If you found yourself in an hours-long line for expensive gas last month, then you’re probably familiar with the damage that ransomware attacks can do. The federal government certainly is.
During President Joe Biden’s much-anticipated first meeting with Russian President Vladimir Putin on Wednesday, the two leaders said they talked about the recent cyberattacks on some of the United States’ most crucial systems and infrastructure, many of which have been traced to Russia. They agreed to further discuss both what critical infrastructure should be considered off-limits to cyberattacks and how to go after ransomware gangs operating within their borders. Last year’s SolarWinds hack was directly attributed to the Russian government, and recent ransomware attacks on industries, including energy, food, and transportation, have been blamed on criminal organizations based in or near Russia — possibly with the country’s knowledge and approval.
Putin claimed in a subsequent press conference that Russia had nothing to do with the attacks (he has denied any involvement in the past). In a separate press conference, Biden said he told Putin in no uncertain terms that the cyberattacks couldn’t go on.
“He knows there are consequences,” Biden said.
Biden also said he told Putin that he expects Russia to act against any criminal ransomware organizations operating within its borders, just as the United States would against any organizations operating within its own.
The United States government has already stepped up its response back home. The Biden administration sent a letter to corporations and business leaders with recommendations for how they can better protect themselves from attacks, and a plea that they do so. The DOJ formed a task force dedicated to ransomware, which has already managed to recover part of the ransom Colonial Pipeline paid to its attackers. And FBI director Christopher Wray even compared the ransomware attack epidemic to 9/11.
Wray’s comparison might be a bit extreme. There’s no evidence that a ransomware attack has been directly responsible for any deaths, let alone nearly 3,000 of them. But it should now be clear to everyone that ransomware is a serious issue that affects and disrupts even the most critical sectors. The attacks are ramping up in frequency and severity, and the US government is ready to throw everything it can at the problem in order to stop them — including, reportedly, giving ransomware attack investigations the same priority that they do terrorism.
But for all that, ransomware isn’t new. There have been several high-profile attacks in the last few months that have given the issue more attention, but ransomware has been a major, and growing, issue for years. Wealthier and more sophisticated criminal organizations, new extortion tactics, and the pandemic have exacerbated the problem. But other factors — cryptocurrency, poor cybersecurity, and the fact that the ransoms often get paid and the attackers get away with it — have been around for a long time. And they may be here for a long time to come. A stern lecture at the leader of the Russian government almost certainly won’t be enough to stop them.
Ransomware, explained
Ransomware is malware that locks up access to its victim’s systems and then demands a ransom, usually in cryptocurrency, to unlock them. How the malware gets in the systems depends on the type used, but email phishing attacks are one of the most common ways. You may only need one employee out of thousands to open the wrong email and click on the wrong link if a company’s systems are properly secured, and spoofed emails can be pretty convincing. Hackers may also exploit vulnerabilities in a company’s systems or mount a brute force attack, which involves guessing at access credentials (like passwords) until they get one right.
“It could be a user with a weak password, it could be a user that clicks on a phishing email, or it could be a vulnerability in the system itself,” Jonathan Katz, a professor of computer science at the University of Maryland, told Recode. “One way or the other, they’re able to get this malware installed on computer systems.”
The most common victims have been institutions or companies that are especially vulnerable to an attack and motivated to get their systems back online as soon as possible. The health care sector, for instance, has been one of the most targeted because the consequences of not paying the ransom quickly can be dire, from not being able to provide health care to sensitive patient data being leaked — or even the patients themselves being blackmailed not to have their data released. Municipal or government systems, from school districts to large cities like Atlanta and Baltimore, have also been frequent targets of ransomware.
But just because health and government systems have historically been the most likely targets doesn’t mean organizations in other sectors should assume they’re safe. If it wasn’t obvious by now, attacks can and do hit anyone.
Before the gas pumps went dry, you may have been paying for ransomware attacks without realizing it. When government systems are attacked, the cost is ultimately borne by the taxpayer, just as consumers often cover the cost of attacks on large companies (or smaller ones, assuming the attack doesn’t put them out of business first). And the cost of fully recovering from a ransomware attack often far exceeds the ransom itself — it could be months of time and millions of dollars. Cybersecurity Ventures predicts that ransomware damage will cost $20 billion worldwide in 2021, up from $325 million just six years ago. But it can cost even more not to pay the ransom at all, so the victims pay up.
