Expeditors Ransomware Attack: What Happens Next?

Today we are looking at a cyber-attack against Expeditors, a major shipping company and one of the largest in the world. The company is under a purported ransomware attack, a devastating and very large-scale one, and we're going to get into it right now.

Expeditors is a major global shipping company that had to shut down its global operations because of a ransomware attack. It has been reported that a whole army of recovery companies has descended on Expeditors as it battles to recover from a targeted cyber-attack that took place over the weekend, on Sunday. Expeditors promised to keep the market updated on what's going on, because the company is a key link in the supply chain, including getting products onto shelves.

Reports say that its employees are using backup procedures and alternative solutions to support customers and keep things going, and that cybersecurity and technology experts and partners are focused on remediation efforts across its systems. The company says that it appreciates everyone's support and collaboration, and that additional updates will follow as the situation evolves. The company discovered the incident, which shut down most of its global IT systems, and added that this significant event "could have a material adverse impact on our business, revenues, results of operation, and reputation." That is true of any cyber-attack against any business.

It will impact your business. It will impact your revenues, because you have to pay for the recovery, and it's not just the ransomware. You're buying new computers. You're saving information and storing it somewhere else. This all costs money and requires people to come in with the expertise to know how to do this work.

Expeditors did not confirm what type of attack it had suffered. An anonymous tip to Bleeping Computer suggested it was a massive ransomware incident. One senior executive, whose company suffered a major cyber-attack in the past, told The Loadstar, a shipping publication, "It took us about a week to get over the shock." Note that this was not the time to get back up, just the time to get over the shock. "It was hard to know who was where, and we needed boots on the ground. After the initial shock and trying to connect with employees and customers globally, the next surprise was the arrival of an industry specialist. Authorities, insurance companies, and consultants get involved very early, and it's an interesting process. There's a whole industry that does this as a specialty. The field of cyber-attack recovery is amazing. The restoration takes weeks, if not months. There are no shortcuts, no easy fixes. Things come up at a different pace."

There have been warnings that having cyber insurance can muddy the waters on what you think your recovery effort will look like if you've never really done a fire drill or understood what is involved after you get hit with a cyber-attack. The global element of logistics makes it even harder. You need to know what might have been lost and what the different rules are in different countries. All of that is done through computer systems these days, so when they are down things have to be done manually, and people have forgotten how to do them on paper because the computers do so much of this work.

"You're prepared for business continuity with things like typhoons or earthquakes. You have a way of coping and coordinating across the globe. A cyber-attack, affecting only your own platform is a different beast," he said, "and communication is critical, yet difficult to achieve. We are now more aware of how to deal with the challenges. We have created a series of deployments internally and a cybersecurity department. When you are rebuilding, you need a protective environment that is more secure than ring-fencing 30-year-old processes. Everything we purchase is now under the scrutiny of security. It was pretty interesting, but we don't want it to happen again."

The article then noted that "It is unclear how far along the process Expeditors is. While it has issued updates to the market, some customers remain concerned. The company said, 'Since it's extremely early in the process, we cannot provide any specific projections on when we might be operational, but we will provide regular updates when we are able to do so confidently.'" This is a learning point: companies shouldn't be coming out this quickly and stating things, especially three days after an attack. There's just not enough time to know what really happened, the full extent of the damage, and how long recovery is going to take.

Realistically, look at Kronos, which was attacked in December: it is still not back up, and we're heading into March at this point. They are recovering, but it's a much slower process than a lot of people think. The article said that "The company's incurring expenses relating to the cyber-attack to investigate and remediate this matter, and expect to continue to incur expenses of this nature in the future. Luckily it had $1.7 billion in cash and equivalents on December 31st," so I guess they have some cash to help pay for this. The article continued, "Noting that there's a severe imbalance between capacity and demand, like other forwarders, it has opted for air charters and said it was working with carriers across sectors to secure capacity. Despite the lack of space, we experience record high air tonnage," which has to do with the state of the company's own business.

That means they were already dealing with a demand problem, and the attack is a bigger problem on top of it, because now they have had to shut down, so we don't know how this is going to affect their business. At the end of the article, the CEO talks about the demand problem that they were already under before this cyber-attack.

Think about that in your business. If you are stretched thin right now, maybe you've been affected by the Great Resignation, maybe you're short-staffed, maybe you're having trouble finding staff. Those types of things are what we look at as risk in your business. Then you pile a cyber-attack on top, and you could have a really big problem where your business can't recover, either financially or from the reputational damage. These are all the things that you need to look at.

Unfortunately, it looks like Expeditors just learned a big lesson: you need to spend more money on your IT and cybersecurity. There has been a lot of discussion about how much people are investing and spending on their cybersecurity, and it's nowhere near the recommended 3% to 6% of top-line revenue that businesses need to spend.

You're probably sitting here doing the math and saying, "That sounds like a lot of money." It only is a lot of money because you've been used to getting away with spending a lot less than you should have on IT and cybersecurity. Cyber experts know where these numbers fall and what that cost looks like for the companies that are doing it right.

Unfortunately, you have to change this mindset about what this stuff actually costs and what you need to dedicate to it in your business in order to remain secure. Xact IT Solutions runs network assessments all the time for companies, and the discussion turns to where they're going to get hacked and how they're going to get hacked. Most of the time, when we discuss with them on the back end what's wrong and what it's going to cost to fix, 9.5 times out of 10, people tell us that they don't have the budget for that, or they don't have the budget to do everything. When you look at all the numbers and work them out against revenue, those people are really spending 1% or less of their revenue on IT and cybersecurity.

Most businesses need to go through a shift in their thinking, or they're going to have to change the way that they do things over the next 12 to 24 months and start shifting some money from other areas of their business, raise their prices, or renegotiate contracts, so they can pay for the security that they need in their business. This isn't only going to be because of what happens if you get attacked. You're going to have industry pressures forcing you to do this, whether you want cyber insurance or want to do business with bigger companies that take cybersecurity seriously and want to audit your cybersecurity.

This is coming from all different directions. It doesn't matter if you get attacked or not. There are people in this world who have a vested interest in your business maintaining operations, and those people are going to want to make sure that you're doing things around cybersecurity.

Cybersecurity is the number one problem that all businesses will have to deal with over the next 10 years. It's not things like pandemics. It's not things like people resigning from their jobs. It's going to be something that everyone will need to have in order to stay secure.