Ransomware Impact on Large Global Enterprises | Sans Spotlight Report

Over the past few years, ransomware has grown to become one of the largest and most prolific threats facing organizations today. In general, any data breach is one that no security team wishes to live through. However, ransomware is not just a data breach; ransomware victims are often publicly shamed by adversaries who demand exorbitant sums to secure release of their locked data. Palo Alto’s Unit 42 reported that in the first half of 2021, the average ransomware payment climbed to $570,000. By the end of the same year one insurer had paid $40M in a ransomware payment, per a 2021 Mimecast report on ransomware cases.

Ransomware has also impacted a significant portion of enterprise security. It has reshaped how we construct incident response plans, evaluate cyber insurance, and develop businesses processes rooted in both continuity and resiliency. This impact may have forced organizations to look at their threat landscape differently, making decisions differently than originally planned. Furthermore, it has given new meaning both to what denotes a disaster and to the requirements for recovery operations. We cannot ignore the impact that ransomware has had on some of the largest organizations in the world, especially when coupled with changes that resulted from the recent COVID-19 pandemic.

In this paper, we examine how ransomware has impacted the state of security for the largest 2,000 companies around the globe (G2K). Ransomware itself has become “big business” and, as such, has created lasting effects on normal business operations such as mergers and acquisitions activity and industry growth. Ransomware has also had far-reaching effects on federal and international cybersecurity policy.

While we often look at threat actors—not threat objectives—as a primary focus point, ransomware as an attack profile is too prolific and impactful for organizations to ignore. As we explore in this paper, ransomware is a formidable threat that has changed the way many organizations do business.

These days, we are seeing ransomware threat actors expand their tactics, techniques, and entry vectors, quickly seizing on vulnerabilities and zero-day exploits to gain access and deliver initial ransomware payloads. Organizations that are not wise to these threats or that remain unaware of ransomware trends will find themselves caught off guard and quickly taken advantage of. While the focus of our paper is on the G2K, we encourage organizations of any size to:

• Implement strong monitoring and detection capabilities at ransomware entry vectors, such as vulnerabilities and remote access solutions.
• Implement detection and response capabilities across endpoints and networks, both on-premises and in the cloud.
• Consider defense-in-depth strategies to limit ease of credential reuse and lateral movement within your environment.
• Limit network connectivity to backup and/or disaster recovery systems, which are often targets of ransomware adversaries.
• Ensure your incident response plan includes handling of public naming and shaming.

Finally, it is worth noting that while this paper focuses on the threat of ransomware, many of the recommendations and mitigations described in this paper are useful for combatting the wide array of objectives threat actors are set to achieve. Implementing strong remote access requirements or limiting the ease of lateral movement can stop a multitude of adversaries dead in their tracks. Much to the benefit of a security team looking to get the most bang for their buck, ransomware adversaries often recycle techniques and tactics, creating the opportunity for security analysts to spot attacks before they become breaches.

Ransomware Impact on G2K¹

As we’ve mentioned, the impact of ransomware can easily be felt by organizations of all sizes. However, given their size and scope, G2K organizations have suffered some of the most publicized ransomware attacks. Furthermore, given their amassed revenue and public profiles, G2Ks remain at the top of adversary target lists. They promise a larger ransomware bounty than smaller organizations can afford.

Interestingly, we could also argue that G2K organizations are well-defended targets. We would assume that at a certain revenue level, security departments would be funded (potentially well-funded) and information security would be an integral part of business operations. Unfortunately, as we have learned time and time again, this is not always the case. This is not to say that security teams at large organizations are not doing a good job. We can, however, learn from their experiences. Let’s examine and learn from public case studies to determine how best to implement security and ensure better defense practices.

Impact on Client Trust: Accenture (G2K #169)

Our first case study looks at ransomware’s impact on client trust of an organization. Client confidentiality is of paramount importance to a firm like Accenture and is often considered a main differentiator of consulting firms. In August 2021, Accenture suffered a ransomware attack that resulted in the confirmed theft of proprietary data from its IT systems and created a double-headed threat.

First, when an adversary breaches security, encrypts data, and demands a ransom, the organization is already thrust into panic mode to determine the root cause of the attack and what course of action it can take. However, when an organization is the shepherd of others’ data, it must also quickly identify specific data impacted or stolen from the environment. Additionally, a victimized organization must answer key questions like, “Can the adversary use this data to harm the business or its customers?” It must also reconcile whether or not an adversary can use the stolen data to target and successfully attack other organizations.

Generally, in ransomware cases where stolen data is personally identifiable information (PII) or proprietary data, the organization must focus on ending the intrusion urgently. Without a security program that has a ransomware “caveat” in place, an incident response plan may be too slow or not involved enough to counter such an attack before a detrimental outcome or to get the organization back to normal in the wake of the intrusion. Further, a detailed early understanding of what has happened and which data has potentially been stolen is critical to the negotiation outcomes. Accenture’s decision may have been different if troves of customer data had been lifted.

