
The world continues to network. Supply and value chains are no longer chains, but networks. With a multitude of nodes, hubs, dependencies, decentralized players and service providers. This not only leads to close links in the operational process, but also to complex IT landscapes with a wealth of interfaces, subsystems and data transactions.
Logistics companies are currently particularly aware of how sensitive such networks are and what can happen if they are disrupted. Disruptions can occur in both real and digital space. As a digitization partner in industry and commerce, we know that the latter are constantly increasing and that it is therefore not only sensible but critical to success to invest in professional IT security. Because the costs for this are a.) well invested and b.) significantly lower than the costs of a possible damage event. But more on that later. First, a brief overview of the general threat situation.
Free ride in danger
An example of the threat in real space is the insecurity of trade routes due to piracy in the maritime waterways around Africa. This originally began in the Gulf of Aden, off the coast of Somalia, from where it shifted to the Gulf of Guinea after the successful Atalanta and Enduring Freedom missions in 2015.1
Since Russia’s invasion of Ukraine in the spring of 2022, we know that war can also be a real threat to global supply chains. With fatal consequences for entire societies worldwide – be that shortages of basic foodstuffs, energy sources or other trade goods.
A third major risk factor for the international transport of goods is freighter accidents. The most recent example is the blockade of the Suez Canal by the container ship Ever Given in spring 2021, for which the Egyptian Suez Canal Authority alone claimed more than 600 million euros in costs, a bill that, under the maritime rule of "general average," will be shared not only by the shipping company but also by the cargo owners.2
A political event such as Brexit can also be understood as such a disruption, given the planning uncertainty of the transition phase and the new customs bureaucracy3 with its correspondingly long waiting and delivery times.4 Against this background, the transport of fresh goods or perishable foodstuffs is particularly risky. For example, since the new trade and customs rules came into force, imports of British cheese, fish and meat into the EU have slumped dramatically,5 which is due not only to the new customs formalities but also to new import criteria; either way, it significantly reduces the volume of transport orders.
Ransomware & Co.
In the digital space, the disruptions are no less costly. They mostly emanate from ransomware, i.e., malware that encrypts files and systems and thereby brings entire software landscapes to a standstill. The purpose is to demand a ransom, in exchange for which the victims are promised the key to "unlock" their systems again.
The gateways for ransomware range from malicious email attachments and links to exploit kits to unpatched vulnerabilities in servers exposed to the internet. The German Federal Office for Information Security (BSI) provides an overview of these entry points and the various types of ransomware.6
One of the best-known examples of ransomware is the WannaCry malware program, which in 2017 infected and paralyzed around 230,000 computers in 150 countries, including those of major logistics companies such as Deutsche Bahn, Schenker and FedEx.7
In the same year, the NotPetya malware struck in a similar way; FedEx subsidiary TNT Express alone put its losses at $300 million.8
Since the start of the Corona pandemic in 2020, the number of ransomware attacks worldwide has increased by 150 %.9 For the total amount of ransoms demanded, experts estimate an increase of 171 %10 in the same year, while the number of ransoms actually paid has even increased by a whopping 300 %.11
One might wonder why the ransom demands are not higher. So far, we can only speculate: First, the sums demanded may be worth considerably more in the attackers' country of origin than in ours. Second, the attackers may assume that higher sums make the extorted parties less willing to pay and increase the risk that the authorities get involved (which, as we will see, also drives the final ransom up). Third, it is quite conceivable that such attacks are not always primarily about personal gain, but rather about causing damage or demonstrating the vulnerability of companies, entire industries and critical infrastructures. The ransomware attack on AmeriCold, which was tasked with the frozen transport of BioNTech Pfizer's COVID-19 vaccine, shows just how vulnerable these can be.12
Either way, it’s worth it for the attackers. But what makes logistics companies particularly attractive to them? The answer lies in the high degree of interconnectedness mentioned at the beginning: many players along the logistics value chain mean high dependencies on each other and thus a high degree of blackmailability of the damaged parties.
The extent to which ransomware has become a lucrative, increasingly professionalized business model is also shown by the fact that a real service sector has grown up around the cybercriminals, offering the necessary malware as ransomware-as-a-service on demand.13 Cryptocurrencies make the business additionally attractive because, unlike a bank transfer, payments can be collected without an account holder's identity being checked and are much harder to trace back to a person.
But the ransom is not the only cost driver in ransomware attacks, and it is by no means the largest. Other effects are even more expensive. Here are the three most important.
1. Downtime of the systems
Even the first minute offline causes losses and costs for the affected companies. In logistics, for example, this can mean canceling orders or missing out on new ones. Added to this are delays in delivery, which become particularly expensive when several players in the value chain are affected and/or contracts or delivery deadlines cannot be met. The added loss of prestige is difficult to quantify, but is likely to be immense.
Since the interdependencies in logistics are particularly pronounced, the damage of a potential downtime is also higher – not only because of the systemic consequences mentioned for the directly affected party, but also due to possible claims for damages by the indirectly affected parties.
Depending on the length of the downtime, the downtime costs can be up to 50 times higher than the actual ransom demand, experts estimate.14
2. Double and triple extortion
It does not always stop at just one ransom demand. A common practice of attackers is not only to paralyze systems by encrypting them, but also to exfiltrate business-critical data beforehand, for whose non-publication an additional ransom is then demanded. This is not only significantly higher than the first ransom, but is even doubled if payment is not made immediately. Moreover, the attackers put the damaged company under pressure by publishing portions of the stolen data until the company pays.15 If personal data is involved, the general loss of prestige caused by a downtime can turn into a very personal loss of trust. How lasting this is can hardly be measured.
A study by Sophos shows whether and how companies react to such extortion: only 26% of those affected get their data back as a result of a ransom payment; more than twice as many restore it from backups. That’s just as well, because paying a ransom only drives up the cost of the attack without offering any guarantee. Nevertheless, it can be observed that most attackers keep their word when it comes to returning data after payment, presumably in order not to undermine their own business model.16
3. Repair costs
After a successful ransomware attack, the affected systems must be repaired. Depending on the extent of the damage, this can be extremely costly. The minimum repair work required is as follows:
- Cleanup of the affected subsystems,
- Restoration of the data,
- Finding and closing the causal weak point.
All this costs not only money, but also time. Valuable resources, therefore, that would be much better invested in preventing such incidents than in cleaning up afterwards.
Prevention
After all, restoring the status quo ante is not enough. It is much more important to invest in a future-proof security concept. As the saying goes: Fool me once, shame on you. Fool me twice, shame on me. We would like to add: If you don’t let yourself be duped in the first place, you save yourself the shame from the start.
Here are five recommendations on how to protect your IT systems, and thus your entire company, from ransomware attacks.
1. Penetration tests
To keep ransomware attacks from succeeding in the first place: test your software systems carefully and regularly for security vulnerabilities. Professional pentesting helps to find and close weak points before others can exploit them. Well-executed penetration tests include, in addition to proper black-box and white-box analyses, a review of the source code as well as careful testing of the dependencies between systems and components, so that chain reactions and side effects in the event of an attack can be ruled out as far as possible.
2. Zero Trust Policy
The zero-trust principle ensures that everyone who is active in a company's IT network or accesses it from outside must be authenticated, without exception, and not only once at login but on every single access. True to the motto: as few permissions as possible, only as much access as strictly necessary. There is no more advance trust; a request is not allowed because an earlier one was. That data traffic must always be encrypted, in transit as well as at rest, goes without saying.
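As an added example (not code from the article or its author), the following Python sketch shows what "authenticate on every access, grant only what is explicitly needed" looks like as a decision function: each request carries its own freshly validated credential, MFA and device state, the policy lists explicit grants only, and anything not listed is denied. The users, roles, resources and actions are hypothetical.

```python
"""Added example: a deny-by-default access decision evaluated on every request.

Hypothetical policy data (roles, resources, actions) for a logistics company;
none of it comes from the article. The point is structural: nothing is trusted
because an earlier request succeeded, and every grant is explicit.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    token_valid: bool      # credential re-validated for this request, not a cached session flag
    mfa_passed: bool       # strong authentication completed for this request
    device_managed: bool   # request comes from a managed, patched endpoint
    resource: str
    action: str            # "read" | "write" | "admin"


# Hypothetical least-privilege policy: only listed resource/action pairs are granted.
ROLE_GRANTS = {
    "dispatcher": {"orders": {"read", "write"}, "fleet": {"read"}},
    "warehouse": {"inventory": {"read", "write"}},
    "auditor": {"orders": {"read"}, "inventory": {"read"}},
}
USER_ROLES = {"anna": "dispatcher", "ben": "warehouse", "cara": "auditor"}


def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unlisted is denied."""
    # Authenticate on every access, not only at login.
    if not req.token_valid:
        return False, "credential not valid for this request"
    if not req.mfa_passed:
        return False, "MFA required"
    if not req.device_managed:
        return False, "unmanaged device"
    # Least privilege: look up an explicit grant; unknown users/roles fall through to deny.
    role = USER_ROLES.get(req.user)
    allowed_actions = ROLE_GRANTS.get(role, {}).get(req.resource, set())
    if req.action in allowed_actions:
        return True, f"{role} may {req.action} {req.resource}"
    return False, "no explicit grant"  # default deny


def evaluate(requests: list[Request]) -> list[tuple[str, bool, str]]:
    """Decide a batch of requests and return an audit trail of (user, allowed, reason)."""
    return [(r.user, *authorize(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        Request("anna", True, True, True, "orders", "write"),
        Request("anna", True, True, True, "fleet", "write"),     # beyond her grant
        Request("ben", True, False, True, "inventory", "read"),  # no MFA this time
        Request("mallory", True, True, True, "orders", "read"),  # unknown identity
    ]
    for user, ok, why in evaluate(sample):
        print(f"{user:8} {'ALLOW' if ok else 'DENY':5} {why}")
```

Note that the order of checks matters for what an attacker learns: identity and device state are rejected before the policy is consulted, so a stolen but un-MFA'd credential never reaches the grant lookup, and the audit trail records the first failed check rather than the full policy.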
3. Backups!
Backups are standard practice in corporate data protection and the core of any good disaster recovery. Since ransomware can also compromise databases and storage, pure network or online backups should be complemented by copies on separate servers that are purely local and operate isolated from other systems, or that can at least be disconnected from the network quickly in the event of an attack. Bear in mind that a copy which is only disconnected once the attack is noticed may already be encrypted; genuinely offline or write-once copies are the safer choice. The following two parameters should serve as the basis for a good backup strategy:
- Recovery Time Objective (RTO): the maximum time a system may remain unavailable after an incident
- Recovery Point Objective (RPO): the maximum amount of data that may be lost, expressed as the time span between the last usable backup and the incident
Keeping both at 0 is practically impossible, but a workable compromise can usually be found.
It is also important during data recovery not to take any stowaways with you, i.e., data that has been contaminated or corrupted unnoticed. This is another characteristic of ransomware: it has a certain incubation period during which it carries out its activities beneath the surface before it breaks out with all its symptoms. Backups taken during that period may already contain the attacker's foothold or altered data, so the effective RPO is measured from the last backup known to be clean, not from the last backup taken.
Of course, a good backup strategy also includes regularly checking whether the data can be retrieved at all in an emergency. Backup technologies can be misconfigured, for example if too few or the wrong directories are backed up. Wear and tear on hardware can also impair the later recovery of data. It is therefore advisable to put the backup setup through its paces with a real restore test at least once a year, at least on a random sample.
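As an added example that is not part of the original article, the following Python script turns the two parameters above and the two warnings (stowaways, untested restores) into a scripted restore drill: it verifies each snapshot against the hashes recorded at backup time, rejects any snapshot taken after the suspected start of the compromise, picks the newest clean one, and reports the resulting data loss against the RPO and the restore duration against the RTO. The catalogue, file contents and RPO/RTO targets are constructed for the example and held in memory so it runs offline.

```python
"""Added example: a scripted restore drill that checks integrity, RPO and RTO.

Constructed data only: a tiny catalogue of two files across three nightly
snapshots, held in memory so the script runs offline. Each entry keeps the
SHA-256 recorded when the backup was taken; a restored file whose hash no
longer matches is treated as a stowaway and the whole snapshot is rejected.
The RPO/RTO targets are assumptions, not figures from the article.
"""
from __future__ import annotations

import hashlib
import time
from datetime import datetime, timedelta

RPO = timedelta(hours=24)  # assumed: at most one day of data may be lost
RTO = timedelta(hours=4)   # assumed: restore must complete within four hours


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


ORDERS = b"order,1001,delivered\n"
FLEET = b"truck,DE-AB-123,ok\n"
TAMPERED = b"order,1001,<encrypted>\n"  # altered after its hash was recorded

# Constructed catalogue: (snapshot time, {path: (recorded hash, stored bytes)}).
CATALOG = [
    (datetime(2021, 9, 1, 2, 0), {"orders.csv": (sha256(ORDERS), ORDERS),
                                  "fleet.csv": (sha256(FLEET), FLEET)}),
    (datetime(2021, 9, 2, 2, 0), {"orders.csv": (sha256(ORDERS), ORDERS),
                                  "fleet.csv": (sha256(FLEET), FLEET)}),
    (datetime(2021, 9, 3, 2, 0), {"orders.csv": (sha256(ORDERS), TAMPERED),
                                  "fleet.csv": (sha256(FLEET), FLEET)}),
]


def corrupted_files(files: dict) -> list[str]:
    """Paths whose stored bytes no longer match the hash recorded at backup time."""
    return sorted(p for p, (recorded, data) in files.items() if sha256(data) != recorded)


def last_clean_snapshot(catalog: list, not_after: datetime):
    """Newest snapshot taken no later than `not_after` (the earliest time the
    attacker is believed to have been inside) in which every file verifies."""
    for ts, files in sorted(catalog, key=lambda entry: entry[0], reverse=True):
        if ts <= not_after and not corrupted_files(files):
            return ts, files
    return None


def restore_drill(catalog: list, incident: datetime, compromise: datetime) -> dict:
    """Simulate a restore and report whether the backup strategy meets RPO and RTO."""
    started = time.monotonic()
    found = last_clean_snapshot(catalog, compromise)
    if found is None:
        return {"ok": False, "reason": "no clean snapshot before suspected compromise"}
    ts, files = found
    restored = {p: data for p, (_, data) in files.items()}  # real drill: copy to a clean host
    elapsed = timedelta(seconds=time.monotonic() - started)
    data_loss = incident - ts  # effective RPO: measured from the last clean snapshot
    return {
        "ok": data_loss <= RPO and elapsed <= RTO,
        "snapshot": ts,
        "data_loss": data_loss,
        "rpo_met": data_loss <= RPO,
        "restore_time": elapsed,
        "rto_met": elapsed <= RTO,
        "files": restored,
    }


if __name__ == "__main__":
    incident = datetime(2021, 9, 3, 10, 0)
    cases = [("no dwell time assumed", incident),
             ("attacker inside since Sept 1 noon", datetime(2021, 9, 1, 12, 0))]
    for label, compromise in cases:
        result = restore_drill(CATALOG, incident, compromise)
        print(label, "->", {k: v for k, v in result.items() if k != "files"})
```

Run as-is, the drill shows the two ways a nominally fine backup schedule fails: the newest snapshot is rejected because one file no longer matches its recorded hash, and once the suspected dwell time is taken into account the only trustworthy snapshot is old enough that the 24-hour RPO is missed, even though the restore itself is fast. In a real drill the restore would copy to an isolated host and the elapsed time would be the figure compared against the RTO.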
4. Emergency plan & trainings
Establish an emergency management system that is tailored to your company and its processes. This should be consciously lived by the responsible persons, i.e.: train your employees regularly on the matter. Create emergency drills for all conceivable scenarios so that the correct behavior can be called up quickly and routinely in the event of an attack.
5. Insurance
The extent to which you should insure your systems against cybercrime depends on various factors, some of which are very individual. In any case, however, pay attention to the service portfolio of the insurance companies. In addition to covering possible ransom sums, services such as emergency assistance and IT forensic analyses should also be included.
Conclusion: Targeted precaution pays off!
The good news is that you can save yourself the follow-up costs of ransomware attacks. Instead, invest in holistic and sustainable IT security at an early stage. Because unlike downtime, ransomware and repairs, a well thought-out security concept pays directly towards a secure, successful future. So that you can continue to benefit from the interconnectedness of the world without having to experience its downsides.
(jw)
Sources:
- 1 https://www.deutschlandfunk.de/unsichere-handelswege-piraten-vor-afrikas-kuesten.724.de.html?dram:article_id=493309
- 2 https://www.lto.de/recht/hintergruende/h/ever-given-havarie-wer-zahlt-schaden-suezkanal-festgesetzt-crew-eigner-ladung-verfahren/
- 3 https://www.zoll.de/DE/Fachthemen/Zoelle/Brexit/Brexit-Zoll/brexit-zoll_node.html
- 4 https://www.logistik-watchblog.de/recht/3095-brexit-versand-huerde-kaeufer-umsatzverlust-haendler.html
- 5 arte Dokumentationen Brexit: More Borders, More Problems. British Exports sowie Brexit Borders: Brexit Fishing Industry Wales
- 6 https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Ransomware.pdf
- 7 https://de.wikipedia.org/wiki/WannaCry oder https://darknetdiaries.com/episode/73/
- 8 https://www.golem.de/news/fedex-tnt-verliert-durch-notpetya-300-millionen-us-dollar-1709-130192.html oder https://darknetdiaries.com/episode/54/
- 9 Harvard Business Manager, Print-Ausgabe 08/2021, Seite 55
- 10 https://www.datensicherheit.de/dreifach-erpressung-neuartigkeit-ransomware-masche
- 11 Harvard Business Manager, Print-Ausgabe 08/2021, Seite 55
- 12 https://portswigger.net/daily-swig/ransomware-attacks-on-shipping-logistics-organizations-rising-as-coronavirus-vaccine-supply-chain-targeted
- 13 https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Ransomware.pdf
- 14 https://www.datto.com/blog/downtime-the-true-cost-of-a-ransomware-attack
- 15 https://www.zdnet.de/88394716/ransomware-doppelte-erpressungsangriffe/
- 16 https://secure2.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf und https://www.nzz.ch/wirtschaft/ransomware-warum-zahlreiche-firmen-loesegeld-zahlen-duerften-ld.1489507