Ransomware attack on airline industry a turning point for India and the world at large

15 Jun, 2022

Recently, the airline industry in India was hit by a ransomware attack that affected flight scheduling and caused delays, to the frustration of some passengers. It is understood that while the attack was contained, it unfortunately affected the flight scheduling system and caused major delays for several hours. This follows earlier major data breaches at Indian airlines in 2021 that exposed over one million customer accounts.

The fact that this ransomware attack was contained to some extent indicates that the airline had taken action to adjust its security posture after the earlier breaches. Restoring services is possible when attackers have not managed to encrypt all backups, though it can take hours or days. This also highlights that ransomware gangs will keep coming back after successfully breaching an organization, and that post-attack recovery is just as important as mitigation.

The good news was that this ransomware attack did not cause a complete shutdown of airline services hinging on the payment of a ransom, as other prominent ransomware attacks on critical infrastructure in the US did; the impact was limited to flight delays of a few hours and angry customers.

Although ransomware attacks are not new and have increased in frequency over the past two years, this particular attack was widely picked up by news outlets around the world and signalled a sense of urgency to tackle this critical global security threat.

It also highlights that attackers will target companies in any industry and will not hesitate to disrupt essential services for monetary gain. Ransomware has become cyber public enemy number one, having affected people's ability to pump gas, buy meat and groceries and now to travel, to name just a few.

Ransomware is the attack method of choice for cyber criminals

Since the beginning of the COVID pandemic, with the increased digitization of the economy, the rapid growth of e-commerce and the increase of the remote workforce, the world has seen a surge in the number of ransomware attacks. Ransomware is a very profitable business for cyber criminal gangs.

Australia, India and Japan were the most attacked countries in the Asia Pacific region in 2022. Accurately quantifying the number of ransomware attacks in Asia Pacific is a challenge, as organizations choose to stay silent and not report attacks because of the risk of bad press or government fines.

According to April 2022 data from Bitdefender, India now accounts for 5% of all ransomware attacks reported globally, which is significant. 80% of organizations across all industries were impacted by ransomware attacks in 2021, with 51% paying the ransom.

India topped the list of countries hit by ransomware, with 68% of respondents reporting attacks, according to the Global State of Industrial Cyber-Security report. This was an independent survey conducted across each region to find out how organizations deal with ransomware and their level of readiness and resilience.

India ranks fourth worldwide in the percentage of organizations hit by ransomware in the last year, according to security firm Sophos.

Cyber criminal gangs are targeting companies and government organizations, and the Singapore Cyber Security Agency has reported a 154% rise in ransomware cases affecting government organizations and enterprises in sectors such as e-commerce, health care and finance.

Another great concern is not only the sheer number of attacks but that 71% of organizations in APAC have paid ransoms of between $100,000 and $1 million, while 13% paid between $1 million and $5 million. The problem is now being accentuated by criminal gangs like Conti or REvil selling ransomware as a service, enabling other attackers with lower technical skills.

India leads the encryption rate globally once a ransomware attack unfolds, per the graph below, with 80% of all data on servers and their backups being encrypted. This indicates that 80% of ransomware attacks succeed and will have a grave impact on the business.

It is essential that Indian businesses across all industries adopt an effective security strategy to prevent ransomware attacks from encrypting critical system data and its backups, in order to prevent any disruption to their business and operations.

How does a ransomware attack unfold?

It is important to understand what ransomware is and how a ransomware attack unfolds. The ransomware file is a malicious file, or malware, used to encrypt data on a server. It is bundled into a script or attack toolkit that is propagated over the network to vulnerable servers in order to encrypt all their data. A ransomware attack is thus a lateral movement attack originating from a breached server onto which the ransomware file was downloaded.

Ransomware attacks are run by criminal gangs such as Conti, Avaddon or REvil, who first work to penetrate a company's security perimeter. They use techniques such as spear-phishing emails and phishing attacks to harvest credentials, or exploit zero-day vulnerabilities such as Log4j for remote code execution.

Once the perimeter has been breached and a server compromised, the attackers perform network reconnaissance to identify the key servers hosting critical systems and data, as well as their backups. They work to harvest further credentials and gain domain admin privileges in order to move laterally toward those identified systems and their backups.

They then launch the attack by propagating the ransomware toolkit to those systems over the network and encrypting all files and their backups. This phase can take a day or less and prevents the company's users and applications from accessing the data needed to run operations.

Recovery by restoring data to affected servers and systems from backup

Backups are the #1 method of restoring data, used by 73% of organizations whose data was encrypted. At the same time, 46% reported that they paid the ransom to restore data, per the Sophos ransomware

The ransomware threat is here to stay and will only increase in scale and complexity. It is therefore essential that Indian businesses across all industries adopt an effective security strategy not just to contain but to effectively mitigate ransomware attacks.

Mitigation and Recovery 

Just as shipbuilders since the 15th century have added bulkheads to keep a ship from sinking when the hull is breached, rather than relying solely on keeping water out, security teams need to accept that the perimeter can be breached and adopt a security strategy that prevents such a breach from shutting down system operations.

The reality today is that the security perimeter can and will be breached at some point. It is therefore paramount to implement a security strategy that prevents the ransomware attack tool from propagating over the network to the domain controller, crown-jewel servers and their backups. The failure to do so is why we see such a high number of successful ransomware attacks and such a high encryption rate in India and around the world. The latest attack on the Indian budget airline, which took key systems offline for a few hours, demonstrates that adopting the most effective ransomware mitigation security solution is critical.

Zero trust network security with software micro-segmentation is the most effective strategy to fully mitigate and recover from a ransomware attack and ensure that business operations are never disrupted, even when the security perimeter has been breached and a server infected.

Network segmentation also needs to become simple, affordable and painless. We need to move away from the idea that segmentation must be accomplished at the infrastructure layer with traditional firewalls, which is complicated and requires multiple approaches as you adopt new technologies.

Preventing lateral movement is the best strategy 

The right answer is to start with a simple, flat underlying network and then apply a software-defined overlay that is easy to visualize, can be changed without disruption and works consistently across all of your environments and technologies…on-prem, hybrid or multi-cloud.

It is key to quickly segment your environment and ring-fence your crown jewel servers and their backups regardless of geographical location and underlying infrastructure. 

Once you’re infected with ransomware, recovery is very hard: backups are often the first target of the malware, so the easiest path to recovery is often cut off.

Ransomware gangs are increasing the sophistication of their public-key encryption techniques, which are very unlikely to be cracked by the recovery team.

The best defense against ransomware is preventing it from propagating across your organization in the first place.
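To make the ring-fencing argument above concrete, here is an added example (not code from the article, and not an Akamai product implementation) that models a label-based, default-deny micro-segmentation policy as a software overlay and computes the blast radius a self-propagating toolkit would have from one compromised web server. The host names, labels, rules and the choice of propagation ports (SMB 445 and RDP 3389) are constructed assumptions for illustration. The same flat inventory is evaluated twice: once with no enforcement, and once with the crown-jewel servers (domain controller, database and backups) ring-fenced so that only the application's real flows and an admin path from a jump host are permitted.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    """A server identified by labels rather than by IP address or subnet."""
    name: str
    labels: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Allow one port from any workload carrying src_label to any workload carrying dst_label."""
    src_label: str
    dst_label: str
    port: int


class SegmentationPolicy:
    """Label-based allow list. With default_allow=False every flow that is not
    explicitly permitted is dropped, i.e. zero-trust default deny."""

    def __init__(self, rules: Iterable[Rule], default_allow: bool = False) -> None:
        self.rules: List[Rule] = list(rules)
        self.default_allow = default_allow

    def allows(self, src: Workload, dst: Workload, port: int) -> bool:
        if src is dst:
            return True  # a host may always talk to itself
        if self.default_allow:
            return True  # flat network: no enforcement at all
        return any(
            r.src_label in src.labels and r.dst_label in dst.labels and r.port == port
            for r in self.rules
        )


# Constructed inventory with hypothetical host names; not data from the article.
INVENTORY: List[Workload] = [
    Workload("web01", frozenset({"role:web", "env:prod"})),
    Workload("app01", frozenset({"role:app", "env:prod"})),
    Workload("db01", frozenset({"role:db", "env:prod", "tier:crown-jewel"})),
    Workload("backup01", frozenset({"role:backup", "env:prod", "tier:crown-jewel"})),
    Workload("dc01", frozenset({"role:domain-controller", "env:prod", "tier:crown-jewel"})),
    Workload("jump01", frozenset({"role:jump", "env:mgmt"})),
]
WORKLOADS: Dict[str, Workload] = {w.name: w for w in INVENTORY}

# Ports a self-propagating toolkit is assumed to rely on (SMB and RDP); constructed assumption.
PROPAGATION_PORTS: Tuple[int, ...] = (445, 3389)

# Flat network: everything can reach everything on every port.
FLAT = SegmentationPolicy([], default_allow=True)

# Ring-fenced overlay: only the application's real flows plus an admin path via the jump host.
RING_FENCED = SegmentationPolicy([
    Rule("role:web", "role:app", 8443),               # web tier calls the app tier
    Rule("role:app", "role:db", 5432),                # app tier queries the database
    Rule("role:backup", "role:db", 5432),             # backup server pulls; nothing pushes to it
    Rule("env:prod", "role:domain-controller", 389),  # LDAP lookups against the DC only
    Rule("role:jump", "tier:crown-jewel", 22),        # admin SSH to crown jewels only from the jump host
])


def blast_radius(policy: SegmentationPolicy, workloads: Iterable[Workload],
                 start: str, ports: Tuple[int, ...] = PROPAGATION_PORTS) -> Set[str]:
    """Breadth-first search over the hosts a toolkit could hop to from `start`
    using any of `ports`; returns the names reached, including `start` itself."""
    hosts = list(workloads)
    by_name = {w.name: w for w in hosts}
    reached: Set[str] = {start}
    queue = deque([start])
    while queue:
        current = by_name[queue.popleft()]
        for candidate in hosts:
            if candidate.name in reached:
                continue
            if any(policy.allows(current, candidate, p) for p in ports):
                reached.add(candidate.name)
                queue.append(candidate.name)
    return reached


def crown_jewels_exposed(policy: SegmentationPolicy, workloads: Iterable[Workload],
                         start: str) -> Set[str]:
    """Crown-jewel hosts (DC, database, backups) that lie inside the blast radius of `start`."""
    hosts = list(workloads)
    reached = blast_radius(policy, hosts, start)
    return {w.name for w in hosts if "tier:crown-jewel" in w.labels and w.name in reached}


if __name__ == "__main__":
    for label, policy in (("flat", FLAT), ("ring-fenced", RING_FENCED)):
        print(f"{label:12} blast radius from web01: {sorted(blast_radius(policy, INVENTORY, 'web01'))}")
        print(f"{label:12} crown jewels exposed:    {sorted(crown_jewels_exposed(policy, INVENTORY, 'web01'))}")
```

Running it shows the point of the section: on the flat network a single compromised web server can reach all six hosts, backups and domain controller included, whereas under the ring-fenced policy its blast radius is itself alone, while the legitimate web-to-app and app-to-database flows still pass. The backup server is modelled as pulling from the database rather than accepting inbound connections, which is what keeps it outside the reach of anything that is compromised upstream.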

Dean Houari

Dean Houari is Director of Security Technology and Strategy, Asia-Pacific and Japan at Akamai Technologies.