Trucking and logistics companies like Forward Air Corp. (NASDAQ:FWRD) usually face an unenviable dilemma when hit by a successful ransomware attack.
They or their insurers can pay the perpetrators sums ranging from thousands to millions of dollars to regain access to their encrypted data and systems, along with an unenforceable promise never to post stolen data. Or companies can refuse — an option advocated by U.S. government agencies and many cybersecurity experts — and potentially face costly downtime and, increasingly, the public posting of their data.
Tennessee-based Forward Air hasn’t disclosed anything about a potential ransom demand, let alone any decision on whether to pay. But in a recent Securities and Exchange Commission filing, the company did warn that the attack could lead to a loss in revenue.
TFI International (NYSE:TFII), one of the largest trucking and logistics providers in North America, apparently refused to pay after a ransomware gang called DoppelPaymer targeted its parcel carriers in Canada, including Canpar Express, in April. Montreal-based TFI has disclosed little about the attack, but according to its third-quarter financial results, the breach cost its parcel and courier business segment CA$8 million ($6 million) in revenue and CA$3 million in operating income. Some of that cost included extra labor to manually sort packages and envelopes.
All told, if TFI’s parcel carriers had been a stand-alone company, the toll would have amounted to about 10% of the revenue and 5% of its profits for the quarter. “Jesus,” one transportation executive remarked to FreightWaves.
But according to Brett Callow, a threat analyst with cybersecurity firm Emsisoft, TFI did the right thing by its apparent decision not to pay the attackers.
“As long as companies keep paying, there will be ransomware attacks,” Callow told FreightWaves.
Data leaks raise stakes for attack victims
Callow tracks groups like DoppelPaymer, which operate a sophisticated business of extorting victims by not only denying them access to their computer systems, but also threatening to post stolen data if they refuse to pay. Anecdotally, attacks on trucking and logistics providers have surged since late summer.
The ransomware gang that targeted Forward Air — Hades — has been linked to just a handful of attacks. In an exchange with FreightWaves on a secure messaging platform, the group indicated that it does steal and post data of victims who don’t pay. Hades, however, would not comment about Forward Air.
On the dark web — a part of the internet inaccessible through normal web browsers — vast troves of data from the inner workings of global supply chains sit free for the taking, posted publicly by ransomware gangs. They include detailed financial records for millions of dollars in accounts receivable, contracts between shippers and logistics providers, scans of port ID pages, long email threads about shipments, and even hotel receipts from truck drivers. All stolen from companies around the world.
Their victims include large companies like TFI, Cardinal Logistics and Daseke, the U.S. flatbed trucking giant, but also a long list of tiny firms. One victim, Indian River Transport, a British Columbia-based drayage carrier serving the Port of Vancouver, doesn’t have a website or, for that matter, an internet presence.
According to the carrier, the September attack temporarily took one of its four computers out of service for several days. The ransomware gang also apparently believed they had hit another, larger trucking company that shares the same name.
“They should target an industry that is actually making money,” joked President Suzanne Wentt, remarking that she’s more worried about unfair competition from unlicensed drayage operators at Vancouver.
‘Not paying is good in theory,’ trucking executive says
What the leak sites don’t show are the companies that quietly paid either with their own funds or through specialized insurance policies for cyberattacks. For some companies, it’s a simple business decision of picking the option that’s less costly.
“The idea of not paying is good in theory. But if you’re doing hundreds of thousands of dollars in revenue per day and you can’t get it fixed, it may be cheaper to pay them,” a trucking executive told FreightWaves on condition of anonymity.
A crop of cybersecurity and insurance firms has emerged, aimed at protecting companies from the proliferation of ransomware attacks. Their work typically includes classic cybersecurity prevention, but also incident response and, in some cases, negotiating with the attackers.
David Jarmon, a vice president at cybersecurity firm Gray Analytics and former Department of Defense official, said he takes a nuanced view on whether companies should pay attackers.
“You hear that most security practitioners will tell you, ‘Don’t pay the ransom,’” Jarmon said. “I don’t necessarily subscribe to that. It’s a business decision based on revenue. But paying the ransom should be absolutely the last resort.”
Should companies consider the greater good when weighing ransomware payments?
The payments themselves also can get into a legal gray area. The U.S. Department of the Treasury’s Office of Foreign Assets Control recently warned that payments to cybercriminals could run afoul of U.S. laws if the recipients are subject to sanctions. The office said that companies that facilitate those payments could face fines, noting that they encourage the proliferation of ransomware attacks.
Callow, for his part, argues that companies should think about ransomware attacks in less individual terms.
“This is like climate change,” Callow said. “It’s a collective action. Solving it requires doing the right thing, or being made to do the right thing.”
Editor’s note: This is an updated version of an article originally published on Nov. 12.