The victims are paying more, too: The average ransom amount has increased along with the number of attacks. Due to the fact that the majority of victims never go public, it’s impossible to get an exact number, but one estimate says that the average ransom payment more than doubled between 2019 and 2020, from $115,000 to $315,000. When large companies like Colonial Pipeline, JBS Foods, and CNA Financial get hit, ransom payments are in the millions. It’s believed that ransomware gangs pulled in at least $350 million in 2020. Check Point Software told Recode that the number of attacks doubled between 2020 and 2021. One commonly cited global statistic says businesses will be attacked by ransomware every 11 seconds by the end of 2021, though other estimates are far more conservative. Check Point, for example, says about 1,000 organizations were attacked every week in April 2021 — or, once every 10 minutes.
This all suggests that criminals are becoming bolder and, well, greedy.
“Not only has there been a huge uptick in the number of attacks, but the amount being demanded of victim companies has just skyrocketed,” Peter Marta, cybersecurity law expert at Hogan Lovells and former head of cybersecurity law at JPMorgan Chase, told Recode. “I don’t think anybody could have predicted a year and a half ago, where we would be today.”
And while the US government has issued statements over the years saying that ransomware attacks were a real threat that companies needed to take seriously and protect themselves from, the Colonial Pipeline attack took its response to a new level.
The evolution of ransomware
Ransomware has actually been around since the 1980s (the first known instance was distributed on floppy disks, with ransom payments made in cashier’s checks or money orders mailed to a post office box in Panama), but it wasn’t until 2013, with the emergence of the CryptoLocker virus, that cybersecurity researchers started to see it as a real and growing threat. CryptoLocker was distributed via spoofed emails with attachments. Once the victim downloaded the attachment, their files were locked up, and they were told to pay a small ransom to unlock them, ideally in bitcoin.
“CryptoLocker was the first successful ‘mass distribution’ ransomware,” Lotem Finkelsteen, head of threat intelligence at cybersecurity firm Check Point, explained. “Up until CryptoLocker, it was very rare to see ransomware. … Bitcoin, in a way, assisted in the ransomware blossom. And the rest is history.”
Bitcoin, as a global decentralized digital currency, made it much easier for criminals to collect ransom payments and harder for authorities to trace, let alone recover — although, as we’ve recently seen, recovering the ransom is not impossible. Ransoms were paid, the attackers got away with them, and over time and with more money, they’ve evolved into sophisticated criminal enterprises, offering ransomware-as-a-service to partners and creating what some experts liken to franchises. All of which makes ransomware more accessible to attackers who might otherwise not have had the know-how or payment mechanisms.
“The commoditization of ransomware overall … has made this so much easier for anybody to get into the game,” said Steve Turner, a cybersecurity analyst at Forrester.
And some, it seems, have become brazen enough to attack massive companies and demand huge ransoms while potentially disrupting the lives of millions all over the world.
“There’s no mystery why some of these folks are being targeted,” said Mark Ostrowski, head of engineering at Check Point. “Big bang for the buck. Big interruption, big return.”
In cases where hackers are identified and charged for their attacks, they’re usually well out of the reach of US authorities — in North Korea or Iran, for instance.
Why we’re seeing so many attacks now
With the recent spate of high-profile attacks on companies from different yet important sectors — energy, food, transportation, finance, technology, and communications — it’s understandable that the average person might think the US is under some kind of coordinated attack as part of a brewing cyberwar. That these attacks are coming on the heels of the SolarWinds cyberattack, which is believed to have been orchestrated and carried out by the Russian government, likely contributes to that impression. But SolarWinds was not a ransomware attack, and while it’s true that many ransomware operations are based in or around Russia, possibly with some kind of informal agreement with the Russian government that they can go about their business as long as they don’t attack Russia or its allies, many experts attribute the recent attacks to other factors, and the primary motivation to money.
Starting a year and a half ago, two things happened: Attackers started not just holding systems for ransom, but also stealing their victims’ data and holding that for ransom too. Basically, hackers pivoted to data. You can back up and restore your systems without having to pay a ransom, but there’s not much you can do to stop your data from being released — other than paying for it not to be.
“Yesterday’s ransomware attacks were just encryption events,” Marta said. “Today you have double extortion, where it’s not just that your files and servers are encrypted, but also the threat actor has stolen a bunch of your sensitive data. And they’re saying if you don’t pay, we are going to dump that data on the dark web.”
