Ransomware Through the Supply Chain: Are Organizations Prepared for the New Normal?

Ransomware has been a persistent nightmare for security professionals throughout the last decade. These attacks cost organizations $590m in the first half of 2021 alone. The latest angle that cyber-criminals are using is leveraging the software supply chain to expose significant vulnerabilities and extort ransoms from a vast field of downstream stakeholders. As these attacks become more prevalent, organizations must understand their place in the supply chain ecosystem to remain secure.

Understanding the Supply Chain

The potential impact of a ransomware attack through the supply chain is substantial. Last July, Kaseya, an IT solutions developer, reported that hackers carried out an attack by leveraging a vulnerability in Kaseya’s VSA software. Although less than 0.1% of the company’s customers were compromised in the breach, it still impacted 800 to 1500 small to medium-sized companies.

This incident, while relatively small, clearly demonstrates how a seemingly small breach at a software developer can have outsized impacts on companies that may not be able to defend themselves properly. Some may quibble over whether this counts as a supply chain attack, but for the customers of Kaseya, it sure felt like one.

Put simply, organizations fall into one of two roles in the overall supply chain: supplier or consumer; sometimes, organizations have both roles. Regardless of its core business model, any organization that creates technology is a supplier and has a measurable population at risk. Conversely, businesses that are strictly consumers of technology are rare. As a result, most fall into the center of this Venn diagram, both consuming and supplying technology.

For example, a bank that provides services but also has software developers to create its own internal tech has an ongoing in-and-out flow that makes cybersecurity shockingly complex. Ransomware attacks will impact customer organizations that are two or three layers removed from the target, and a failure to understand the supply chain ecosystem allows this collateral damage to fester.

Attackers Won’t Need to Shift Their Methods if Security Practices Fail to Change

Cyber-criminals are proficient – and rapidly improving – at combining traditional attack methods with malicious ransomware binaries. This devastating combination is picking up steam fast. Additionally, attackers are aware that many companies do not understand how to plug their supply chain vulnerabilities properly.

So what should organizations do about it? How can they protect against a threat that leverages such a complex but necessary business process?

It is obvious that pinpointing where the organization stands as a software supplier or consumer (or both) is a critical first step. From there, teams will be able to manage and monitor their data within the supply chain through a new lens and increase the likelihood of catching an attack in its infancy.

As most organizations supply and consume software, it’s necessary to secure and understand the data connected to internal and third-party avenues of attack. Data is central to business transactions, and teams must work diligently to control it at rest and in motion to prevent a breach. Data locality is a critical component of this strategy. Security teams must prioritize covering every base of the supply chain and fully locate, classify and protect all the data within. This is impossible without a clear understanding of the organization’s software supply chain ecosystem.

Additionally, secure data exchange is unattainable without trust and constant communication with the third parties – the suppliers – that are upstream in the chain. Imagine leaving your pet with an unfamiliar sitter while you go on vacation without checking references or background. It’s pretty high-risk to trust something so precious to the hands of a faceless stranger, right? Now imagine leaving an essential component of your most vital corporate software development project in the hands of a complete stranger.

It’s crucial to ensure that all data stakeholders are legitimate, and this due diligence will provide a solid wall of defense against hackers looking for a misstep in the target’s supply chain.

Ultimately, these attacks are inevitable, but security teams can take several steps to soften the blow:

  • Conduct thorough defense assessments. Study common ransomware vectors, and put them up against the organization’s unique vulnerabilities.
  • Develop an incident response plan. Map out technical responses, key contacts, primary decision-makers and strategies for ransom demands.
  • Create an incident recovery plan. How will your organization restore locked systems/data, respond to public/customer queries and handle other communication issues?

Ransomware through the supply chain is a critical threat but not unstoppable. We learn lessons with every significant attack, and organizations are working rapidly to develop a broader understanding of their software supply chains. A clear understanding of the suppliers, stronger asset knowledge and malleable, pivot-ready action plans will all contribute to reducing vulnerabilities as attackers continue to improve their use of the supply chain in ransomware attacks.