Canadian cybersecurity firm eSentire has identified a trend that should alarm trucking companies: cybercriminals have singled out the transportation sector as an easy target.
“They are an underserved sector of the economy when it comes to cybersecurity,” Mark Sangster, eSentire vice-president with a focus on industry security strategy, said of the trucking industry. “Trucking companies are more likely to pay ransoms.”
This he attributes to the time-sensitive nature of the business and to contractual obligations to deliver loads on schedule. Most trucking companies also rely on the same automation technologies, which makes it easier for criminals to learn how to infiltrate them.
Attacks often begin with phishing emails aimed at gaining a foothold in the front office. From there, the intruders look for credentials and data that let them move into warehouse or operations systems, where they can cause the most damage.
“Once they have a playbook to get in and disrupt a certain type of business, they see how they respond. If they respond by paying, if they don’t have insurance in place or experts on hand, they’re more likely to pay that ransom,” Sangster explained, adding this is often the case with trucking companies.
“A lot of companies don’t see themselves as being at risk. They are. [Cyberattackers] are very sophisticated – they operate like a Fortune 500 company and they’re very capable of getting into your business. And when they do, the reality is they are criminal organizations bent on illegal profit.”
One way hackers infiltrate a business is to send phishing emails that appear to come from a trusted partner, such as an industry association. Small companies aren’t immune, either: once inside, cybercriminals will go through a company’s financial records to determine a ransom it can afford to pay.
If a trucking company balks at paying the ransom, the attackers could move on to the fleet’s customers. When Apple supplier Quanta Computer was hit by the Sodin/REvil ransomware group and refused to pay the US$50 million ransom, the attackers took their demands to Apple itself. When those demands were ignored, they published stolen blueprints of Apple products obtained from Quanta’s systems.
Imagine having to tell your largest customer their data has been stolen and you’re unwilling to pay the ransom to get it back.
Some large transportation companies attacked in recent months include: DSC Logistics; Forward Air; TFI International; and ocean carrier CMA CGM. eSentire knows of others but protects the identity of companies that haven’t publicly acknowledged the attacks.
What can you do?
eSentire provides the following advice for companies in all sectors, including transportation:
- Keep a backup copy of all critical files, make sure it is an offline backup, and test that you can restore from it. Any backup that remains reachable from the infected systems will be encrypted or deleted along with them and will be useless in a ransomware attack.
- Require multi-factor authentication to access your organization’s virtual private network (VPN) or remote desktop protocol (RDP) services.
- Allow administrators to reach network appliances only over the VPN.
- Domain controllers are a key target for ransomware actors, so ensure that your security team has visibility into your IT networks using endpoint detection and response (EDR) agents and centralized logging on domain controllers (DCs) and other servers.
- Employ the principle of least privilege with staff members.
- Implement network segmentation.
- Disable RDP if not being used.
- Regularly patch systems, prioritizing your key IT systems.
- User-awareness training should be mandated for all company employees and focus on:
  - the danger of downloading and executing files from unverified sources
  - avoiding free versions of paid software
  - inspecting the full URL before downloading files to ensure it matches the source (i.e., Microsoft Teams should come from a Microsoft domain)
  - always inspecting file extensions. Do not trust the file-type icon alone: an executable file can be disguised as a PDF or Office document.
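Several of the items above (MFA on VPN and RDP, disabling unused RDP, and EDR with centralized logging from domain controllers) only pay off if someone is actually watching the forwarded logs. The script below is an added illustration, not eSentire's tooling or anything from the original article: it parses a constructed set of simplified Windows Security events (4624 successful and 4625 failed logons, logon type 10 being RDP) from two domain controllers, flags any RDP logon to a DC from anywhere other than an assumed admin jump host, and flags bursts of failed RDP logons against a DC account. The host names, IP addresses, account names, thresholds and the pipe-separated record layout are all assumptions made for the example.

```python
"""Flag risky RDP activity on domain controllers from forwarded Security events.

Added illustration only: the records, host names, addresses, accounts and
thresholds are constructed for this example, and the pipe-separated layout
is a simplified stand-in for the fields of real 4624/4625 events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: RDP to a DC is only ever expected from the admin jump host (reached over the VPN).
ALLOWED_RDP_SOURCES = {"10.10.0.5"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
RDP_LOGON_TYPE = "10"                       # RemoteInteractive in 4624/4625
FAILED_LOGON_THRESHOLD = 5                  # failures per (DC, account, source) ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within this window

# Constructed sample feed: time|computer|event_id|account|logon_type|source_ip
SAMPLE_LOG = """\
2024-03-04T02:10:59|DC01|4624|CORP\\jdoe.admin|10|10.10.0.5
2024-03-04T02:11:07|DC01|4624|CORP\\svc_backup|10|203.0.113.44
2024-03-04T02:12:30|FILE01|4624|CORP\\asmith|10|10.20.3.17
2024-03-04T02:13:02|DC01|4624|CORP\\svc_backup|3|10.20.3.40
2024-03-04T03:00:01|DC02|4625|CORP\\Administrator|10|198.51.100.9
2024-03-04T03:00:14|DC02|4625|CORP\\Administrator|10|198.51.100.9
2024-03-04T03:00:27|DC02|4625|CORP\\Administrator|10|198.51.100.9
2024-03-04T03:00:41|DC02|4625|CORP\\Administrator|10|198.51.100.9
2024-03-04T03:00:55|DC02|4625|CORP\\Administrator|10|198.51.100.9
2024-03-04T09:15:00|DC02|4625|CORP\\jdoe.admin|10|10.10.0.5
2024-03-04T11:40:00|DC02|4625|CORP\\jdoe.admin|10|10.10.0.5
"""


def parse_event(line):
    """Parse one simplified record into a dict; real events would come from EDR or a SIEM."""
    time, computer, event_id, account, logon_type, source_ip = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(time),
        "computer": computer,
        "event_id": int(event_id),
        "account": account,
        "logon_type": logon_type,
        "source_ip": source_ip,
    }


def detect(events):
    """Return findings: RDP logons to a DC from unapproved sources, and failed-logon bursts."""
    findings = []
    failures = defaultdict(list)
    for e in events:
        # Only RDP (type 10) activity on domain controllers is in scope for these two rules.
        if e["computer"] not in DOMAIN_CONTROLLERS or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["event_id"] == 4624 and e["source_ip"] not in ALLOWED_RDP_SOURCES:
            findings.append({"rule": "rdp_logon_to_dc_from_unapproved_source",
                             "computer": e["computer"], "account": e["account"],
                             "source_ip": e["source_ip"], "time": e["time"]})
        elif e["event_id"] == 4625:
            failures[(e["computer"], e["account"], e["source_ip"])].append(e["time"])
    # Sliding window over failed logons, one finding per (DC, account, source) at most.
    for (computer, account, source_ip), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > FAILED_LOGON_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGON_THRESHOLD:
                findings.append({"rule": "rdp_brute_force_against_dc", "computer": computer,
                                 "account": account, "source_ip": source_ip,
                                 "attempts": end - start + 1, "time": t})
                break
    return findings


def triage(log_text):
    """Run both rules over a text feed of records."""
    return detect(parse_event(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run as-is, the sample feed produces exactly two findings: the svc_backup RDP logon to DC01 from 203.0.113.44, and five failed RDP logons against CORP\Administrator on DC02 from 198.51.100.9 inside one minute. The allowed jump-host logon, the non-DC file server, the network (type 3) logon and the two widely spaced admin failures are all ignored, which is the point of keying the rules on DC plus logon type rather than on event ID alone.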
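The last two training items (check the full URL, and never trust the icon or the claimed extension) can also be backed by an automated check at the point of download. The script below is an added example, not code from eSentire or the article. It tests whether a download URL really belongs to the vendor's registered domain (rejecting look-alike hosts such as microsoft.com.<other-domain> and userinfo tricks such as microsoft.com@<attacker host>), and inspects a downloaded file for a mismatch between its name and its content: a Windows executable named .pdf, a double extension such as .pdf.exe, or a Unicode right-to-left override character that hides the real extension. The vendor domain table, the file signatures and the sample names and bytes are assumptions made for the example.

```python
"""Checks behind two of the training items: does the download URL really belong
to the vendor, and does the file's content match the name it wears?

Added illustration only; the vendor table, signatures and samples are assumptions.
"""
from urllib.parse import urlsplit

# Assumption: the registered domains each vendor's installers are expected to come from.
VENDOR_DOMAINS = {"Microsoft Teams": {"microsoft.com"}}

# Leading bytes that identify common file types regardless of the name or icon.
FILE_SIGNATURES = [
    (b"MZ", "exe"),                                # Windows PE executable
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # legacy OLE2 Office container
    (b"PK\x03\x04", "zip"),                        # also .docx/.xlsx, which are zip containers
]
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "zip"}
RTLO = "\u202e"  # right-to-left override: "report\u202efdp.exe" is displayed as "reportexe.pdf"


def url_matches_vendor(url, vendor):
    """True only for https URLs whose host is the vendor's registered domain or a subdomain of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # .hostname drops userinfo and port, so user@host tricks fail
    if parts.scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS[vendor])


def sniff_type(data):
    """Identify the content by its leading bytes, ignoring the name entirely."""
    for magic, kind in FILE_SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_download(filename, data):
    """Compare what the name claims with what the bytes say; returns findings and a verdict."""
    findings = []
    if RTLO in filename:
        findings.append("right-to-left override character in name hides the real extension")
    visible = filename.replace(RTLO, "").lower()
    parts = visible.rsplit(".", 2)  # "invoice.pdf.exe" -> ["invoice", "pdf", "exe"]
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTENSIONS and ext == "exe":
        findings.append(f"double extension .{parts[1]}.exe")
    content = sniff_type(data)
    if content == "exe" and ext != "exe":
        findings.append(f"content is a Windows executable but the name claims .{ext or '(none)'}")
    return {"name": filename, "extension": ext, "content": content,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed samples: one genuine-looking Teams URL, two look-alikes, and disguised binaries.
    for url in ("https://teams.microsoft.com/downloads/Teams_windows_x64.exe",
                "https://microsoft.com.teams-update.net/Teams_windows_x64.exe",
                "https://microsoft.com@203.0.113.7/Teams_windows_x64.exe"):
        print(url_matches_vendor(url, "Microsoft Teams"), url)
    print(inspect_download("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))
    print(inspect_download("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"))
    print(inspect_download("annual_report\u202efdp.exe", b"MZ\x90\x00"))
    print(inspect_download("invoice.pdf", b"%PDF-1.7\n"))
```

The URL check deliberately matches on the registered domain as a suffix rather than on a substring, which is what defeats hosts like microsoft.com.teams-update.net, and it uses the parsed hostname rather than the raw string so that anything before an "@" is ignored. The file check never looks at the icon: a genuine installer named .exe with PE content passes, while a .pdf that starts with "MZ" is flagged whatever its icon looks like.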
The most effective ransomware mitigation is an offline backup. Unfortunately, victims rarely have reliable backups of key IT systems and data. When planning additional measures, consider the following:
- Meet with your business teams to create an action plan and be sure to have an incident response (IR) plan mapped out that clearly defines which systems need to be put back online first.
- Prep your payment method. Nearly 75% of enterprises claim they would never seriously consider paying a ransom. When push comes to shove, more than 65% end up paying. Assume you’ll pay, and establish cryptocurrency and prepaid voucher payment methods now. You don’t want to waste precious time trying to set up a cryptocurrency account in the middle of an attack.
- Ready-set-go team. You need to create a reliable partner ecosystem well in advance of a breach. Not only is it important to have security vendors in place to help prevent a ransomware infection, but it’s vital that you have agreements already hammered out with a larger partner ecosystem, such as crisis communications agencies, digital forensic firms, cyber investigations teams, and outside counsel that specializes in security incidents.