Any hopes of a respite in ransomware attacks were dashed this week, as the state of Montenegro, InterContinental Hotels, bus operator Go-Ahead, Italian energy agency GSE and an LA school district were all hit.
A new report from Sophos meanwhile revealed ransomware attacks against retailers were up 75% in a year, with 77% of retail organisations surveyed hit by ransomware in 2021, up from 44% in 2020.
While retail has seen a significant uptick in the volume, complexity and impact of ransomware attacks, Sophos notes the sector actually reports better numbers than the cross-industry average.
And while most ransomware attacks appear to be purely financially motivated, Albania’s severing of diplomatic relations with Iran over July’s cyber-attack against the NATO ally demonstrates the potential for ransomware to be a weapon in inter-state conflicts. Late last month Albania’s neighbour Montenegro also suffered a ransomware attack, and called in help from NATO. How threat actors are getting access to systems shouldn’t be a surprise either: a joint advisory early this year from CISA, NCSC and other national agencies said phishing, RDP abuse, and software vulnerability exploitation were the main ways in – and have remained so for some time.
The second-largest school district in the United States, the LA Unified School District said it had been hit earlier this week, and avoided a “catastrophic breach” only by deactivating all its systems.
Unfortunately the recovery process “has proven more challenging than initially anticipated”, according to the district, which said it was making progress towards resetting passwords for all its 660,000+ students.
Go-Ahead Group, the largest bus operator in London, with other regional public transport operations across the UK, acknowledged in a stock market filing it had been hit by a “cyber security incident”. The company told The Guardian the attack affected its bus operations, while its train services were not impacted – and said IBM was investigating the incident.
InterContinental Hotels Group (IHG), which operates the Holiday Inn, Crowne Plaza, Kimpton and Six Senses hotel brands, said its systems had been “subject to unauthorised activity” since 5 September, but didn’t attribute the attack to a particular group. Its website and app both went down, and customers are still unable to make or amend bookings through these channels.
Last week the BlackCat ransomware group breached Italian energy agency Gestore dei Servizi Energetici (GSE), with the organisation taking down its website and other systems for several days to prevent further access. BlackCat claims it stole 700GB of data from GSE, which runs part of Italy’s power network – the group said it would publish the information if GSE didn’t meet its demands for payment.
The Sophos report said the “near-normalisation” of ransomware has pushed organisations to improve their ability to deal with such attacks, with 99% of retail organisations surveyed getting at least some encrypted data back. But the report said ransomware still has a considerable impact on companies’ ability to function.
“92% of retail organizations hit by ransomware said the attack impacted their ability to operate (cross-sector average: 90%), while 89% said the attack caused their organization to lose business/revenue (cross-sector average: 86%),” said the Sophos report.
More than half of all organisations surveyed said they were able to recover from an attack within a week, while 17% said it took between one and six months to recover. Across all sectors, Sophos said the average cost of remediation was $1.4 million.
Iran ransomware attack ‘crosses line’ for first time
Ransomware against companies generally (but not always) lacks the geopolitical implications of attacks against states, however. Iran’s apparent attacks against Albania follow on from attacks against Iranian infrastructure, including steel mills, fuel distribution and a prison, linked to the Predatory Sparrows group.
Following Albania’s action against Iran, the US has now been drawn in, with the White House National Security Council saying the States would take “further action” against Iran. What action that might be remains unclear – but it seems the impact of cyber-attacks has reached an unprecedented level.
As the Grugc noted in a recent newsletter: “For the first time in history, a cyber warfare event has ‘crossed the line’. Albania has established a baseline for cyber warfare that is significant enough to warrant a state response. For all the talk about strategic ambiguity, and ‘reserving the right to retaliate’ for ‘cyber attacks that cross the line’ there has never actually been an attack that crossed the line. Until now.”