Outcome: The adversaries claimed 6TB of data had been stolen and made a $50M ransomware demand. However, Accenture restored affected systems from a backup and confirmed that no client data had been taken.

There’s no guarantee that customers will leave or stay because of a ransomware breach. However, protecting customer data and organizational IP should be one of the organization’s top goals. Ransomware can be the force that drives new security policies and the implementation of stronger, more advanced processes and controls, which the security team should embrace and deploy to the fullest extent possible.

Impact on Global Supply Chain: JBS USA (G2K #525)

Our second case study looks at the impact of ransomware on supply chain operations and how devastating a cyberattack can be to the physical world. In May 2021, JBS USA, one of the largest meat suppliers in the United States, disclosed that a ransomware attack had halted production operations at five facilities, which processed a total of 22,500 head of cattle daily. Disruption of operation also extended to plants in Australia, highlighting just how connected JBS’ systems were.

JBS is a perfect example of how a ransomware attack can impact a global supply chain. The meat production shutdown affected a long list of JBS customers, including restaurants, grocery stores, and suppliers, such as cattle farmers. This disruption could cause both JBS customers and suppliers to seek business elsewhere and provide leverage for attackers to inflate the cost of the ransomware breach. Furthermore, depending on the scope of damage the production systems sustained, it could take days or weeks to get back to normal operational speeds.

Outcome: JBS succumbed to the ransom demands and paid $11M to the threat actors. While they report that no company, customer, or employee data was compromised, it was likely a business decision that an $11M payment was better than lost production for additional day(s).

Impact on Data Integrity and Extortion: Brenntag (G2K #1088)

Finally, our third case study examines an impact on data integrity as a result of a ransomware breach at Brenntag, a chemical distribution company based in Germany. In May 2021, it was reported that the DarkSide ransomware group compromised the North American division of Brenntag using stolen credentials. At the height of the attack, the adversaries launched the expected encryption payload and stole nearly 150GB of files from the environment.

According to the ransomware group at the time of disclosure, the stolen data (which was unencrypted in the hands of the adversary) included contracts, NDAs, chemical formulas, and key financial and accounting documents. While we don’t know whether the adversaries understood the data they possessed, they understood the value of it and the likelihood that Brenntag would want to keep it private.

Using the stolen data as leverage, the original ransomware demand was made at $7.5M. According to the G2K listings, Brenntag is a $14.2B company; so $7.5M seems like a “drop in the bucket.” This is a viewpoint that ransomware threat actors often take: It is such a small subset of your worth, the safety of your data must be worth this small amount. This strategy plays out in their negotiation tactics.

Outcome: Brenntag ultimately paid $4.4M of the original $7.5M to the threat actors on May 11, 2021. Although often done behind closed doors, the ransomware negotiation process is another process on which adversaries invest time and skills to extract the maximum amount from a victim organization.

Ransomware Impact on Security

In just three short case studies, we were able to highlight how a ransomware attack can quickly impact customer trust, global supply chains, or data integrity. The three attacks we examined are just the tip of the iceberg. Ransomware has ballooned into a multi-billiondollar industry, with some estimates placing it at $10B+ in 2021. However, it could be strangely argued that ransomware has also simultaneously changed both the threat and enterprise security landscapes.

Impact on Incident Detection and Response

The area on which ransomware has had the most impact is arguably how organizations detect and respond to incidents. If we think back to the data breaches of the early 2010s, we had a world mostly consumed with financially motivated breaches, intellectual property/state espionage, and hacktivism. Ransomware was seen as a “nuisance” threat that only demanded a few hundred dollars and was often easily handled by data recovery techniques.

Fast forward to 2021–2022, and ransomware adversaries have honed their skills. A ransomware attack now proficiently identifies and targets data recovery mechanisms. There are multiple reports of adversaries’ ability to go from zero to domain administrator and full encryption in a matter of single-digit hours, meaning that security teams have even less time to keep up and neutralize a threat.

Adversaries behind ransomware have leveled-up their skills even further by focusing on the post-encryption stages of an attack. Negotiations are handled by a separate party who knows the victim, can discuss finances, and is willing to accept a lower sum than the original ransom amount. At the same time, it is not above ransomware actors to extort victims and threaten them with data leakage and other embarrassing situations.

