The tree fruit industry is not immune to ransomware attacks like those that shut down Colonial Pipeline and JBS Foods in May, but there are things companies can do to ward off such attacks. (Illustration by TJ Mullinax/Good Fruit Grower)

The tree fruit industry is not immune.

In the past year alone, ransomware attacks along the lines of those that shut down Colonial Pipeline and JBS Foods in May targeted dozens of food companies.

Though it’s an uncomfortable topic, some of the industry’s information technology experts would like to talk about it more. That’s the best way to fight back, they said.

“Suddenly you start plugging these holes you didn’t know you had,” said an IT director of a vertically integrated Washington fruit company that asked for anonymity because it’s been a victim. Good Fruit Grower granted anonymity to avoid attracting more attempts.

About four years ago at that company, a normally tech-savvy and alert employee opened a bad email, clicked on a nefarious link and servers began shutting down. The malware did not spread far, the problem was fixed without a ransom payment, and backups restored most of the encrypted data within a day.

The IT director has been sharing this story with other IT technicians and directors around Washington’s fruit industry who have created an informal group to share ideas.

“We can all benefit from each other’s knowledge and experiences,” he said.

Any business that relies on continued production and movement of goods is vulnerable. The food industry, with perishable inventory, fits that category.

In November last year, a compromised user account at Tree Top was used to encrypt servers with ransomware, said Allison Arnett, a company spokeswoman. The company did not pay the ransom.

Tree Top hired a forensic investigator to track the fallout. The hack did not affect any food processing operations at any plant locations, but it shut down administrative services, such as sending invoices, for roughly a week.

Coincidentally, the hack occurred as the company was about 90 percent finished with a major systems upgrade that included new security features. The upgrade beefed up the backup redundancy.

“The biggest thing we learned is you have to have multiple methods of data backup,” Arnett said. The goal is to be up and running within 48 hours instead of a week if it happens again.

Ransomware isn’t new, but concern reached a crescendo in May when hackers shut down Colonial Pipeline, the nation’s largest fuel pipeline, and successfully extorted $4.4 million. Also in May, hackers hit JBS, a Brazilian food conglomerate and the world’s largest meat supplier. JBS reported paying $11 million to the hackers, according to reports.

In the past year, at least 40 food companies have been targeted by ransomware, according to a cybersecurity firm interviewed by the Associated Press. In October last year, a representative of a Russian hacker group said in an online interview that the syndicate would start targeting agriculture, also according to the Associated Press.

Hackers are becoming more sophisticated and seeking higher ransoms, the Cybersecurity and Infrastructure Security Agency, a federal agency under the Department of Homeland Security, reported in its 2020 ransomware guide.

Protection measures and training

The good news is that fruit production companies can do things to protect themselves.

A lot of the technical security measures — air-gapping backup servers, using multifactor verification and installing Domain Name System filters — fall within the expertise of IT directors. (Don’t know what some of those words mean? Read “Prepareware,” below.)

But everybody at a company can and should help through awareness, said several experts.

“Nothing is a substitute for an astute and aware user,” said Dan Maycock, principal for Loftus Labs, an agricultural data consulting subsidiary of Loftus Ranches in Yakima, Washington.

Training must be ongoing, Maycock said. He routinely brings up security threats and phishy emails in company meetings and in internal company message boards. In his experience, employees sometimes let their guard down with passwords and email sources when they know their companies have robust digital security. 

At Price Cold Storage and Fruit in Yakima earlier this year, an alert supervisor caught a well-disguised hack attempt, said IT manager Jeremy Hines.

Any employee would have been tempted to put the mysterious invoice for the meager $21.68 on the company credit card. Instead, the supervisor did not recognize the vendor and notified Hines, who researched the invoice with accounts payable. It didn’t reconcile, so the company discarded it. 

Had the supervisor fallen for it, the culprits would have made it onto an approved vendor list, established some trust and likely tried to bait another employee into installing malware, perhaps ransomware.

“Ransomware is a long con,” Hines said.

Loftus, Price, Tree Top and other companies train their workers in cybersecurity to be that alert.

Such training works, according to a metric designed by one company. Cybersecurity firm KnowBe4 calls it the “Phish-prone” percentage — the share of employees likely to fall for disguised malware, usually sent by email. The company measures this by testing its clients with simulated phishing attempts that report to administrators exactly who in the company clicked on a harmless link that in real life might not be quite so harmless.

Average Phish-prone percentages dropped from 40 percent to 14 percent after 90 days of computer-based training and simulated tests, the company wrote in a 2020 report that analyzed results from 9.5 million tests over 17,000 of its clients. That dropped to 4.7 percent over one year of continued training.

Price Cold Storage has run such tests on upper-level executives as well as office staff, Hines said. “That has been a big deal for us, especially for people who have lots of access,” he said.

The anonymous company attacked four years ago took the penetration test even further. It hired a security consultant to test the locks. Wearing a suit, carrying a briefcase and dropping names of company officials, the imposter charmed his way into the warehouse and employee offices with unlocked computers. He even convinced one night shift supervisor to step back from her desk so he could “perform some maintenance,” the IT director said.

Hackers prey on honest people’s trust and good nature, said Lance Fuhrman, a cybersecurity threat intelligence analyst for the Washington State Fusion Center, a security information-sharing network started after the terrorist attacks of Sept. 11, 2001.

“People are preying on human behavior, because you want to be helpful and nice,” said Fuhrman.

Fuhrman sends weekly emails to IT directors to warn them about trends and emerging threats. He also has advised tree fruit companies after hacks.

He said another common hack attempt is to drop USB keys around a building, hoping employees — trying to be helpful — plug them into their computers to find out who they belong to. Enter malware.

“You have to be right all the time,” Fuhrman said. “The bad guys only have to be right once.” 

by Ross Courtney


Prepareware

Training and awareness are the most important elements of cybersecurity, but it requires tech solutions, too. Tree fruit IT directors and cybersecurity experts recommend the following:

—Use multifactor authentication, which stops about 95 percent of email phishing attempts, said Lance Fuhrman, a threat intelligence analyst for the Washington State Fusion Center.

—Verify any Automated Clearing House, or ACH, change using contract information on record, Fuhrman said. Don’t just trust an email or digital form. Automatic deposits for paychecks or contracts are examples of ACH.

—Patch vulnerabilities right away. That’s what a lot of software updates are for. The bad guys see the updates, too, and reverse-engineer to find corresponding holes. “Because they know that people aren’t going to patch in a timely manner,” Fuhrman said.

—Back up often and double-check the backups. Sometimes they don’t work all the way because some new user logged on or someone changed software.

—Air-gap your backup, whether it’s in the cloud or on a piece of hardware. That is, make sure it disconnects from the computer system after the backup is done.

—Make sure employee identification, such as Social Security numbers, is not on labor apps.

—Ask employees to change their passwords periodically or use password management software.

—Use Domain Name System filtering.

—Employ intrusion prevention systems that use artificial intelligence to recognize attack attempts.

—Make sure all computers and servers have antivirus software and firewalls.

—Try a snapshot backup. A snapshot is a point-in-time image of data that backup software can use to restore a system, said Jeremy Hines, IT director for Price Cold Storage and Fruit. New data is written to different parts of the disk. 

—Hire a third-party audit by an IT security firm, said Dan Maycock, principal of Loftus Labs, an agricultural data analytics company.

—Find an executive or board member with some influence over the budget to take up the cause. Some measures are expensive, Hines said.

—For a host of ransomware tips from the federal Cybersecurity and Infrastructure Security Agency: cisa.gov/ransomware.

—R. Courtney