(This is a contributed guest column.)
The Everest Ransomware group appears to have set its sights on the marijuana industry, according to the Cannabis Information Sharing & Analysis Organization (Cannabis ISAO).
On Monday, a second cannabis operator within one week appeared as a ransomware victim on Everest’s dark-web blog.
The second claimed victim is listed as a client of the first victim, a software-as-a-service vendor.
This potential connection highlights third-party vendor risk and the potential for Everest to continue branching out and targeting the industry.
Cyber threat background
Ransomware groups utilize data-leak sites, also known as “name and shame” blogs on the dark web, in an effort to pressure victims into paying ransoms.
It is important to remember that just because an organization appears on one of these sites does not mean their networks were breached.
But multiple organizations within the same industry being referenced in a short period of time suggests there might be a legitimate threat. (MJBizDaily has agreed not to identify the alleged victims.)
The U.S. Department of Health and Human Services (HHS) recently published a Threat Actor Profile about Everest after its increased targeting of health care organizations.
“Everest appears to have morphed into what is known as an ‘initial access broker,’ meaning their role in the underground Russian ransomware economy is to facilitate ransomware attacks by initially gaining unauthorized access to a victim organization,” John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said in August.
“They then sell the unauthorized access to other gangs, who conduct the ransomware attack.”
Understanding cybersecurity threats
The Cannabis ISAO recommends that organizations maintain situational awareness of ongoing cybersecurity threats to better understand where they might be most at risk.
Doing so can help network defenders better prioritize their information-security activities, particularly for implementing software patches.
“We always encourage organizations to understand the threat environment,” said Jennifer Lyn Walker, director of cyber defense at Gate 15, a threat-management company in Virginia.
“As the cyberthreat landscape changes faster than most individual organizations can keep up, collective defense – organizations working together, sharing information within and across industries – is key to defending against today’s cyberthreats.”
Third-party risk management and ransomware defense
Third-party risk is any risk brought on to an organization by external parties in its ecosystem or supply chain.
The marijuana industry experienced this firsthand in 2022, when a cyberattack on Ontario Cannabis Store’s logistics partner impacted product delivery to retailers.
“As a nascent and growing industry, our vendors may be at a different stage in their cybersecurity journey,” advised Chris Clai, director of information security for Chicago-based marijuana multistate operator Green Thumb Industries.
“It’s important that any third-party risk program not only assesses and monitors our vendors for potential risks but also establishes a healthy partnership wherein our IT resources may have to offer expertise to ensure continued iterations and improvements on the overall security resilience of both vendor and customer.”
The Cybersecurity & Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security maintains the Stop Ransomware site, which features best practices for both mitigation and response, including its #StopRansomware Guide.
In the wake of ransomware attacks in 2023 against Caesars Entertainment and MGM Resorts, Lisa Plaggemier, executive director of the Washington, D.C.-based National Cyber Security Alliance, told Casino.org that “the best way to deal with a ransomware attack is to practice having one, to do tabletop exercises.”
“You bring in outside consultants, a third party that runs you through an exercise where you practice having an incident and everybody knows what their role is and how they would respond,” Plaggemier continued.
“That can help you find weaknesses, maybe in the way your backup processes are built or in your response plan.”
Additional ransomware best practices that organizations should be considering include:
- Build good cyber hygiene and best practices into all onboarding and continued employee training.
- Develop and test a cybersecurity incident-response plan.
- If your company is dealing with a response, review this checklist.
Defending against Everest
While the CISA’s site provides a good one-stop shop for general ransomware defense, the previously mentioned Threat Actor Profile from the HHS offers some specific Indicators of Compromise (IOCs) related to Everest.
Cannabis organizations are encouraged to work with internal information security teams or managed security service providers (MSSPs) to scan for the IOCs below, which are featured in the HHS profile:
| Indicator | Type | Description |
| --- | --- | --- |
| netscan.exe | File Name | SoftPerfect Network Scanner |
| netscanpack.exe | File Name | This was unable to be analyzed during the investigation. |
| svcdsl.exe | File Name | SoftPerfect Network Scanner Portable |
| Winrar.exe | File Name | Popular archiving tool, which supports encryption. |
| subnets.txt | File Name | Network Discovery output file |
| trustdumps.txt | File Name | Network Discovery output file |
| I.exe | File Name | Metasploit payload |
| hXXp://3.22.79[.]23:8080/ | URL | Site hosting Cobalt Strike beacon |
| hXXp://3.22.79[.]23:8080/a | URL | Site hosting Cobalt Strike beacon |
| hXXp://3.22.79[.]23:10443/ga.js | URL | Cobalt Strike C2 |
| hXXp://18.193.71[.]144:10443/match | URL | Cobalt Strike C2 |
| hXXp://45.84.0[.]164:10443/o6mj | URL | Meterpreter C2 |
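One way to run that scan, shown as an added example that is not code from this column or from the HHS profile: the Python below refangs the listed URLs, checks proxy log lines for an exact URL or a known host:port, and matches file names by exact base name so that a short indicator such as I.exe does not fire on every name that merely contains it. The sample paths, the sample log lines and the log format are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators as listed in the table above, kept defanged until load time.
FILE_IOCS = ["netscan.exe", "netscanpack.exe", "svcdsl.exe", "Winrar.exe",
             "subnets.txt", "trustdumps.txt", "I.exe"]
URL_IOCS = ["hXXp://3.22.79[.]23:8080/", "hXXp://3.22.79[.]23:8080/a",
            "hXXp://3.22.79[.]23:10443/ga.js",
            "hXXp://18.193.71[.]144:10443/match",
            "hXXp://45.84.0[.]164:10443/o6mj"]

def refang(ioc):
    """Turn a defanged indicator (hXXp, [.]) into a matchable URL."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.I)

def host_port(url):
    """Return 'host:port' so other paths on a listed endpoint are caught."""
    return re.match(r"https?://([^/\s]+)", url, re.I).group(1).lower()

FILE_SET = {name.lower() for name in FILE_IOCS}
URL_SET = {refang(u).lower() for u in URL_IOCS}
ENDPOINTS = {host_port(u) for u in URL_SET}

def scan_paths(paths):
    """Return (path, indicator) where the base name equals an indicator."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()  # handles \ and / separators
        if name in FILE_SET:
            hits.append((p, name))
    return hits

def scan_proxy_lines(lines):
    """Return (line_no, 'exact' | 'endpoint', url) for each matching URL."""
    hits = []
    for no, line in enumerate(lines, 1):
        for url in re.findall(r"https?://\S+", line, re.I):
            if url.lower() in URL_SET:
                hits.append((no, "exact", url))
            elif host_port(url) in ENDPOINTS:
                hits.append((no, "endpoint", url))
    return hits

# Constructed sample inputs (not real telemetry); log format is assumed.
SAMPLE_PATHS = [r"C:\ProgramData\netscan.exe", r"C:\Users\Public\i.exe",
                r"C:\Tools\wiki.exe", r"C:\Temp\my_subnets.txt.bak"]
SAMPLE_PROXY = ["10:00:00 10.0.0.5 GET http://3.22.79.23:10443/ga.js 200",
                "10:00:05 10.0.0.5 GET http://3.22.79.23:8080/other 200",
                "10:00:09 10.0.0.7 GET http://example.com/ga.js 200"]
```

A file-name hit on Winrar.exe or netscan.exe can also be a legitimately installed tool, so treat name matches as leads to triage alongside the network hits.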
Ben Taylor is the executive director of the Virginia-based Cannabis Information Sharing & Analysis Organization, where he focuses on identifying and disseminating critical physical security and cybersecurity threat intelligence to the marijuana industry. He can be reached at ben@cannabisisao.org.