On the evening of July 2, IT software management provider Kaseya announced that threat actors had successfully targeted its on-premises VSA server software technology, which is used by multiple Information Technology (IT) managed service providers (MSPs) to manage and monitor computers remotely. Initial reports suggest that the threat actors exploited a 0-day software vulnerability, and Kaseya’s CEO stated that “We will release that patch as quickly as possible to get our [on-prem] customers back up and running.” The threat actor in this context appears to be REvil, the same threat actor group behind numerous other ransomware attacks including on meat processor JBS. The scope of impact is not yet fully understood.

On Sunday, May 30^th, JBS SA determined its information technology (IT) systems were compromised by a ransomware attack. In response to the attack, JBS SA suspended its North American and Australian computer systems, shutting down its beef processing operations in the U.S., Australia, and Canada while severely disrupting operations at poultry and pork plants.

On Wednesday, May 12, President Biden signed an extensive Executive Order (E.O.) on Improving the Nation’s Cybersecurity. The E.O. is primarily directed at federal departments and agencies, and federal contractors, but its implementing standards will likely have a much broader impact across critical infrastructure sectors and related technology suppliers.

On Saturday, May 8^th, Colonial Pipeline confirmed that its information technology (IT) systems were compromised by a ransomware attack. As a precaution, Colonial temporarily halted operational technology (OT) functions across four of its mainlines that transport gasoline, diesel, and jet fuel, stretching from Texas to New Jersey.

On December 8th, FireEye, a leading cybersecurity provider, reported that a sophisticated threat actor had infiltrated its network and accessed proprietary penetration testing tools. Upon further investigation, the firm uncovered a global cyber intrusion campaign, which trojanized a software update to a widely deployed SolarWinds IT management software product. Nation-state actors, likely of Russian origin, subverted SolarWinds’ software supply chain and inserted malicious code into the company’s Orion software product update. Because the SolarWinds Orion solution is used by thousands of large organizations, and is often enabled with elevated privileges, it is a valuable target for adversary activity.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Health & Human Services (HHS) issued a joint alert October 28 that they had “credible information” of an “increased and imminent” cybercrime threat to U.S. hospitals and healthcare providers. In the last week, at least six U.S. hospitals have been hit by Ryuk ransomware within 24 hours by the cyber criminals behind Trickbot and Ryuk. Separate reporting indicates that healthcare organizations in Oregon, upstate New York, Minnesota, and Vermont have been infected.

For the last decade, the public and private sectors have faced increasing complications managing complex and dispersed international supply chains. The issues confronted are extensive, including physical and cybersecurity vulnerabilities, trade and customs compliance, the threat of malign foreign influence, and supply chain resiliency. In 2020, these trendlines have accelerated further, with organizations now having to manage the COVID-19 pandemic, heightened geopolitical tensions, and natural disasters, creating a series of disruptions unrivaled in modern history.

Last month the Court of Justice of the European Union (CJEU) issued one of the most significant decisions in the court’s history, invalidating Privacy Shield, an important but relatively obscure agreement used to facilitate the transfer of private customer data between the U.S. and Europe, and also calling into question several privacy-related mechanisms. The decision has left widespread uncertainty and turmoil in its wake, threatening to further damage trans-Atlantic commerce amidst a global pandemic and strengthen Chinese and Russian efforts to push their own model of “privacy.” Now is the time work with our allies on privacy and economic recovery, not to cut off our nose to spite our face.

In June 2020, a software exploit dubbed GoldenSpy was observed targeting corporations doing business in China – the underlying executable file was part of required tax software. Companies were required to install the software to enable payment of local Chinese taxes, and the software’s backdoor enabled command and control of victim systems and remote code execution.

The first half of 2020 has yielded multiple significant developments on ransomware and related disruptive attacks – including new targets and evolving tactics, techniques and procedures (TTPs). These trends require priority attention across all functions with security-related responsibilities. By better understanding these events and their risk implications, our clients and partners can more effectively manage ransomware risk and apply appropriate safeguards.