Minnesota trucking company hit in 2nd ransomware attack
After some of Minnesota trucking and logistics company Bay & Bay Transportation's IT systems started acting up on Dec. 1, it soon became apparent that the cause was something familiar -- and alarming: a ransomware attack. Hackers intent on extorting the Eagan-based carrier had deployed malware to encrypt data on the company's systems. The company had been down this road before.
A ransomware attack in 2018 crippled its systems and led the company to pay the criminals. "The good part of it is we have a lot better tools, systems and processes than we did three years ago, but we knew it was bad because the spread was more heinous than the other one," Wade Anderson, Bay & Bay's chief information officer, chief technology officer and head of marketing, told FreightWaves. The company was targeted by a ransomware gang called Conti.
The group -- a so-called ransomware-as-a-service provider -- provides malware, an extortion platform and support to affiliates, who get a percentage of the payments made by victims. Conti has been linked to hundreds of attacks, including multiple U.S. transportation and logistics companies. Anderson initially said that the attack had "brought down most everything" that wasn't on the cloud.
In a subsequent interview, he said that the ransomware only impacted some of its systems and "a small minority" of desktop computers, but that everything was shut down as a precaution. The company, he said, had measures in place to minimize the impact, including network segmentation. The company was able to return to "90% functionality" within about a day and a half, he said.
He credited quick action, training and cloud-based backups with enabling a rapid recovery. "We're good at recovering from outages," he said. "This one was more challenging because Conti itself is really nasty."
Criminals exploited vulnerability in server
Bay & Bay, which has a fleet of over 400 power units, disclosed the attack after Conti began posting data stolen from the company to the dark web. Groups like Conti typically do this after victims refuse to pay their ransom demands.
The carrier was attacked through a known vulnerability in a Microsoft Exchange server, Anderson said. Microsoft released an update on Nov. 9 to fix multiple security issues with Exchange. The company hadn't run the update yet, Anderson said.
"We run our patches monthly and hadn't gotten to our next monthly cycle," he said. Anderson said there is evidence that the attackers gained access before the patch was released, suggesting that the update might not have prevented the intrusion.
Why Bay & Bay refused to pay
In contrast to its response to the attack in 2018, Bay & Bay refused to pay. Anderson said the company was in a better position to recover on its own instead of paying the criminals for the key to decrypt its data.
Another big reason: Paying ransoms can be illegal. Anderson has been very open about Bay & Bay's experience with its previous ransomware attack, which happened just days after he became CIO. It involved a variant of SamSam ransomware.
"We were outgunned, and they had us," Anderson wrote in 3PL Perspectives in 2019. The incident, he wrote, led to significant changes in the company's approach to cybersecurity. While Bay & Bay appears to have fared better this time, avoiding the kind of catastrophic outage ransomware attacks have brought companies like Forward Air, the incident was still significant.
A freight technology executive told FreightWaves that while the carrier appears to have recovered relatively quickly, its decision to not promptly run the Microsoft Exchange patch was troubling. "Critical patches are critical for a reason," said the executive, who asked that his name not be used. Bay & Bay engaged third-party cybersecurity experts shortly after the attack and notified law enforcement.
A forensic investigation is underway to determine how the attack occurred and the extent of any data breach. Conti has released a small amount of data that it claims to have stolen from the carrier, including what appears to be some sensitive employee information. It has threatened to release more data.
While the company wouldn't comment on what data may have been compromised, Sam Anderson, Bay & Bay's CEO and president, said the company will take steps to protect anyone affected. "We're most concerned about the employees of the company," said Anderson, who isn't related to Wade Anderson. "If there is any of their personal information that has been leaked, we want to try to figure out whose information [it is], how much, and then take the necessary precautions to prevent anything from happening to those people." Sam Anderson also lauded the company's response.
"At this point, we've survived and have had almost no business disruption for our customers," he said. "Our employees have been working around the clock to make sure that our drivers and our customers don't feel the impacts of this criminal activity." Anderson said the attack should serve as a reminder to the wider transportation and logistics industry, especially smaller carriers, that "we're all vulnerable" to cyberattacks. "Unfortunately, even with the resources of these massive tech giants, they can't even protect us," he said.
Companies don't get hit twice very often
Brett Callow, a threat analyst with cybersecurity software firm Emsisoft, said companies generally take a hard lesson from their first ransomware attack and take steps to avoid a repeat.
"Most companies do learn their lesson and bolster their defenses after an incident," Callow said. "You've got to remember that most attacks succeed because of a fairly basic security failing. So after an incident, most companies do take steps to try to make sure the same thing doesn't happen, and they will take security more seriously than they previously did." Still, sometimes companies do get hit again.
"It's not common, but it does happen -- it has even happened to some large companies," Callow said. Australian logistics giant Toll Group is among those companies. It was hit in ransomware attacks twice within three months in 2020.
Wade Anderson said he expects lessons from the latest attack will lead to more cybersecurity improvements.
"Obviously, every company going through this should get better, stronger," he said. "We did a few years and continued to invest in security."