Global organisations say they are increasingly at risk of ransomware compromise via their extensive supply chains.
Out of 2,958 IT decision makers across 26 countries in North and South America, Europe, and APAC, 79 per cent believe their partners and customers are making their organisation a more attractive ransomware target, according to the latest research by Trend Micro.
Fifty-two per cent of the global organisations surveyed say they have a supply chain partner that has been hit by ransomware.
Supply chain and other partners include providers of IT hardware, software and services, open-source code repositories, and non-digital suppliers ranging from law firms and accountants to building maintenance providers. They make for a web of interdependent organisations.
“Supply chains are an attractive target because they can offer either a poorly defended access vector and/or an opportunity to multiply illicit profits by infecting many organisations through a single supplier,” the research report notes.
An example of this is the compromise of IT management software provider Kaseya in 2021. Through a sophisticated attack, hackers exploited an internal software vulnerability to push out malicious updates to its managed service provider customers.
They in turn infected downstream customers with ransomware. An estimated 1,500-2,000 organisations were impacted.
Another example is the Log4j vulnerability, which left organisations across supply chains struggling to keep track of and patch the flaw. Firms are still facing problems because they are unable to comprehensively locate Log4j across their systems, owing to complex software dependencies, according to the Trend Micro research.
“Many DevOps teams use third-party components to accelerate time-to-market for their software. But these often introduce vulnerabilities or deliberately planted malware,” according to the research.
The average application development project contains 49 vulnerabilities spanning 80 direct dependencies (components or services called directly by code), while 40 per cent of bugs are found in indirect dependencies (essentially, dependencies of the direct dependencies), according to a recent report from the Linux Foundation.
Transparency is key to supply chain security
Supply chain security can be improved by increasing transparency around cyber risk. However, only 47 per cent of the organisations Trend Micro interviewed share knowledge about ransomware attacks with their suppliers, and 25 per cent don’t share potentially useful threat information with partners.
“This could be because security teams don’t have information to share in the first place. Detection rates were worryingly low for ransomware activities,” according to the research.
The detection rate of ransomware payloads is 63 per cent; for data exfiltration it is 49 per cent, for initial access 42 per cent, and for lateral movement 31 per cent, according to the report.
Steps to mitigate ransomware risk
Mitigation of ransomware risk should start at the organisation level. “This would also help to prevent a scenario in which suppliers are contacted about breaches to pressure their partner organisations into paying up,” according to the research.
In the last three years, 67 per cent of respondents who had been attacked experienced this kind of blackmail to force payment.
While ransomware mitigation starts inside the firewall, the research suggests that it must then be extended to the wider supply chain to help reduce the risk from the third-party attack surface.
One of the best practices to reduce risk is to gain a comprehensive understanding of the supply chain itself, as well as corresponding data flows, so that high-risk suppliers can be identified.
“They should be regularly audited where possible against industry baseline standards. And similar checks should be enforced before onboarding new suppliers,” according to the research.
Other recommended practices include scanning open-source components for vulnerabilities and malware before they are used and built into CI/CD (continuous integration/continuous delivery) pipelines; running XDR (extended detection and response) programs to spot and resolve threats before they can make an impact; and running continuous, risk-based patching and vulnerability management.
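The two dependency-related points above, the split between direct and indirect dependencies and the practice of checking components against known vulnerabilities before a build proceeds, can be made concrete with a small pipeline gate. The following is an added illustration, not code from Trend Micro, the Linux Foundation or any project the article names. The dependency graph and the advisory feed are constructed sample data, and every package name, version and advisory id in it is a hypothetical placeholder; in a real pipeline the graph would come from a lockfile or SBOM and the advisories from a vulnerability database.

```python
"""Classify known-vulnerable components in a project's dependency tree as
direct or indirect (transitive) and gate a CI/CD build on the result.
Added example; all data below is constructed and hypothetical."""
from collections import deque

# Constructed sample data standing in for a resolved lockfile or SBOM.
# Keys are "name@version"; values are what that component depends on.
DEP_GRAPH = {
    "webapp@1.0.0": ["http-client@2.3.0", "log-lib@1.4.0", "json-parse@5.1.0"],
    "http-client@2.3.0": ["tls-shim@0.9.1", "url-util@3.0.0"],
    "log-lib@1.4.0": ["fmt-core@2.0.0"],
    "json-parse@5.1.0": [],
    "tls-shim@0.9.1": ["fmt-core@2.0.0"],
    "url-util@3.0.0": [],
    "fmt-core@2.0.0": [],
}

# Constructed advisory feed: component -> advisory id (placeholder ids,
# not real CVEs).
ADVISORIES = {
    "log-lib@1.4.0": "ADV-PLACEHOLDER-0001",
    "fmt-core@2.0.0": "ADV-PLACEHOLDER-0002",
}


def resolve(root, graph):
    """Breadth-first walk from root. Returns {component: depth}, where depth 1
    is a direct dependency and depth >= 2 is indirect. Because the walk is
    breadth-first, the shortest path wins, so a component reachable both
    directly and transitively is counted as direct."""
    depth = {}
    queue = deque((child, 1) for child in graph.get(root, []))
    while queue:
        comp, d = queue.popleft()
        if comp in depth:
            continue  # already reached by a shorter path
        depth[comp] = d
        for child in graph.get(comp, []):
            if child not in depth:
                queue.append((child, d + 1))
    return depth


def find_vulnerable(root, graph, advisories):
    """Cross-reference the resolved tree with the advisory feed. Returns a
    sorted list of (component, advisory_id, kind) with kind 'direct' or
    'indirect'. Indirect hits are the ones a manifest-only check misses."""
    findings = []
    for comp, d in sorted(resolve(root, graph).items()):
        if comp in advisories:
            kind = "direct" if d == 1 else "indirect"
            findings.append((comp, advisories[comp], kind))
    return findings


def build_allowed(findings, fail_on=("direct", "indirect")):
    """CI gate: returns False if any finding of a blocked kind is present.
    Pass fail_on=("direct",) to warn on, rather than block for, transitive hits."""
    return not any(kind in fail_on for _, _, kind in findings)


if __name__ == "__main__":
    results = find_vulnerable("webapp@1.0.0", DEP_GRAPH, ADVISORIES)
    for comp, adv, kind in results:
        print(f"{kind:8} {comp:20} {adv}")
    print("build allowed:", build_allowed(results))
```

In the constructed data, one of the two findings sits in a transitive dependency (fmt-core is pulled in by log-lib and tls-shim, never by the project itself), which is exactly the class of component the article says firms struggle to locate. A check that only reads the project's own manifest would see the log-lib hit and miss the fmt-core one.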
Supply chain attacks increase
Meanwhile, other research shows that cyber attacks on supply chains are increasing. They rose by 51 per cent during the period July to December 2021, according to a report from NCC Group research released in April.
The study surveyed 1,400 cyber security decision makers and found that 36 per cent believed that they are more responsible for preventing, detecting, and resolving supply chain attacks than their suppliers.
The NCC research found that only one in three businesses surveyed were confident they could respond quickly and effectively to a supply chain attack. Of the organisations surveyed, 34 per cent said they would be very resilient in the event of such an attack.