FUJIFILM, a Japanese multinational conglomerate with more than $20 billion in revenues, is investigating a ransomware attack and has shut down portions of its global network to prevent the attack’s spread.
<p>When hit with a ransomware attack, there is no simple decision for organisations to make. Refusing to pay ransoms, certainly, is not a choice to be taken lightly – and can have a series of dangerous knock-on effects. Having backup solutions in place is, of course, essential in any business, but when an attack hits and all data becomes encrypted, it takes a lot of confidence to refuse to pay and fully rely on the restore functioning. Rebuilding a network can take time, but it assures a business that there aren’t any malicious remnants left in the system, which can potentially occur when paying a ransom. Testing restore functions is imperative, and simulations are the most effective way of measuring this. Unfortunately, it is often said that paying a ransom can be cheaper or quicker to get back to business, but it is important to remember that this option fuels the ransomware cycle, not to mention that it is potentially immoral.</p>
<p>While the details on this incident are scarce at the moment, clearly something severe is going on if part of the network has been basically unplugged. Disconnecting from the internet is a surefire way to make sure nobody can get in. Normally you know who is getting in as they would have to authenticate; however, Fujifilm have said that possible unauthorized access is to blame. In which case they don’t know what accounts to trust, or which accounts may have been taken over, which may have something to do with the 895 breached passwords for their domain. Password security policy and also multi-factor authentication are key to knowing who the legitimate user of an account is.</p>
<p>2020 was a tough year in the physical world. As it drew to a close, 2021 was looking pretty bright. Not in the cyber realm though. The SolarWinds supply chain breach was uncovered and rolled into 2021 with breach after breach. The Hafnium Exchange, the Florida water system, Bombardier, Acer, JBS, and now the Fujifilm attack. There are many more publicly announced compromises not in this list and many more likely yet undiscovered.</p>
<p>2021 has seen a significant spike in ransomware attacks. The Verizon Data Breach Investigations Report (DBIR) says that ransomware attacks doubled in 2020, and that doesn’t include the spate of attacks seen this year. It’s clear that attackers are working overtime to compromise systems as quickly as possible to steal data and encrypt systems to hold company systems hostage for payment. How is this happening? There are several reasons.</p>
<ul>
<li>Misplaced trust with an over-reliance on vendor claims that their product will keep you safe. No solution is perfect, and attackers will get into the enterprise if they are determined enough with the resources to back their efforts.</li>
<li>Complexity in our enterprises continues to increase, which increases the level of difficulty in protecting the systems.</li>
<li>A lack of cyber defenders with the needed skills to understand the environment and detect attacks.</li>
</ul>
<p>Adversaries often continue to break into systems via simple phishing emails that compromise an initial endpoint. From there, it’s not that difficult for them to masquerade as a legitimate user using the credentials they stole on the infected endpoint. With that user’s credentials, they do some queries to find targets in the enterprise Active Directory system, steal more credentials with elevated privileges and just rinse and repeat until they have their target acquired internally. Then, in the case of Fujifilm and JBS, they can steal corporate data, encrypt systems, and begin the hostage process for a ransom.</p>
<p>To counter these challenges, organizations must understand that they can’t prevent all attacks. This means they must put in place systems that detect lateral movement inside the enterprise, look for privilege escalation, and protect identities and systems such as Active Directory. If not, we’re going to continue to read about these large successful ransomware attacks for the foreseeable future.</p>
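The comment above describes the credential-theft, Active Directory query and "rinse and repeat" pattern and calls for detecting lateral movement and privilege escalation. As an added illustration (not part of the commentary or any vendor's product), the heuristic below runs over constructed Windows Security logon events (4624 network logons, 4672 special privileges assigned) and flags an account that fans out to several hosts in a short window; the account names, hostnames and timestamps are made up.

```python
"""Added example: a minimal lateral-movement heuristic over constructed
Windows Security events. Each event is (timestamp, event_id, account,
source_host, target_host); hosts and accounts here are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one normal user, one account fanning out across hosts.
SAMPLE_EVENTS = [
    ("2021-06-02T09:00:00", 4624, "alice", "WS-ALICE", "FILE01"),
    ("2021-06-02T09:05:00", 4624, "alice", "WS-ALICE", "FILE01"),
    ("2021-06-02T10:00:00", 4624, "svc-backup", "WS-0412", "FILE01"),
    ("2021-06-02T10:01:30", 4624, "svc-backup", "WS-0412", "FILE02"),
    ("2021-06-02T10:02:10", 4624, "svc-backup", "WS-0412", "DC01"),
    ("2021-06-02T10:02:40", 4672, "svc-backup", "WS-0412", "DC01"),
    ("2021-06-02T10:03:05", 4624, "svc-backup", "WS-0412", "SQL01"),
]


def parse(events):
    """Turn ISO timestamps into datetimes so events can be sorted and windowed."""
    return [(datetime.fromisoformat(ts), eid, acct, src, dst)
            for ts, eid, acct, src, dst in events]


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag (account, source_host) pairs that log on (4624) to at least
    `min_hosts` distinct targets within `window`. Also record whether a 4672
    (special privileges assigned) fired in the same window, which is the
    privilege-escalation signal the commentary says to look for."""
    by_actor = defaultdict(list)
    for ts, eid, acct, src, dst in sorted(parse(events)):
        by_actor[(acct, src)].append((ts, eid, dst))

    alerts = {}
    for (acct, src), rows in by_actor.items():
        logons = [(ts, dst) for ts, eid, dst in rows if eid == 4624]
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                privileged = any(eid == 4672 and start <= ts <= start + window
                                 for ts, eid, _ in rows)
                alerts[(acct, src)] = {"hosts": sorted(hosts), "privileged": privileged}
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for actor, info in detect_lateral_movement(SAMPLE_EVENTS).items():
        print(actor, info)
```

In a real deployment the thresholds would be tuned per environment, and the same windowing logic can be fed from a SIEM export rather than the inline list.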
<p><span lang="EN-US">In the wake of a steady flow of major ransomware attacks taking down global brands, critical infrastructure and entire cities, it should be painfully obvious by now that no one is safe. Once targeted, the attackers will probably find a way in. So, let’s continue to invest in preventing these attacks, but at the same time we need to accept the inevitable. They will get in some day. So, in addition to preventing attacks, we also need to invest in becoming more resilient to successful breaches.</span></p>
<p><span lang="EN-US">In many cases, it’s the abundance of caution on the victim’s side that causes them to initiate their own shutdowns of operations, not the attack itself causing the shutdown. The ransomware probably never hit the parts of the network that were isolated, but a decision was made by the facility operators to limit the blast radius of the attack, or segment off sections of infrastructure to protect it. Those networks may be able to resist the attack, or may have been super-secure. But in the end, it doesn’t matter. The attackers were able to shut down and impact infrastructure outside of the scope of their attack. Defenders need to be aware of this, and start thinking about consequence reduction activities, not only prevention. Organizations that took this mindset prior to their own ransomware attack fare much better than those that didn’t.</span></p>
<p>Fuji will be the 3rd significant organisation in Japan to be impacted by ransomware in recent months. If it does turn out to be REvil group, it will be their first Japanese victim. REvil were the only ransomware group out of the 13 groups that Armis tracked in May to successfully disrupt a Chinese organisation. Ransomware is clearly becoming a global issue. This has been exemplified by the 193 leak notifications tracked by us this past month which affected 35 countries in total, with Russia being notable by its absence.</p>