Cannabis companies considered ripe targets for ransomware attacks

Image depicting a ransomware hacker

Even as ransomware attacks on high-profile mainstream companies such as Colonial Pipeline and JBS Foods have grabbed headlines in recent months, cannabis companies appear largely unprotected from malicious actors launching such schemes.

That could prove costly to any marijuana companies that fall victim to the crime, which forces targeted businesses to pay a ransom to regain access to data and files that have been stolen and then locked or encrypted.

With the onset of the coronavirus pandemic and the resulting remote workforce, ransom attacks last year were up 150% over 2019 and the amount victims of the attacks paid rose more than 300%, according to the Harvard Business Review.

Efforts to detect and report ransomware payments are critical to preventing and deterring ransomware attacks and holding the attackers accountable for their crimes, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

“As the past few months have demonstrated, the surge in ransomware attacks threatens our critical infrastructure, municipalities and the most vulnerable among us and is increasingly impacting the lives of the American people,” Michael Mosier, FinCEN’s acting director, said in a July news release.

 But most cannabis companies haven’t taken steps to defend themselves against ransomware attacks, according to an informal MJBizDaily survey conducted in July.

Of the 41 people responding to the poll, 59% said their marijuana companies had not taken steps to prevent attacks, while 41% said the businesses had.

Ransomware is a nefarious hack that takes control of a company’s files and data and locks them.

The attackers gain access through a phishing email that deploys malware when an unsuspecting employee clicks on a link. Attackers typically want to be paid in cryptocurrency to allow the targeted company to retrieve the stolen data and files.

Cannabis companies are vulnerable for different reasons:

  • The perception exists that marijuana businesses are flush with money and can easily afford to pay to retrieve their data.
  • They typically don’t have strong information technology departments.

“You have to think about how cryptolockers and ransomware works to understand how vulnerable you are,” said Ryan Ninness, vice president of technology at Urban-Gro, a cannabis cultivation facility design and engineering firm based in Lafayette, Colorado.

Ransomware safeguards

There are a number of steps cannabis businesses can take to protect themselves from attacks:

  • Store everything on the cloud.
  • Train all users on cybersecurity measures.
  • Use two-factor authentication.
  • Limit the number of individuals who have administrative access allowing them to alter computer hardware and operating system settings.
  • Back up all data offline.

Ninness said he’s not aware of any marijuana companies that have been hacked, and that troubles him.

“I’m worried that the industry looks at the fact that they haven’t been hit yet and take that as a token that they have time to wait,” he said. “They really don’t.

“As soon as (cyberattackers) detect that you’re a vulnerable target, you’ll get hit. It’s only going to take one to make the industry a target and vulnerable.”

Educating employees is the No. 1 measure cannabis businesses can take to ensure their systems are secure, said a representative from a Colorado-based edibles manufacturer who asked not to be identified for fear of the company becoming a target.

“The most common way to gain access is through employees,” he said.

The edibles manufacturer has engaged KnowBe4, a Clearwater, Florida-based security awareness training platform, to train and test its employees by sending out fake emails that should be construed as malicious to monitor how staff members respond.

“Everyone gets a lot of phishing emails,” the representative said. “But because of our training, I get people asking whether this is legit.

“The marijuana industry is heavily targeted by phishing emails. These malicious actors know that these are new companies and might not have the robust software to protect them.”

As many employees worked remotely during the global COVID-19 pandemic, the edibles manufacturer feared its networks were open to more ransomware threats because of its inability to properly secure the company’s networks.

“It was such a quick change with little time to prepare and not enough time to secure employees’ networks.”

Spotting suspicious emails key

It’s also important to educate employees about how to spot emails that might appear legitimate but are a scam, said Ajay Chawla, co-founder and partner of Troy, Michigan-based IT consulting firm Backcross Solutions.

One situation a Backcross cannabis client had was when an employee received an email that appeared to be from the company’s CEO saying it had just won another license.

The email instructed the employee to cut a check for $15,000 and drop it off at a certain address by the end of the day.

The employee cut the check, but when he got in his car, the CEO happened to call him, ultimately stopping the fraudulent activity.

“You see the email, and it almost looks exactly like your CEO’s, but there may be a letter different, and you don’t recognize it,” Chawla said.

“It’s things like that that happen all the time. Those kinds of email hacks are easy to do, and people often mistake them.”

Grow operations are particularly vulnerable to cyberattacks because their irrigation, feeding and lighting systems are connected via the internet through so-called Internet of Things (IoT) systems that aren’t difficult to attack, Chawla said.

“They have tracking systems. They have seed-to-sale (programs) in their dispensary or grow,” Chawla said.

“They have a ton of physical security. So, when we ask them about security, they want to show us their camera room and their big armed guard.

“We try to explain that the person who’s going to come in and steal from you is not across the street or in this town – they’re in Ukraine or Russia or somewhere else.”

Backcross partner John Lamarche said that many cannabis companies are so focused on opening their retail locations and adhering to other compliance matters that IT and cybersecurity fall into the “nice to have” category.

“They’re not focusing on cybersecurity, and they are absolutely vulnerable,” Lamarche said.

“As we get more professional money from people who see cannabis as a business opportunity and people who have a strong business background outside of cannabis, they’re reaching out to companies like ours.

“As the industry matures, you’ll see more people gravitate to the more sophisticated solutions.”