By Nate Tabak, FreightWaves | Featuring VP, Cybersecurity and DevSecOps David Jarmon
Companies in the supply chain targeted in successful ransomware attacks face an unenviable dilemma. They can pay the perpetrators sums ranging from thousands to millions of dollars to regain access to their encrypted data and systems, or refuse — an option advocated by U.S government agencies and many cybersecurity experts — which carries its own cost.
TFI International (NYSE:TFII), one of the largest trucking and logistics providers in North America, apparently refused to pay after a ransomware gang called DoppelPaymer targeted its parcel carriers in Canada, including Canpar Express. Montreal-based TFI has disclosed little about the attack, but according to its third-quarter financial results the breach cost its parcel and courier business segment C$8 million ($6 million) in revenue and C$3 million in operating income. Some of that cost included extra labor to manually sort packages and envelopes.
All told, if TFI’s parcel carriers had been a standalone company the toll would have amounted to about 10% of the revenue and 5% of its profits for the quarter. “Jesus,” one transportation executive remarked to FreightWaves.
But according to Brett Callow, a threat analyst with cybersecurity firm Emsisoft, TFI did the right thing by its apparent decision not to pay the attackers.
“As long as companies keep paying, there will be ransomware attacks,” Callow told FreightWaves.
Callow tracks groups like DopplePaymer, which operate a sophisticated business of extorting victims by not only denying victims access to their computer systems, but also threatening to post stolen data if they refuse to pay. Since August, companies big and small have been caught up in a surge of attacks targeting the supply chain.
On the dark web — a part of the internet inaccessible through normal web browsers — vast troves of data from the inner workings of global supply chains sit free for the taking, posted publicly by ransomware gangs. They include detailed financial records for millions of dollars in accounts receivable, contracts between shippers and logistics providers, scans of port ID pages, long email threads about shipments, and even hotel receipts from truck drivers. All stolen from companies around the world during cyberattacks.
Their victims include large companies like TFI and Daseke, the U.S. flatbed trucking giant, but also a long list of tiny firms who see their sensitive data posted for all to see. One victim, a British Columbia-based drayage carrier serving the Port of Vancouver, Indian River Transport, doesn’t have a website or internet presence for that matter.
“They should target an industry that is actually making money,” joked President Suzanne Wentt, remarking that she’s more worried about unfair competition from unlicensed drayage operators at Vancouver.
What the leak sites don’t show are the companies that quietly paid either with their own funds or through specialized insurance policies for cyberattacks. For some companies, it’s a simple business decision of picking the option that’s less costly.
“The idea of not paying is good in theory. But if you’re doing hundreds of thousands of dollars in revenue per day and you can’t get it fixed, it may be cheaper to pay them,” a trucking executive told FreightWaves on the condition of anonymity.
A crop of cybersecurity and insurance firms have emerged aimed at protecting companies from the proliferation of ransomware attacks. Their work typically includes classic cybersecurity prevention, but also incident response and in some cases negotiating with the attackers.
David Jarmon, a vice president at cybersecurity firm Gray Analytics and former Department of Defense official, said he takes a nuanced view on whether companies should pay attackers.
“You hear that most security practitioners will tell you, ‘Don’t pay the ransom,’” Jarmon said. “I don’t necessarily subscribe to that. It’s a business decision based on revenue. But paying the ransom should be absolutely the last resort.”
The payments themselves also can themselves get into a legal gray area. The U.S. Department of the Treasury’s Office of Foreign Assets Control recently warned that the payments to cybercriminals could run afoul of U.S. laws if the recipients are subject to sanctions. The office noted that companies that facilitate those payments could face fines, noting that they encourage the proliferation of ransomware attacks.
Callow, for his part, argues that companies should think about ransomware attacks on less individual terms.
“This is like climate change,” Callow said. “It’s a collective action. Solving it requires doing the right thing, or being made to do the right thing.”