Why it keeps happening — & how to ensure resilience

The construction industry is squarely in the crosshairs of ransomware operators. What makes it so attractive? Not just the industry's digital transformation, but the mechanics of project delivery: tight timelines, lean construction methods, contractual obligations and just-in-time delivery of critical materials mean that any disruption cascades into schedule slips and cost overruns, which is exactly the pressure an extortionist wants. The data itself is also valuable. Bid documents, building information modeling (BIM) files and subcontractor agreements are a gold mine for criminals; their theft or exposure can mean competitive undercutting, loss of intellectual property or damage to the brand.


Current Security & Recovery Strategies Fall Short

Many construction enterprises have fortified their digital environments, but relying solely on traditional security measures still leaves them exposed. The commonly recommended measures include:

  • Implement strong security controls: not just endpoint protection but also network monitoring, intrusion detection, data loss prevention (DLP), threat intelligence on active ransomware campaigns, and well-maintained firewall rules.
  • Employee training: continually educating staff about phishing emails, about strong, unique passwords, and about how to recognize and report suspicious activity drastically reduces the chance of an inadvertent breach.
  • Network segmentation: keeping critical data and operational systems on separate, access-controlled network segments limits how far an intrusion can spread and what it can affect.
  • Update and patch: regularly updating software and systems closes known vulnerabilities and reduces the entry points available to ransomware.
  • Regular backups: backups remain essential, but they must be kept in a secure, off-site location isolated from the production network, and restoring from them must be rehearsed as part of the disaster recovery plan.


Ransomware Continues to Take Down Business: Event Breakdown 

Imagine a construction company with 14 dispersed sites and 300 employees running computer-aided design (CAD) and industrial systems. They believed they were protected: money had been spent on backup and snapshot tools. But a malicious link in an email gave attackers a foothold that went undetected for two months. During that time the threat actors mapped the environment and identified the systems vital to operations. When they struck, 3 terabytes (TB) of data were encrypted. Restoring it from backups was projected to take 12 days, far longer than anyone expected, because a full restore had never been rehearsed. Twelve days of downtime was not an option, so the company paid the ransom.


What Went Wrong?

  • Human error and slow detection: an employee opened a malicious link, and the resulting foothold went unnoticed for two months, giving the threat actors ample time to map the environment.
  • Underestimated recovery time: because the organization had never run a recovery drill, the 12-day restore estimate blindsided them.
  • Critical systems targeted: the attackers understood which systems and data the business could not operate without, and hit where it hurt most.
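The two failures above that a drill would have caught, an untested backup and an unknown restore time, can be checked in advance. The script below is an added example written for this article, not code from the article or from any product it mentions. It verifies a restored copy against a checksum manifest and plans a tiered restore so that the systems the business cannot run without come back first. The 3 TB and 12 day figures are the article's; the asset inventory, the throughput model derived from those figures, the 36 hour recovery time objective and the sample files are assumptions constructed for the example.

```python
"""Recovery drill helper: an added illustration, not code from the article
or from any product it mentions.

A restore drill should answer two questions before an incident:
  1. Do the backups restore intact?               -> verify_restore()
  2. When are the critical systems back, and does
     that meet the recovery objective (RTO)?      -> plan_restore()
The 3 TB / 12 day figures are the article's; the asset split, the
throughput model and the 36 h RTO are assumptions made for this example.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

TB, GB, DAY = 10**12, 10**9, 86_400

# End-to-end throughput implied by the article's scenario: 3 TB in 12 days.
ASSUMED_THROUGHPUT_BPS = 3 * TB / (12 * DAY)   # roughly 2.9 MB/s
ASSUMED_RTO_SECONDS = 36 * 3600                # assumed business requirement


@dataclass(frozen=True)
class Asset:
    name: str
    size_bytes: int
    tier: int  # 0 = must be back first (CAD, ERP), 1 = next, 2 = archive


# Constructed inventory that sums to the article's 3 TB.
ASSETS = [
    Asset("cad-fileserver", 200 * GB, tier=0),
    Asset("erp-database", 50 * GB, tier=0),
    Asset("project-docs", 750 * GB, tier=1),
    Asset("archive-2019-2022", 2000 * GB, tier=2),
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Hash every file under root. Keep the manifest with the off-site copy,
    not on the production network the ransomware will encrypt."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def verify_restore(restored_root: str, manifest: dict) -> list:
    """Relative paths that are missing from the restore or hash differently."""
    bad = []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path) or sha256_file(path) != expected:
            bad.append(rel)
    return sorted(bad)


def plan_restore(assets, throughput_bps, rto_seconds):
    """Restore by tier (largest first within a tier) and compute when each
    asset is usable. Returns (rows, total_seconds); a row is
    (name, finish_seconds, meets_rto)."""
    ordered = sorted(assets, key=lambda a: (a.tier, -a.size_bytes))
    rows, elapsed = [], 0.0
    for a in ordered:
        elapsed += a.size_bytes / throughput_bps
        rows.append((a.name, elapsed, elapsed <= rto_seconds))
    return rows, elapsed


def drill_demo():
    """Exercise both checks on constructed data; returns (bad_files, rows, total_seconds)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for i in range(3):  # constructed "backup" files
            with open(os.path.join(src, f"drawing{i}.dwg"), "wb") as f:
                f.write(b"AC1032 constructed drawing %d\n" % i * 500)
        manifest = build_manifest(src)
        for rel in manifest:  # simulate the restore
            shutil.copy2(os.path.join(src, rel), os.path.join(dst, rel))
        with open(os.path.join(dst, "drawing1.dwg"), "ab") as f:
            f.write(b"\x00")  # a silently corrupted restore
        bad = verify_restore(dst, manifest)
    rows, total = plan_restore(ASSETS, ASSUMED_THROUGHPUT_BPS, ASSUMED_RTO_SECONDS)
    return bad, rows, total


if __name__ == "__main__":
    bad, rows, total = drill_demo()
    print("corrupted:", bad)
    for name, t, ok in rows:
        print(f"{name:20s} back after {t / DAY:5.2f} days  RTO {'met' if ok else 'MISSED'}")
    print(f"full restore: {total / DAY:.1f} days")
```

With the assumed inventory the full restore still takes the article's 12 days, but the tier-0 CAD and ERP systems are back within a day, inside the 36 hour objective; the 750 GB of project documents land at four days and miss it. That is the number a drill surfaces and a board can act on (more restore bandwidth, a smaller tier 0, or a warm standby) before an attacker sets the deadline.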


Decryption: A Novel Method of Recovery

In theory, decryption is the ideal path to recovery: fast, simple and direct. Ransomware is, at its core, an encryption problem. Attackers lock away valuable files and demand a ransom for their release. Paying may look tempting, and almost 75% of victims do, but it should be the last resort. Lawful decryption, carried out on the victim organization's own terms, is a promising alternative. Some organizations have recovered this way with help from law enforcement and nonprofit entities that publish decryptors for ransomware families whose cryptography has been broken or whose keys have been seized. The approach is not foolproof, since it depends on a decryptor existing for the specific variant involved, but it is gaining traction.

More recently, some vendors have reframed ransomware as an encryption problem rather than purely a security one, and have begun equipping organizations to intercept the file encryption keys while an attack is in progress. With those keys in hand, the victim can decrypt its own files and recover quickly without paying. Note what this does and does not cover: captured keys restore the encrypted data, but they do nothing about copies the attackers exfiltrated beforehand, so the data-theft risk described above still needs its own controls.
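The reason a captured key is so decisive comes from how modern ransomware is built: a fresh symmetric key per file, the file encrypted with it, and that key then wrapped with the attacker's public key so only the attacker can unwrap it. The toy model below, an added example written for this article and not code from the article or from any product it mentions, keeps that structure with standard-library primitives only (HMAC-SHA256 in counter mode as the stream cipher, and a keyed XOR wrap as a stand-in for the RSA wrap real families use). The "interception" is modeled as a hook on the key source, and captured keys are matched to files by trial decryption against known file headers; both are assumptions made for the illustration, and how any real product captures keys on a host is not described here. The victim files and headers are constructed.

```python
"""Why a captured file key defeats ransomware: an added toy model, not code
from the article or from any product it mentions.

Structure mirrored from real families: fresh key per file, file encrypted,
key wrapped for the attacker. Primitives are stdlib stand-ins, and the key
hook and header-based matching are assumptions for the illustration.
"""
import hashlib
import hmac
import secrets

KNOWN_MAGIC = (b"AC10", b"%PDF-", b"PK\x03\x04")  # DWG, PDF, Office (zip) headers
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher (toy, stdlib only)."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_blob(data: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor(data, keystream(key, nonce, len(data)))


def decrypt_blob(blob: bytes, key: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(body, keystream(key, nonce, len(body)))


def wrap_key(file_key: bytes, attacker_secret: bytes) -> bytes:
    """Stand-in for the public-key wrap real ransomware uses: without
    attacker_secret the wrapped key is useless to the victim."""
    return xor(file_key, keystream(attacker_secret, b"wrap", len(file_key)))


unwrap_key = wrap_key  # the XOR wrap is its own inverse


def ransomware_run(files: dict, attacker_secret: bytes, keygen) -> dict:
    """Model of the encryptor: path -> (encrypted blob, wrapped per-file key)."""
    locked = {}
    for path, data in files.items():
        k = keygen()  # the moment a defender-side hook can observe the key
        locked[path] = (encrypt_blob(data, k), wrap_key(k, attacker_secret))
    return locked


class KeyCapture:
    """Defender-side hook on the key source. Illustrates the principle only;
    how a product hooks key generation on a real host is not modeled."""

    def __init__(self, inner):
        self.inner, self.captured = inner, []

    def __call__(self) -> bytes:
        k = self.inner()
        self.captured.append(k)
        return k


def recover(locked: dict, candidate_keys: list) -> dict:
    """Match candidate keys to files by trial decryption against known headers
    (an assumption for the example; real tooling may keep better metadata)."""
    recovered = {}
    for path, (blob, _wrapped) in locked.items():
        for k in candidate_keys:
            plaintext = decrypt_blob(blob, k)
            if plaintext.startswith(KNOWN_MAGIC):
                recovered[path] = plaintext
                break
    return recovered


def demo():
    """Returns (originals, recovered_without_capture, recovered_with_capture, attacker_view)."""
    files = {  # constructed victim files with realistic headers
        "site3/plan.dwg": b"AC1032" + b"\x00" * 40 + b"floor plan",
        "bids/tender.pdf": b"%PDF-1.7\n" + b"bid schedule " * 4,
        "hr/roster.xlsx": b"PK\x03\x04" + b"crew roster " * 3,
    }
    attacker_secret = secrets.token_bytes(32)  # never leaves the attacker
    hook = KeyCapture(lambda: secrets.token_bytes(32))
    locked = ransomware_run(files, attacker_secret, hook)

    # Only the wrapped keys on disk: nothing decrypts, this is the ransom position.
    without_capture = recover(locked, [w for _, w in locked.values()])
    # Keys observed at generation time: everything decrypts, no attacker needed.
    with_capture = recover(locked, hook.captured)
    # Sanity check that the model is consistent: the attacker can always unwrap.
    attacker_view = {p: decrypt_blob(b, unwrap_key(w, attacker_secret))
                     for p, (b, w) in locked.items()}
    return files, without_capture, with_capture, attacker_view


if __name__ == "__main__":
    files, no_cap, cap, _ = demo()
    print(f"without captured keys: {len(no_cap)}/{len(files)} files recovered")
    print(f"with captured keys:    {len(cap)}/{len(files)} files recovered")
```

The model makes the asymmetry explicit: the wrapped keys the ransomware leaves behind are worthless to the victim, while the same keys seen a moment earlier, before wrapping, recover every file. It also shows the limit of the approach: the hook has to be in place on the host before the encryptor runs, and nothing here helps with data that was copied out first.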

This key-interception approach was recently evaluated by MISI at Dreamport Labs, initially founded by U.S. Cyber Command to evaluate new technologies for protecting federal departments and critical infrastructure. Their research tested the method against 17 live ransomware samples. The findings were highly encouraging:

  • The approach passed all 17 tests in the test plan with zero reported failures.
  • The technique demonstrated a 100% key capture rate against the tested samples, which included prominent ransomware families.
  • Files were successfully decrypted with the captured keys, validating the product's full capability and value life cycle.
  • The system was found to be simple, secure and user-friendly. The Azure cloud backend was trivial to deploy; the endpoint agent introduced no observed system instability, opened no network ports and introduced no vulnerabilities.

MISI commented on these results, expressing excitement and belief in the method's promise. They emphasized that decryption is arguably one of the fastest and lowest-data-loss ways to recover from a ransomware attack. Given the test results and the ease of use of the solution, they see it as a safety net organizations should seriously consider.

Traditional methods alone are not enough. As threats keep evolving and growing more sophisticated, it is high time organizations branched out from the traditional playbook. Exploring innovative options like decryption, alongside tested backups and segmentation rather than instead of them, builds resilience against ever-mounting cyberthreats. In cybersecurity, adaptation and evolution are the keys to survival.