Ransomware still threatens the automotive industry

Ransomware, widely considered to be the fastest-growing malware hazard of the 21st century, continues to threaten the uptime, profits and brand reputation of the automotive industry. Recent victims like Renault and Nissan only partially reflect the magnitude of the threat, which is global in scope and continues to expand at a frightening pace.

by James R. Slaby

Automotive executives need to deploy a battery of technologies, procedures and policies to prevent ransomware attacks from bringing down critical business systems across the enterprise, from the back office to the factory floor.

Ransomware is a type of malicious software that infects computer servers, desktops, laptops, tablets and smartphone, infiltrating through a variety of mechanisms and often spreading laterally across a business from one machine to another. Once it infects a system, the virus quietly encrypts every data file it finds, then displays a ransom note to the user. The extortion message starts by demanding an online payment of anywhere from hundreds to thousands of dollars (generally in some untraceable cryptocurrency like Bitcoin) in return for the decryption keys needed to restore the user’s locked files. The demand often includes a series of deadlines for payment: each missed deadline leads to a higher ransom demand and perhaps some destroyed files. If the victim doesn’t pay up, the attacker discards the decryption keys, making the data permanently inaccessible.

A notorious example of a ransomware attack that hit automakers hard was the 2017 WannaCry outbreak, which afflicted over 200,000 computers in over 150 countries. At both France’s Renault and its Japanese alliance partner Nissan, so many systems were brought down by this attack that both were forced to temporarily idle some of their plants in Europe. Facilities in France, Slovenia and Romania were hit so hard that Renault was forced to temporarily shut down industrial activity at them; at least one facility remained offline for days.

Ransomware attacks have also wreaked extensive downtime and economic harm on many other industries, from the UK’s National Health Service to financial institutions and transportation systems around the world. For example, Danish transportation and logistics giant Maersk suffered $300M of business interruption losses due to a ransomware attack. The downtime forced a 20% drop in its shipping volume when it had to fall back to manual operations during the recovery effort, which required Maersk to re-install 4000 servers, 45,000 PCs, and 2500 applications over ten days.

FedEx was the victim of another costly attack, reporting losses of $300M after its European subsidiary TNT Express suffered widespread disruption to its shipping operation from the late-2017 NotPetya ransomware outbreak. After the attack, FedEx also set aside an additional $75M to more securely integrate its IT operations with those of TNT Express. The spring of 2018 brought headlines of ransomware attacks on the City of Atlanta, Georgia in the USA, as well as airplane manufacturing giant Boeing.

Tech vendor Nuance reported that a ransomware attack it suffered in the fall of 2017 cost it $68M in refunds to customers for service disruptions and another $24M in cleanup costs.

These examples are just some of the higher-profile ones from recent months. Various researchers have shown that ransomware has affected a total of 55% of businesses. Just the amount of ransom that criminals are successfully collecting from victims shows an alarming trend: total ransoms surged from $325M in 2015 to $5B in 2017, and are projected to reach $11.5B by 2019. But as examples like Maersk, FedEx and Nuance show, the total damage of ransomware attacks -- including the costs of business interruption, attack recovery and forensics, damage to brand equity, lost customers and compliance violation fines -- are far greater. For example, the global costs of the WannaCry epidemic are estimated to total a whopping $8B.

The reasons for the rapid growth of this particular category of malware are mostly attributable to its evolution from a one-time cottage industry to a modern, criminal version of the software-as-a-service business. Ransomware gangs copied the model of tech vendors like Salesforce.com, continually and rapidly developing and improving their product and relying on a network of distributors to get it onto as many machines as possible through various techniques. In the case of ransomware, the distributors are lower-level, unskilled criminals that use a variety of techniques to attack victims, including phishing emails with infected web links or attachments, fake websites that invisibly download malware to users that visit them, and infiltration of popular industry-specific websites like GitHub. Exploiting operating system vulnerabilities that are not widely known (so-called zero-day exploits) and thus likely to be unpatched are another popular technique, one used in both the WannaCry and NotPetya ransomware outbreaks.

Under this so-called ransomware-as-a-service model, criminal software engineers are constantly turning out new variants of ransomware to take advantage of various vulnerabilities in operating systems, applications and user behaviors, staying one step ahead of business IT and security staffers and the tech vendors they rely on for defensive measures. In parallel, these ransomware gangs have also developed sophisticated distribution, monitoring, notification and payment infrastructures which they make available to their “distributors” for free. All a would-be criminals needs to do to get into the ransomware distribution racket is to download some very simple-to-use software tools and start spreading the virus around. The developers and the distributors then split the profits of victims who pay the ransom.

In the face of this rapidly-growing threat, automakers can take some concrete steps to protect their systems from the business disruptions and high costs of successful ransomware attacks. Step one is to start educating employees on the techniques that ransomware distributors use, teaching them to be wary of the email links they click on, websites they visit, and attachments they open.

Good network and security hygiene measures remain important, like segmenting networks to make it harder for ransomware to spread from system to system, keeping endpoint anti-malware software up-to-date, and patching known vulnerabilities in operating systems and applications as quickly as possible.

Finally, given the high success rate of ransomware attacks, it is critical to institute a rigorous backup regimen and keep multiple copies of critical business data both locally, offsite and in the cloud.  Backup remains the most foolproof defense against ransomware: if your systems are compromised, you simply identify the onset to the attack and restore your systems from clean backups created before the incursion.

Law enforcement and security experts agree that paying the ransom is a very poor defense: over half of ransomware victims who pay do not successfully recover their files, either because the extortionists fail to deliver the promised keys, or have implemented the encryption/decryption algorithms so poorly that the keys don’t work.

To avoid becoming victims to the next widespread ransomware attack, the automotive industry will have to deploy the basic measures outlined above, and consider deploying leading-edge technologies for ransomware defense like Acronis Active Protection, a free extension to Acronis Cyber Backup that uses machine learning to identify ransomware attacks in progress, instantly terminate them, and automatically restore any damaged files.

For case studies of enterprises that have used Acronis Active Protection to effectively protect themselves against ransomware attacks, see these stories on auto dealership Ready Honda, electronics manufacturer Johnson Electric, and aluminum refining giant Hydro Alunorte.

Learn how of a leading European automaker is protecting its factory-floor systems with Acronis Backup with Active protection, read this case study. For details on how Active Protection works, read our whitepaper.