These parameters have changed incident detection and response in a few key ways:

• Security teams must be able to detect threats faster. Adversary dwell times measured in days can result in security controls that work too slowly and give ransomware threat actors too much time to act.
• It is no longer about detecting the ransomware payload—this comes too late in the game. Today the focus must be on the activities and techniques that precede ransomware deployment.
• More than ever, security teams should be relying on strong detection and response technologies (both network and endpoint, or NDR and EDR, respectively, qualify here) to provide advanced detection and handling capabilities. Coverage for attacks leveraging privileged accounts is a key consideration, given how central they are to modern attacks.
• Incident response plans must include rapid options that neutralize threats immediately. The days of submitting a change ticket to block a firewall port wastes too much time, especially for craft adversaries who are moving at the speed of light through a flat network.
• Incident response plans must also include other “non-traditional” departments. Not every incident in an organization may require a call to the legal or PR departments. A ransomware breach, however, may be disclosed publicly before the security team even has a handle on it. This should prompt additional parties, skilled at handling external-facing issues, to be involved.

With regard to incident detection and response, there are also unique opportunities for security teams. Board and executive concerns of a ransomware attack may provide the necessary impetus to fund a certain tool or project, move vulnerable assets to a more secure “location,” or finally implement policies and processes that the security team has been seeking for some time.

Interestingly, ransomware attacks are some of the only types of attacks that focus on the outcome of the attack, not necessarily the threat actors and/or their associated objectives. While this is a unique vantage point, it does not remove the need for basic security hygiene, which can go a long way toward stopping all types of attacks—not just ransomware.

Impact on Remote Access Solutions, Passwords, and Permissions

Remote access solutions have been a part of normal business operations for decades; it is nothing new for administrators to log into systems for normal IT upgrades, maintenance, etc. Unfortunately, they have also become one of the entry vectors of choice for ransomware adversaries, who know that remote access systems or “jump boxes” are often configured with light security, but heavy permissions.

As such, business processes have had to explore either a change or a brand-new business process to allow administrators remote access. While this may seem like simple security hygiene, ransomware has been one of the primary vehicles pushing for multifactor authentication, required VPN usage, or complete elimination of remote access solutions.

Ransomware has also impacted how organizations treat their users’ passwords and permissions. Far too often, we see data breaches that involve an account with far too many permissions, little perimeter security, and easily guessed credentials. Even within the population of the G2K, this is a pre-existing problem that is ripe for adversary exploitation. Furthermore, forensic analysis and incident response can be difficult when an adversary “blends in” to normal traffic.

Ransomware can, however, be the catalyst to enforce much needed organizational change. Deployment of multifactor authentication is a good practice that security professionals have recommended for years: It can deter ransomware and other types of attacks from adversaries who don’t have the time for such a “robust” security hurdle.

We would be remiss if we didn’t note that something as simple as multifactor authentication can put a double-digit dent in adversary success rates. A significant number of attacks rely on weak, single-factor credentials for remote access. Introducing a hurdle can break adversary automation, remove the ability to sell credentials, and stave off an otherwise easy attack.

Impact on Vulnerabilities and Software Development Life Cycles (SDLCs)

Ransomware has also had a positive impact on vulnerability management and software development life cycles. This stems from a recent (past 24 months) shift in ransomware attacks, which have originated with vulnerabilities and exploits rather than traditional remote access or spearphishing. The rapid weaponization and exploitation of widespread vulnerabilities have introduced a new vector for attackers to deploy ransomware, another trend security teams must be aware of. Depending on how the vulnerability is connected to the environment, adversaries may be able to quickly deploy their ransomware with permissions.

For example, between March and April 2021, multiple vulnerabilities were patched that impacted Microsoft’s on-premises Exchange Server, versions 2013, 2016, and 2019. At nearly the same time that vulnerability announcements were made, adversaries had already weaponized and scanned for vulnerable internet-facing Exchange servers—of which there were obviously thousands. At this point, a simple alignment of scripts and automated scanners did the dirty work.

The scale at which adversaries can automate their operations introduces new complexities—hence the need for a proper vulnerability management and software life cycle program. When a vulnerability is announced in a product or software library, security teams don’t have days or weeks to identify and catalog said vulnerability. That task must be done ahead of time. Asset visibility programs can also be included in this discussion, because they give security teams insight into assets and may combine the best of both worlds with a catalog of installed software as well.

Closing Thoughts

In this whitepaper, we examined the impact of ransomware on the globe’s largest 2,000 companies. While ransomware targets organizations way beyond this list—money is money, after all—it is worth looking at how companies with resources handle the ransomware threat. Does revenue equal investment in cybersecurity? Does it place a larger target on an organization’s network(s)? Is it both, or even more?

We think that despite being a non-discerning attack, the lessons learned from publicly known G2K ransomware breaches can help other organizations implement stronger defenses. Locking down protocols like remote access and implementing strong visibility and vulnerability management programs can be a significant adversary deterrent. An informed security team is one that will always be ready to go to “battle” and stand up against any threat—ransomware included.

---

¹ The G2K rankings provided in the sub-headings are taken from Forbes’ 2021 Global 2000 List