Ransomware Attacks Us

What’s Driving the Surge in Ransomware Attacks?

Digital experts are fighting a “pandemic” of viruses as the United States emerges from the coronavirus lockdown, warned Chris Krebs, the former head of U.S. cybersecurity. Ransomware attacks have succeeded in shutting down large parts of the American economy on several occasions over the past seven months, with hackers taking advantage of lax security precautions to make quick money. The scheme is simple: hackers use malicious code to break into a company’s systems and encrypt its data, then hold that data for ransom until the victim pays, often a seven-figure sum.

Although the Biden administration has made stopping these disruptive attacks a top national security priority, experts believe the worst is still to come. Here is what you need to know about the latest spate of attacks and how to stop them.

What businesses were attacked?

In recent months, cyber-attacks have been a major problem in the private sector:

  • In August, Howard University canceled classes following a hack of their systems, which is representative of a rise in ransomware attacks on education providers in the U.S.
  • In July, the IT firm Kaseya was hacked, resulting in thousands of victims in at least 17 countries getting locked out of their systems. Initial ransom demands were for $70 million.
  • In June, an attack on the multinational meat producer JBS S.A. shut down a quarter of American beef operations for two days, as the firm took its computer systems offline to limit the scale of the breach. REvil, the same group that hacked Kaseya, was behind the JBS attack.
  • In May, a cyberattack on Colonial Pipeline forced the company to shut off gasoline supply to much of the Eastern Seaboard, resulting in shortages throughout the South. That same month, an attack shut down the databases of a hospital system in San Diego for two weeks.
  • In April, hackers claimed to have stolen 500 gigabytes of data from the Houston Rockets, including contracts and non-disclosure agreements.
  • In March, CNA Financial Corp, one of the largest insurance companies in the U.S., was locked out of its network for almost two weeks following a breach.
  • And in February, hackers accessed a water-treatment plant in Oldsmar, Florida, briefly raising the level of lye in the drinking water to dangerous levels.

These are some of the most damaging break-ins, but they are far from the only examples: One security firm that tracks ransomware attacks estimated that there were some 65,000 successful breaches in 2020. Around the time that Colonial Pipeline’s system was compromised, Homeland Security Secretary Alejandro Mayorkas estimated that $350 million in ransom payments were handed out to groups engaging in ransomware schemes last year.

What is ransomware?

Ransomware attacks are the most widespread form of cybersecurity breach. They target individuals and businesses by taking their data hostage, locking them out of their systems, and then demanding a ransom to let them back in. This type of cybercrime is popular because it is easy to carry out. The most common strategies involve exploiting security holes with software, or tricking users into downloading malicious software by pretending to be a trusted source, a technique known as phishing. We have seen this year that some companies of high national-security importance have poor security. In testimony before Congress, Colonial Pipeline CEO Joseph Blount admitted that the company was not using multifactor authentication for logins, the simple step that requires users to enter their password on a computer and then confirm their identity on their phone or another device.

Many victims pay ransom to end the breach. “Many high-profile ransomware attacks have occurred in hospitals or other medical organizations, which make tempting targets: attackers know that, with lives literally in the balance, these enterprises are more likely to simply pay a relatively low ransom to make a problem go away,” the cybersecurity blog CSO explains.

Colonial Pipeline and Brenntag, a chemical distributor, each paid ransoms equivalent to $4.4 million in May to the hackers who had breached their systems, in order to regain access and resume operations. JBS paid $11 million to end its attack. “I know that’s a highly controversial decision,” Colonial Pipeline CEO Joseph Blount said after his firm’s payment was announced. “I didn’t do it lightly. I’ll be honest, I was uncomfortable seeing the money flow to people like these. It was the right thing for the country.”

Blount is not alone: according to a survey conducted by the security firm Kaspersky, more than half of ransomware victims in 2021 paid up to regain access to their own information. Only 25% of those companies were able to regain full access.

Who is carrying out these attacks?

Groups known as ransomware gangs work in jurisdictions where American law enforcement cannot reach them; as with other notable breaches of U.S. cybersecurity, the threat comes predominantly from Russia. The gangs’ names are typical of professional online criminals from the former Soviet republics, and their software weapons carry similarly colorful monikers, including references to the Greek gods of the dead and an anime prankster. Unsurprisingly, their threats can be quite sinister. DarkSide, the group responsible for shutting down Colonial Pipeline, broke into the data of a small education publisher earlier in the year. The hackers threatened to contact the publisher’s clients and tell them that the stolen information could be used to create fake ID cards giving pedophiles access to their schools. The New York Times reports that the claim was untrue.

Some hackers are connected to Russian intelligence. The FBI and NSA have both stated that the historic SolarWinds hack first reported in December 2020 was carried out by hackers with links to Russia’s Foreign Intelligence Service. Notably, this was not a ransomware strike but something called a supply-chain attack; hackers infiltrated the information-technology company SolarWinds, then used that access to break into the systems of the firm’s clients, which included servers operated by NATO, the European Parliament, the government of the United Kingdom, and several branches of the federal government, including the Treasury and Commerce Departments. The Biden administration issued a series of economic sanctions on several Russian technology companies and financial organizations for their involvement in the attack.

SolarWinds is one of the most direct known collaborations between Russian intelligence and cybercriminals. More often, ransomware groups operate under an unstated agreement with the Kremlin, as cybersecurity experts recently told the AP:

To avoid a crackdown by Russian authorities, hackers in Russia generally avoid targeting any businesses in the Commonwealth of Independent States, the intergovernmental organization made up of former Soviet republics.

Why is this happening?

While the trend is driven by a complex mix of cybersecurity and geopolitical factors, the fundamental reasons behind its recent rise are quite simple. Ransomware attacks have become much easier to carry out, and criminals have access to more payment options. Meanwhile, businesses are growing increasingly reliant on digital infrastructure and more willing to pay ransoms, which increases the incentive to break in.

The New York Times points out that criminals once needed psychological tricks to get people to hand over bank passwords, as well as the technical knowledge to siphon money out of secured personal accounts. Now, Russian youths with criminal tendencies and cash shortages can simply buy the software, or get help from DarkSide, which charges clients a fee to hack into businesses on their behalf. This criminal exchange was on display in the breach of the education publisher that involved the false threat about pedophiles.

Cybercriminals have also found it easier to collect their funds using Bitcoin. “Cryptocurrency provided the perfect answer to allowing hackers to prey on their victims and extort unlimited and anonymous cash payments while completely minimizing their exposure of being caught by law enforcement,” programmer Stephen Diehl wrote in a Twitter thread following the Colonial Pipeline hack. Diehl explained that before the crypto boom, cybercriminals had to resort to collecting ransoms in prepaid gift cards, sometimes for as little as $1,500, a poor system when millions are at stake. In-person payments were not possible because of the risk of law enforcement raiding the handoff, and wire transfers were out because banks would not allow such a large transfer to a criminal organization. Because Bitcoin transfers are anonymous, there is now an international payment method with which, as Diehl put it, “there is no upper limit on the extortion amount.” That is why the Colonial Pipeline ransom was denominated not in dollars but in 75 Bitcoin, worth about $4.4 million at the time.

The final factor is behavioral. Ransomware attacks are a way for criminal organizations to make big money, collecting hundreds of millions of dollars in Bitcoin from their victims. “Attacks happen for one reason and one reason only,” Brett Callow, a threat analyst with the antivirus firm Emsisoft, told NPR. “They are profitable. They will cease to be profitable if they are made unprofitable.”