“Normally, personnel are physically at the location and do not need remote access,” Prashant Anantharaman, a researcher at Dartmouth’s Institute for Security, Technology, and Society, told Recode. “With the push for remote work, we had to make many of these facilities internet-connected and remotely operable, increasing the attack surface.”
It’s hard to know the full extent of ransomware attacks because the vast majority of them aren’t reported. But even before the Colonial Pipeline attack — which introduced many Americans to the concept of ransomware, or at least how it could personally affect them — happened, the FBI had formed its ransomware task force and the Institute for Security and Technology had created a ransomware task force of its own, with an April launch event that featured a keynote speech from Secretary of Homeland Security Alejandro Mayorkas. The Cybersecurity and Infrastructure Security Agency (CISA) has steadily rolled out ransomware guides and fact sheets for everyone from individuals to businesses that run critical infrastructure.
What happens next
Americans’ shock over the recent spate of attacks may not be so much that ransomware exists or that cyberattacks are a threat, but that even massive companies and large governments can’t or won’t take steps to prevent them from happening in the first place. And that’s a very difficult problem that will probably need several different solutions.
“Americans should be concerned about this,” said Michael Hamilton, former chief information security officer (CISO) for the city of Seattle and current CISO of CI Security, which specializes in local government cybersecurity. “But I believe there is help on the way, and I think it’s going to come in a number of parts.”
In some cases, the government can — and does — require that certain sectors meet cybersecurity standards. Pipeline cybersecurity, for instance, is overseen by the Transportation Security Administration (TSA), but it did very little to ensure compliance from the companies under its purview. This will supposedly change soon. Colonial was breached through an account that didn’t have multi-factor authentication, which is a basic cybersecurity step. (CEO Joseph Blount told a Senate committee that the password was “complicated.” Any cybersecurity expert — or even a humble data privacy reporter — will tell you passwords, even the most complicated, are not enough. Safe to say that Blount knows this now, too.)
“Regulations are part of it, but it’s not going to solve the problem,” Ostrowski, of Check Point, said. “How you’re going to solve the problem is actually taking cybersecurity seriously. And I think a lot of verticals don’t take cybersecurity as seriously as they should. They look at cybersecurity as an expense versus as a critical piece of their business. And that’s how you’re going to solve it.”
The recent law enforcement crackdown on ransomware — and the results — may go a long way to alleviate the threat. After all, if hackers think they might actually get caught or have their operations shut down or their ransom payments seized, they’ll think twice about who they attack. The FBI was able to break into a crypto wallet and seize much of the ransom Colonial paid, and the group responsible for the attack, DarkSide, claimed its servers had been taken down and that it was disbanding (you can decide if you want to take that claim at face value or not — it’s pretty common for hacker groups to “disband” and then resurface with a different name). This shows that even those sophisticated ransomware-as-a-service organizations aren’t completely immune from some consequences.
And, Hamilton points out, there’s a big difference between being a cybercriminal and being labeled a terrorist by the US government.
“We change the rhetoric, we let them know we’re coming after you in a much different way now,” he said.
On the other hand, the aggressive response could make things worse if hackers are confident enough that they still won’t get caught.
“If they’re being targeted now, they’re going to get much more bold on the targets that they’re going after,” Forrester’s Turner said. “It becomes about getting revenge.”
New laws could also make it harder to pay and collect ransoms. If organizations are forbidden from paying ransom and cryptocurrencies become better regulated, that could go a long way to cutting off the money stream that is believed to fuel many of these attacks. Of course, both of these things are easier said than done. But it’s not impossible, either: Look at China’s crackdown on cryptocurrencies. Experts are split on whether ransom payments should be banned.
One silver lining to all of this is that organizations that haven’t invested in cybersecurity will finally realize that they could be attacked and make cybersecurity a priority — and have better guidance and resources to do so.
“I think with CISA finally on its way to getting the funding and resources, I think that there’s a very big opportunity to make security better for everybody,” Turner said. “At the end of the day, all of these folks are chasing the almighty dollar or the almighty bitcoin … And if it continues to be lucrative and there are no penalties or there’s no traceability to what some of these folks are doing, they’re going to continue to do it.”
Correction, June 17, 10:45 am: The $20 billion global damage by 2021 was not predicted by AIG, as initially written, but cited by AIG from a CyberSecurity Ventures report.