The dangers of Ransomware as a Service


One of the worst things a trucking company can do is assume it’s safe from a cyberattack because it’s a small fleet. Many people think hackers are after the bigger organizations because it means bigger payouts, but companies of all sizes are at risk as the cybercrime landscape is shifting.

Ransomware has been around since the late '80s, with some of the first ransomware promulgated on floppy disk, Artie Crawford, director of cybersecurity at the National Motor Freight Traffic Association, said during the recent “Not Your Average Ransomware” webinar.

Back then, ransomware, which has since become the top cybersecurity concern for the trucking industry, wasn’t as dangerous as it is today because the cost of entry was much higher. Now it’s available to purchase, enabling less sophisticated attackers to launch highly effective ransomware campaigns.

“I would estimate that better than half of the attacks out there today are facilitated by some RaaS (Ransomware as a Service) affiliate,” Crawford said. “I've seen numbers that range in the 60s and 70s (percent). I think the numbers are much higher than what we're seeing out there just because we tend not to report a lot of them.”

He said a significant portion of the cyber threat landscape today is shifting from traditional ransomware to RaaS.

Hacker vs. hacktivist

The difference between ransomware and RaaS is the motivation behind it, said Ben Wilkens, cybersecurity principal engineer at NMFTA.

Ransomware, he said, is ideologically motivated. The threat actor – or what in this case is called a hacktivist – is driven by an economic or political purpose. They target an organization, not necessarily to get paid a ransom, but to teach a lesson or to inflict financial pain upon a company to have a larger impact. They also often are the ones who create the ransomware.

Threat actors who use RaaS, however, are typically in it to make a quick buck, he said.

“Ransomware as a Service is truly one of these aspects of I'm not targeting anybody; I'm targeting everybody,” Crawford said. “It's like holding a shotgun and just shooting it to the sky and hoping that something falls out. You don't know what you're trying to hit; you don't know if you're going to hit it, but I'm using this Ransomware as a Service platform to try to make something happen.”

Dan Metz, senior director of intelligence analysis at TAM-C Solutions, said these cybercriminals aren’t just targeting large companies. They collectively attack thousands of companies of all sizes, demanding ransoms of differing amounts based on the size of the company.

“Some of these have collectively earned hundreds of millions of dollars in ransoms over the course of their lifetimes,” Metz said. “Notably, a lot of the times the ransoms they are demanding given the size of the organizations they're attacking are anywhere from $100,000 to $200,000. That's the average. You see ransoms of that size, and you think, ‘okay, so they are targeting organizations for which that would be a sizable and a significant ransom,’ drawing in a lot of very small and potentially vulnerable organizations.”

The dangers of RaaS

Metz said RaaS is so dangerous because of its low barrier to entry for threat actors, its scalable and affiliate-driven model, and because it targets a broader range of companies, including small and mid-size fleets.

LockBit, RansomHub, Rhysida, CLOP, and Black Basta are just five of dozens of RaaS threat actors currently attacking organizations around the world.

Metz said the common tactics, techniques and procedures they use to gain initial access to and then persist within an organization vary, but one of the most typical entry vectors is phishing attacks. 

“A lot of times, these might redirect you to a page that attempts to see login credentials for any single person at your organization,” Metz said. “Then once they get access, they can sit and wait and see if they can find other credentials to escalate their presence and gain more administrative privileges and move from there.”

Another common method is exploiting vulnerabilities in a company’s technologies, ranging from routers and modems to unpatched in-house firewall systems.

Mitigating threats

Wilkens said the best means of protecting your company is having good cybersecurity hygiene and an all-hands-on-deck approach.

“There's a lot of risk that goes along with trucking. Driving a truck is dangerous. Operating large numbers of pieces of equipment on the road over an extended period of time, things are going to break, accidents are going to happen. But we don't stop trucking because of that risk,” he said. “The importance of having a good cybersecurity program in place is just like doing preventative maintenance on your equipment or training your drivers on safety.”

Basic steps, Crawford said, include anti-phishing training for employees, a defense in depth security approach, and a well-designed detection and response architecture.

Metz said to identify vulnerabilities that threat actors could exploit and to make sure systems are updated and security patches are installed as soon as they’re available.

And a big concern, he noted, is third-party vendors because many threat actors gain access to trucking companies via integrations with technology providers.

Wilkens said if a vendor that is integrated into your tech stack is compromised, that could quickly turn into a foothold into your organization as well.

“Your vendor’s risk is your risk. Their vulnerabilities are your vulnerabilities,” he said. 

Vet your vendors on the front end, he said. Some questions to ask: Do they perform cybersecurity audits and penetration tests? Do they have a good cybersecurity program in place? What is their protocol if there is a breach, and at what point do they make customers aware?

Wilkens said to make sure the contract you sign includes cybersecurity terms and conditions and to have regular touchpoints with vendors, making cybersecurity part of the conversation when it comes time for contract renewal. “Ultimately, the security of your data is your responsibility,” he said.

Angel Coker Jones is a senior editor of Commercial Carrier Journal, covering the technology, safety and business segments. In her free time, she enjoys hiking and kayaking, horseback riding, foraging for medicinal plants and napping. She also enjoys traveling to new places to try local food, beer and wine.