Sierra Wireless Becomes Latest Ransomware Attack Victim
Sierra Wireless, one of the world’s leading IoT solutions providers, recently announced it was a victim of a ransomware attack.
On March 23, 2021, Sierra Wireless announced that on March 20, 2021 it had discovered it was the victim of a ransomware attack.
In a ransomware attack, the victim's files are encrypted so that the victim can no longer access them. The attacker then demands that the victim pay a specified amount in exchange for the decryption key that would unlock the encrypted files.
In recent months, it has become a trend among ransomware attackers to add a second demand: payment in exchange for not publishing data stolen during the attack, a tactic often called double extortion. In the case of the Sierra Wireless attack, it was not disclosed whether the attackers made such a second demand, or whether the company paid any ransom.
As a result of the attack, Sierra Wireless said it halted production at its manufacturing sites. The company added that its corporate website and other internal operations had also been disrupted.
Sierra Wireless also said it was withdrawing its First Quarter 2021 guidance, which it had released in February 2021 together with its 2020 full-year revenue.
Sierra Wireless reported total revenue of $448.6 million for 2020, and had projected revenue of $109.9 million for the First Quarter of 2021. In its March 26th update on the attack, Sierra Wireless said it had resumed production and begun recovering its internal systems.
“Sierra Wireless maintains a clear separation between its internal IT systems and its customer-facing products and services,” the company said. “Sierra Wireless believes that the impact of the attack was limited to Sierra Wireless’ internal systems and corporate website, and that its products and connectivity services were not impacted, and its customers’ products and systems were not breached during the attack.”
The company added that it does not expect any product security patches, or firmware or software updates, to be required as a result of the attack.
Prevalence of Ransomware Attacks
IBM reported that ransomware was the cause of nearly one in four real-life cyberattacks worldwide that the company responded to in 2020. IBM added that ransomware attacks in 2020 were “aggressively evolving to include double extortion tactics.”
According to IBM, the group behind the ransomware called “Sodinokibi” – the most commonly observed ransomware group in 2020 – earned over $123 million in 2020, with nearly two-thirds of its victims paying a ransom. IBM added that the group behind Sodinokibi stole approximately 21.6 terabytes of data from victims, and that approximately 43% of ransomware victims had their stolen data leaked publicly.
IBM further reported that Sodinokibi and the other successful ransomware groups in 2020 were focused on stealing and publishing the data of victims who refused to pay ransom.
IBM added that the most successful ransomware groups in 2020 were focused on creating ransomware-as-a-service cartels. In ransomware-as-a-service, one group (the operator) maintains the ransomware code and infrastructure, while other groups, known as affiliates, distribute it by whatever means they choose, typically in exchange for a share of the ransom.
In the blog post “McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us,” McAfee Labs reported that while Sodinokibi affiliates used different modus operandi, many of the intrusions it observed started with a compromise of Remote Desktop Protocol (RDP) – a proprietary protocol developed by Microsoft that allows Windows users to remotely connect to another Windows computer.
RDP servers exposed to the internet, protected only by weak passwords and without multi-factor authentication (MFA), VPN access, or other controls in front of them, are of particular interest to attackers. Such servers are often compromised via brute force, in which the attacker submits many username and password combinations in the hope of guessing a valid one, or via password spraying, in which a few common passwords are tried against many accounts to stay under lockout thresholds.
“Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations,” Microsoft Defender Security Research Team said in the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks."
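The detection side of the RDP brute-force pattern described above, as an added example that is not code from Sierra Wireless, McAfee ATR, or Microsoft's blog: a small Python script that walks Windows Security log records in chronological order, counts failed logons (Event ID 4625) per source IP inside a sliding time window, and raises a second, more urgent alert when a successful logon (Event ID 4624) from the same source follows a burst of failures. The simplified key=value line format, the sample log lines, the five-failures-in-five-minutes threshold, and the choice to count both LogonType 10 and LogonType 3 are assumptions made for this example and would be tuned to a real deployment.

```python
"""Detect RDP brute-force activity in Windows Security log records.

Added example for this article; not code from Sierra Wireless, McAfee ATR
or Microsoft. The event IDs are real Windows ones (4625 = failed logon,
4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. RDP), but the
key=value line format, the sample lines and the threshold/window values are
assumptions made for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real data. 203.0.113.7 sprays usernames and then
# logs on successfully; 198.51.100.20 is a legitimate user who mistypes a
# password twice; the LogonType=2 line is a console logon that must be ignored.
SAMPLE_LOG = """\
2021-03-20T02:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-03-20T02:00:02 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2021-03-20T02:00:03 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=root
2021-03-20T02:00:04 EventID=4625 LogonType=3 IpAddress=203.0.113.7 TargetUserName=guest
2021-03-20T02:00:05 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=sysadmin
2021-03-20T02:00:06 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=jsmith
2021-03-20T02:00:07 EventID=4625 LogonType=2 IpAddress=- TargetUserName=helpdesk
2021-03-20T02:00:30 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=jsmith
2021-03-20T02:10:00 EventID=4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
2021-03-20T02:10:15 EventID=4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
2021-03-20T02:10:40 EventID=4624 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)

# With Network Level Authentication enabled, failed RDP attempts are commonly
# recorded as LogonType 3 (network) rather than 10, so both are counted here.
RDP_LOGON_TYPES = (10, 3)


def parse_line(line):
    """Parse one key=value record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["event_id"]),
        "logon_type": int(m["logon_type"]),
        "ip": m["ip"],
        "user": m["user"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5),
                          logon_types=RDP_LOGON_TYPES):
    """Return alerts as (timestamp, kind, source_ip, detail) tuples.

    BRUTE_FORCE fires once per burst when `threshold` failed logons from one
    source IP fall inside `window`. SUCCESS_AFTER_BRUTE_FORCE fires when the
    same source then logs on successfully while its burst is still inside the
    window: the signal that a guessed credential may have worked.
    Lines are expected in chronological order, as exported from the log.
    """
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    users_tried = defaultdict(set)  # source ip -> distinct usernames attempted
    alerted = set()                 # source ips with an open BRUTE_FORCE alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["logon_type"] not in logon_types:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if not recent:
            alerted.discard(ip)      # burst has aged out; allow a new alert
        if ev["event_id"] == 4625:
            recent.append(ts)
            users_tried[ip].add(ev["user"])
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ts, "BRUTE_FORCE", ip,
                               f"{len(recent)} failed logons within "
                               f"{int(window.total_seconds())}s across "
                               f"{len(users_tried[ip])} usernames"))
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append((ts, "SUCCESS_AFTER_BRUTE_FORCE", ip,
                           f"{ev['user']} logged on after {len(recent)} "
                           f"recent failures"))
    return alerts


if __name__ == "__main__":
    for ts, kind, ip, detail in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:<26} {ip:<15} {detail}")
```

On the sample log this produces one BRUTE_FORCE alert for 203.0.113.7 at the fifth failure and one SUCCESS_AFTER_BRUTE_FORCE alert when that source logs on as jsmith, while the legitimate user's two mistyped passwords produce nothing. The second alert kind is the one worth paging on: a burst of failures from the internet is background noise on any exposed RDP host, but a success from the same source inside the same window is the point at which the follow-on activity described by Microsoft (ransomware deployment, coin mining) can begin.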
Cybersecurity Best Practices Against Ransomware
Network segmentation is one of the cybersecurity best practices for protecting your organization’s network from ransomware. In network segmentation, the IT network is divided into sub-networks with controlled traffic between them, so that a compromise of one segment cannot spread freely to the others. In the case of the Sierra Wireless attack, the company said it maintains a clear separation between its internal IT systems and its customer-facing products and services, which is why it could report that the attack was limited to its internal systems.
It’s also important to back up your organization’s critical data regularly, following the 3-2-1 backup rule: keep 3 copies of critical data, on 2 different media, with 1 copy kept offsite for disaster recovery. Because ransomware operators routinely look for and encrypt or delete any backups reachable from the compromised network, the offsite copy should be offline or otherwise not writable from production systems, and restores should be tested regularly so that the backups are known to work before they are needed.
As noted above, RDP servers exposed to the internet are one of the favorite entry points of ransomware attackers. Where possible, do not expose RDP directly to the internet at all; where remote access is required, place it behind a VPN or remote access gateway, require MFA, enforce strong passwords and account lockout, and monitor failed logons for brute-force patterns.
Steve E. Driz, I.S.P., ITCP