Japanese conglomerate Fujifilm announced that it is suffering from a ransomware attack, becoming the latest victim of cyberattackers who in the last week alone have crippled everything from the largest meat processor in the US to the ferry system serving Martha’s Vineyard.
In a statement, the company said it was investigating unauthorized access to its servers and had no choice but to shut down its network. On Tuesday evening, the company said it became aware that it was being hit with ransomware and spent the last two days trying to “determine the extent and the scale of the issue.”
The photography and medical imaging giant said the attack had affected all of its external communications, including email and phone services. BleepingComputer spoke with Advanced Intel CEO Vitali Kremez, who said Fujifilm had been hit with the Qbot trojan in May and added that the people behind Qbot have been working with the REvil ransomware gang as of late.
REvil caused outrage again this weekend after they were implicated in a ransomware attack on JBS, one of the world’s largest meat processors and a company providing about one-fourth of the beef and pork in the US. They previously shut down Colonial Pipeline, causing gas shortages on the East Coast and national outrage that sparked more stringent cybersecurity guidelines for pipelines.
Due to the increasing number of attacks, The White House released an open letter on Thursday titled, “What We Urge You To Do To Protect Against The Threat of Ransomware” from Anne Neuberger, deputy assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology.
Despite the startling increase in ransomware attacks in the last few months, Neuberger touted the White House’s efforts to deal with the crisis, noting that the US government is currently “disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds.”
But she added that it was important for the private sector to do its part in addressing the cybersecurity posture of their organizations.
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Neuberger said.
She urged business leaders to “immediately convene their leadership teams to discuss the ransomware threat” and enhance security measures as well as continuity plans in case they are attacked.
Neuberger included a list of best practices and suggestions that ranged from the creation of data backups to prompt system patches, third-party cybersecurity reviews, and segmented networks.
“Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany, and France, to pipelines in the United States and banks in the UK,” Neuberger wrote.
“The US Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility.”
Setu Kulkarni, vice president of strategy at WhiteHat Security, said the two pieces of advice that stood out from the letter are incident response testing and pen-testing. Kulkarni explained that often organizations treat incident response plans like business continuity plans, only creating them for compliance.
“We need to make a change here to treat the incident response plan much like a fire drill or an earthquake drill so that when the inevitable breach happens, the entire organization is clear on the first few steps and that will give them the time they need to counter the threat effectively rather than scrambling at the nth minute,” Kulkarni said.
“The memo should be updated to further emphasize penetration testing of production systems in a continuous manner — this is important because while the production systems may not change that often, the adversary and the threat landscape are fast evolving in an attempt to breach these production systems.”
Focusing on continuous production security testing of web, mobile, and API applications, Kulkarni added, should be non-negotiable.
But Kulkarni said the memo fell short because it does not create an environment of incentives and disincentives for organizations to double down on these security fundamentals.
Tony Cole, CTO of Attivo Networks and a former executive at FireEye, McAfee, and Symantec, told ZDNet that there were a variety of reasons behind the recent spate of ransomware attacks. Enterprises have an over-reliance on vendors and in general, organizations continue to add digital tools to their operations which increases the complexity of work for cybersecurity officials.
Cole, who previously worked as a cyber operator for the US Army, added that there is a general lack of cyber defenders with the needed skill sets to keep organizations safe as well as systems that prevent privilege escalation.
“No solution is perfect, and attackers will get into the enterprise if they are determined enough with the resources to back their efforts,” Cole said. “Organizations must understand that they can’t prevent all attacks.”
Dozens of cybersecurity experts told ZDNet that the letter was an appropriate move considering the current landscape of cyberthreats. Many, like Egnyte cybersecurity evangelist Neil Jones, said there has been a marked shift from simple data theft and cyber-espionage to attacks specifically designed to cripple critical services and business productivity.
Others echoed Neuberger’s letter in saying that companies now need to prepare for when, not if, they are hit with ransomware.
Tom Garrubba, CISO of Shared Assessments, questioned why critical infrastructure organizations are not being held more accountable and said it was time for certain enterprises to be held to a higher level of legislative scrutiny, like financial institutions and even retail enterprises.
“Perhaps it’s time to bring in the executives and board members of these breached organizations to publicly explain these breaches and how their organizations are addressing the IT risks in the current environment,” Garrubba explained. “Every C-Suite and BoD needs to be similarly prepared to answer these questions.”
Sophos senior security advisor John Shier noted that the financial incentives of ransomware attacks need to be removed in order to address the problem.
Shier said attackers want to hit where it hurts the most to increase their likelihood of a large payout, but most ransomware attacks aren’t targeted scenarios, as seen with the Colonial Pipeline attack.
“Attackers are opportunistic. Once they realize they’ve secured a potentially lucrative victim, they go all in — that’s when they become targeted attacks,” he added, explaining that while no defense can be bulletproof, putting up tougher barriers will force cybercriminals to move on to easier targets.
While many experts said it was important to have plans in place for how to recover from an attack, Gurucul CEO Saryu Nayyar said organizations had to implement defenses that could reduce their attack surface and detect ransomware attacks in real-time.
“The technology is available. It’s just a matter of putting it in place and working diligently to identify and derail cybercriminals and malicious insiders before they derail you,” Nayyar told ZDNet.
But even with a slate of cybersecurity tools available, many IT teams and CISOs do not have the full buy-in from the leaders of their organization. The letter may help justify requests for bigger cybersecurity budgets and more help, according to Digital Shadows CISO Rick Holland.
“One comment that stands out to me from Neuberger’s memo is the need for a ‘skilled, empowered security team.’ We so often focus on technology to solve our problems,” Holland said. “Focus on your teams first; have dedicated training and development programs.”
Doug Britton, CEO of Haystack Solutions, said that while the recommendations from the White House were accurate and worthwhile, the biggest problem is finding a team able to implement the measures.
“Unfortunately, with hundreds of thousands of cyber positions unfilled in the US alone, the million-pound gorilla in the room is, ‘where are the qualified cyber practitioners that can expertly implement the recommendations?'” Britton said.
“Ideally, the national strategy will also rethink the underlying economics of identifying the potential talent, decreasing the cost of training the talent, and retaining that talent in industry.”
Kulkarni echoed those remarks, noting that the need for a skilled security team was one area where the gap is the largest between aspiration and reality.
“There are just not enough security personnel in the world to staff security teams in organizations today,” Kulkarni said. “What is needed is a combinatorial approach: accelerated and scaled-up security training in the country for security professionals plus training the general population about avoiding risky online behavior.”