level of difficulty in protecting the systems.
  • A lack of cyber defenders with the needed skills to understand the environment and detect attacks.

Adversaries often continue to break into systems via simple phishing emails that compromise an initial endpoint. From there, it’s not that difficult for them to masquerade as a legitimate user using the credentials they stole on the infected endpoint. With that user’s credentials, they do some queries to find targets in the enterprise Active Directory system, steal more credentials with elevated privileges and just rinse and repeat until they have their target acquired internally. Then in the case of Fujifilm and JBS, they can steal corporate data, encrypt systems, and begin the hostage process for a ransom.

To counter these challenges, organizations must understand that they can’t prevent all attacks. This means they must put in place systems that detect lateral movement inside the enterprise, look for privilege escalation, and protect identities and systems such as Active Directory. If not, we’re going to continue to read about these large successful ransomware attacks for the foreseeable future.

June 04, 2021
Chris Grove
Product Evangelist
Nozomi Networks

In the wake of a steady flow of major Ransomware attacks taking down global brands, critical infrastructure and entire cities, it should be painfully obvious by now that no one is safe. Once targeted, the attackers will probably find a way in. So, let’s continue to invest in preventing these attacks, but at the same time we need to accept the inevitable. They will get in some day. So, in addition to preventing attacks, we also need to invest in becoming more resilient to successful breaches.

In many cases, it’s the abundance of caution on the victim’s side that causes them to initiate their own shutdowns of operations, not the attack itself causing the shutdown. The ransomware probably never hit the parts of the network that were isolated, but a decision was made by the facility operators to limit the blast radius of the attack, or segment off sections of infrastructure to protect it. Those networks may be able to resist the attack, or may have been super-secure. But in the end, it doesn’t matter. The attackers were able to shut down and impact infrastructure outside of the scope of their attack. Defenders need to be aware of this, and start thinking about consequence reduction activities, not only prevention. Organizations that took this mindset prior to their own ransomware attack fare much better than those that didn’t.

June 04, 2021
Andy Norton
European Cyber Risk Officer
Armis

Fuji will be the 3rd significant organisation in Japan to be impacted by ransomware in recent months. If it does turn out to be REvil group, it will be their first Japanese victim. REvil were the only ransomware group out of the 13 groups that Armis tracked in May to successfully disrupt a Chinese organisation. Ransomware is clearly becoming a global issue. This has been exemplified by the 193 leak notifications tracked by us this past month which affected 35 countries in total, with Russia being notable by its absence.

June 04, 2021
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin

In 2020, ransomware attacks broke records for the sheer number of attacks and their damaging consequences, and it looks like it’s going to be another record-breaking year. In the past few weeks alone we have seen one of the worst ransomware attacks in history with the Colonial pipeline attack, followed by a spate of other serious attacks on both the private and public sectors. It seems that nobody is safe, so it is important for organisations of all sizes to prepare and protect themselves from the threat.

If this is found to be a ransomware attack, it would be advised that Fujifilm refrain from paying a ransom, as although this seems like the obvious decision to make, there are other factors to consider. It would be advised that when making their decision Fujifilm should start by analysing the three factors associated with the attack - the means, the motive, and opportunity. This can be accompanied by industry, economic and market conditions. Factoring three or four variables into this decision can help make an informed decision on the possible impact to the organisation.

June 04, 2021
Mike Brown
CEO
Talion

The thing that stands out most about this incident is how transparent Fujifilm is being about the attack. Rather than shutting the shutters and keeping the attack out of the public eye, Fujifilm is taking a proactive approach and sending out updates via its website on the incident and the organisation’s mitigation progress.

More companies must follow suit. Ransomware attacks are inevitable today and do not mean a company has failed. If organisations are more open and transparent about attacks, we will be better able to share experiences, exchange ideas and pool intelligence.

The cyber criminals collaborate to make their attacks more successful, so we must collaborate to make our defences stronger.

June 04, 2021
George Patsis
CEO
Obrela Security Industries

Not a week goes by recently without another major organisation falling victim to cyberattack. Whether this turns out to be ransomware is yet to be discovered, however, if it is, it will add to the long list of reasons cyber insurers are getting wary of insuring against the threat.

Organisations must practice cyber-resilience and take steps to mitigate the risks cyberattacks pose, before they actually happen. Cyberattacks are here to stay, so the only defence today is getting into a post-breach mindset, before breaches happen to limit the negative outcomes.

June 03, 2021
Pravin Madhani
Co-founder and CEO
K2 Cyber Security

This latest attack on FUJIFILM adds to the many ransomware attacks we’re seeing in the news. We know the frequency of ransomware doubled last year, according to the most recent Verizon Breach Incident Report. Most enterprises cannot operate without a connection to the internet; the shutdown of the network at FUJIFILM shows how hard it is to operate in today’s connected world without a network connection.

Ransomware can stem from a number of sources, including phishing campaigns as well as exploited vulnerabilities in applications.

Enterprises need to remain vigilant in their security, not only using phishing detection and training employees to recognize phishing, but also making sure they have defense in depth for all of their applications, data, and assets that are internet-facing. This includes making sure their devices and software are up to date and patched, and they have security in place for their applications, including runtime security for common attacks like those outlined in the OWASP Top 10 web application risks. Equally important, organizations need to make sure they vet the security of the many partners and third party organizations that they depend on, as thoroughly as they vet their own security infrastructure.
