In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories from the past week.
Ransomware Incident in the Cannabis Industry
Among the ways Cannabis ISAO monitors cybersecurity threats and risks to the cannabis industry is through a daily dark web ransomware report. This report lists organizations that ransomware gangs have named as victims, usually because the victims haven’t paid ransoms or negotiations have broken down. Typically, listed organizations have already been contacted by the cybercriminals, and the public naming of the organization is done to add pressure on the victims to pay the demanded ransom.
Earlier this week, Cannabis ISAO discovered that a U.S.-based cannabis cultivator had shown up on the list as a victim of LockBit 2.0. Cannabis ISAO immediately reached out to the victim to ensure they were aware of the likely compromise, and to offer resources to assist in the recovery process. We were able to confirm that the cultivator had obtained the services of a cybersecurity firm to assist in the process.
Beyond using this list to identify potential breaches to individual organizations, it is immensely valuable in identifying potential threats through third-party vendors. We always encourage security professionals to scan the list for any potentially affected vendor and, if one is identified, conduct a risk analysis of what business-sensitive information that organization may hold on your company, and how your company could be compromised because of a third-party data breach. The Data Leak/“Name and Shame” report is available strictly to Cannabis ISAO members, as the information contained within the report is not meant for public release.
Threat actors have been known to target similar industries/organizations once they have had success, so LockBit 2.0 may be a threat actor of interest for the cannabis industry to monitor moving forward.
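One way to automate the vendor scan described above is shown here as an added example; it is not Cannabis ISAO tooling and does not reflect the actual report format. The vendor inventory, victim entries, and the 0.85 similarity threshold are all constructed assumptions. It normalizes company names and domains before comparing, so a leak-site entry listed as a domain or with a misspelling still matches.

```python
import re
from difflib import SequenceMatcher

# Corporate suffixes dropped before comparison ("Acme Labs, LLC" -> "acmelabs").
SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "company", "corporation", "limited"}

# Constructed sample data: vendor inventory mapped to the data each vendor holds.
VENDORS = {
    "GreenLeaf POS, Inc.": "customer PII, sales records",
    "Harvest Payroll LLC": "employee SSNs, bank details",
    "Summit Armored Transport": "cash pickup schedules",
}
# Constructed victim names, as a leak report might list them (domain, typo, etc.).
VICTIMS = ["greenleafpos.com", "Harvest Payrol", "Northwind Logistics Ltd",
           "summit-dental.org"]

def normalize(name):
    """Reduce a company name or domain to a comparable lowercase key."""
    name = re.sub(r"^https?://(www\.)?", "", name.strip().lower())
    name = re.sub(r"\.(com|net|org|io|co)\b.*$", "", name)  # drop TLD and path
    tokens = re.findall(r"[a-z0-9]+", name)
    return "".join(t for t in tokens if t not in SUFFIXES)

def match_vendors(vendors, victims, threshold=0.85):
    """Return (vendor, victim, score, data_held) for likely matches, best first."""
    hits = []
    for vendor, data_held in vendors.items():
        v = normalize(vendor)
        for victim in victims:
            x = normalize(victim)
            if not v or not x:
                continue  # nothing left to compare after normalization
            score = 1.0 if v == x else SequenceMatcher(None, v, x).ratio()
            if score >= threshold:
                hits.append((vendor, victim, round(score, 2), data_held))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for vendor, victim, score, data_held in match_vendors(VENDORS, VICTIMS):
        print(f"REVIEW: {vendor} ~ '{victim}' (score {score}); holds: {data_held}")
```

Each hit is a lead for the risk analysis, not a confirmed breach; fuzzy matches below 1.0 need a human to confirm the vendor's identity.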
Below are a few open source links of possible interest:
- An interview with LockBit: The risk of being hacked ourselves is always present
- Herjavec Group LockBit 2.0 Ransomware Profile
If your organization was recently the victim of a ransomware incident, we want to be sure you have the proper resources to respond. The Cybersecurity & Infrastructure Security Agency (CISA) has published a checklist for responding to a ransomware incident. I’ll include their initial suggested steps below, but the link provides the entire checklist. If you need additional resources, please reach out and we’re happy to point you to a number of useful ransomware references. If you think you need additional professional assistance, let us know and we can put you in touch with ransomware response organizations that can assist. We do not provide those services. From the CISA checklist:
- Determine which systems were impacted, and immediately isolate them.
- If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
- If taking the network temporarily offline is not immediately possible, locate the network (e.g., Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
- After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods like phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access—already a common tactic—or deploy ransomware widely prior to networks being taken offline.
- Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection. * Note: Step 2 will prevent you from maintaining ransomware infection artifacts and potential evidence stored in volatile memory. It should be carried out only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means.
- Triage impacted systems for restoration and recovery.
- Identify and prioritize critical systems for restoration, and confirm the nature of data housed on impacted systems. – Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on.
- Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.
You may have also seen recent headlines where the FBI has been successful in retrieving paid ransoms, and we do recommend contacting your nearest FBI field office to report the incident.
A cashier’s calm and collected demeanor likely prevented shots from being fired during an armed robbery of Shelton Cannabis on Monday night. Security video shows the suspect throwing a satchel bag to the clerk as soon as he walks in the doors; the clerk calmly puts the money in the bag and throws it back to the culprit, who is wielding a long-barreled gun. The man then leaves the store.
While armed, day-time robberies of cannabis facilities are not as prevalent as after-hours heists, they do still occur. Employee training, particularly for budtenders and other frontline retail workers, should include best practices on what to do during a robbery. Ready Training Online promotes the “6 Cs of Robbery Protocol” as follows:
- Calm. If someone approaches you with the intention of robbing the store, stay calm. If you panic, the robber’s adrenaline will rise even higher and could lead to tragedy.
- Communicate. Listen to what the robber is asking you to do.
- Cooperate. No one expects you to be a hero. Your safety and the safety of customers in the store is the number one priority.
- Close and call. As soon as the robbers leave the building, lock the door and call 911. Once emergency personnel arrive, alert a manager if one is not already present.
- Control. Once you’re safe and the threat of robbery is over, take control of your emotions and your surroundings. Do not conduct any business, and do not touch anything. If other customers are in the store, ask for their patience while you wait for the police to arrive. Do not give out any information except to police and company management.
- Confide. Being the victim of a robbery is a traumatic experience that can be difficult to process. Talk about your feelings. If you need help, talk to your manager or HR department.
Deputies said thieves cut through the roof of the building of Aim High Meds in Tekonsha, Michigan and stole an estimated $100,000 in merchandise. The Calhoun County Sheriff Department said security cameras show two or three people arrived at the building near the intersection of M-60 and Old-27 South about 4:13 a.m. Monday. They used a battery-operated circular saw, which was found outside the building, to cut a hole two feet in diameter in the roof. They entered an attic and then the storage room, where the merchandise was taken. Cameras show two people entering the room and using black plastic bags to collect cannabis and other merchandise.
The manager of the store discovered the burglary about 8:45 a.m. when reporting for work and called deputies. Doors and windows to the building were secure. Video shows two outside cameras were covered and some exterior lights were pulled down, causing an electrical short circuit. This story serves as a reminder that criminal actors will go above and beyond to acquire items they find value in, and as dispensaries increase physical security measures, thieves will scheme new methods for overcoming such barriers. Security plans should be constantly evolving, and proper resources put in place to handle an evolving threat.
The legal battle over the Biden administration’s coronavirus vaccination or testing requirements for private businesses is falling along the country’s sharp political fault lines, with Republican-led states, conservative legal groups and sympathetic employers lining up most forcefully to try to block the rules. Opponents celebrated a court ruling on Saturday that would temporarily halt the policy. But that was just the opening round in high-stakes litigation that could shift to a different set of judges as early as next week under a little-known judicial lottery system — and end up before the Supreme Court, perhaps before the policy is scheduled to take effect on Jan. 4.
Mask mandates continue to be a hotly debated topic around the globe, and anti-vaccine and anti-mandate protests have previously led to violent encounters between protest groups, and between protesters and governmental/public health authorities. It is worth noting that if the private employer mandate stands, there is potential for workplace violence as individuals feel they are getting backed into a corner and may reach a tipping point from a mental health standpoint.
Cannabis ISAO recommends for those organizations that may be impacted by this or other mandates to ensure you have clear corporate messaging, and that employees understand their options and what support systems are available to them. Ensuring communications channels are open with employees who may be facing difficult decisions is one way to prevent a potential workplace violence situation. The Cybersecurity & Infrastructure Security Agency (CISA) has more workplace violence resources which can be found here.
Be sure to check back every Tuesday as we publish our Library Card Series where we highlight one of the resources available in our library!
Check out the latest blog highlighting issues important to cannabis security!