If you’ve noticed a lot of news stories and social media posts lately blaring the word “ransomware” in the headline, you’re not alone.
Since the start of 2021 (but especially over the last four weeks), ransomware seems to be everywhere: From the attack that shut down a 5,500-mile interstate gas and oil pipeline belonging to Colonial Pipeline Co., to another incident that forced JBS, one of the world’s largest meat producers, to suspend some operations for nearly a week.
Then there’s the money.
The CEO of Colonial Pipeline admitted to paying a ransomware gang called DarkSide a $4.4 million ransom, while JBS’s chief executive made an $11 million payment to the Russian-speaking gang known as REvil or Sodinokibi. Those payoffs to criminal gangs might seem like a bargain compared to the $40 million that insurance firm CNA reportedly forked over following a similar attack.
The failure to prevent these attacks, the fact that cybercriminals are now targeting critical infrastructure within the U.S., and the amount of money used to pay these ransoms have all attracted the attention of Congress, which has held a series of hearings about ransomware that could likely lead to new laws or regulations.
While crypto-locking malware has been around for years, ransomware attacks have evolved from cybercriminals targeting individual users or vulnerable business networks for a few bitcoins into an organized, global criminal operation that includes encrypting files, stealing data and extorting large organizations for millions of dollars in virtual currency, whether it’s bitcoins or monero.
Some gangs, such as DarkSide and REvil, operate in a ransomware-as-a-service model, where some gang members develop the malware, while affiliate groups seek out victims and carry out the attacks.
Ransomware has gotten enough attention that President Joe Biden raised the issue with Russian President Vladimir Putin during a summit in Geneva on June 16, since many of these groups appear to operate from Russia with the government turning a blind eye to some of their activities, according to numerous reports and cybersecurity analysts.
“As companies continue to pay ransoms, cybercriminals are becoming more emboldened and turning their focus to ransomware attacks as a lucrative opportunity. These malicious actors are also moving away from holding data hostage and zeroing in on targeting critical infrastructure that can disrupt society,” Scott Devens, CEO at security firm Untangle, told Dice. “The shift comes as they realized they could get larger ransoms faster if their attack had the potential to cause severe consumer pain.”
If ransomware appears hyped by some headlines, statistics show the problem is deadly serious. Devens pointed to a May report released by Check Point Software that found a 102 percent increase in ransomware attacks this year compared to the same period in 2020.
Karl Steinkamp, director of PCI product and quality assurance at consulting firm Coalfire, points to statistics published by the FBI’s Internet Crime Complaint Center that show how ransomware has progressed over the years. In 2013, IC3 reported 991 incidents and $539,000 lost to these attacks.
By 2020, there were over 2,400 ransomware incidents reported and more than $29 million lost—and these numbers are likely low, since private companies and firms are not required to report ransomware attacks to the FBI.
“Bad actors have realized that the opportunity cost of utilizing ransomware versus other forms of malware is in their favor as well as an increased awareness of crypto assets—principally bitcoin—for a mechanism of payment,” Steinkamp told Dice. “While the incidents don’t directly correlate with the price fluctuations of bitcoin, ransomware attacks are naturally becoming more lucrative as the price of bitcoin increases. As this continues to happen, we will likely see more incidents as more individual and nation-state bad actors continue to move into this space.”
Several cybersecurity analysts noted that many organizations that have sustained ransomware attacks suffered from the same security shortcomings: Weaknesses surrounding email phishing attacks that give attackers initial access; vulnerabilities in remote desktop access protocols that lead to incidents; and unpatched bugs in software and hardware that could leave networks open to an attack.
In the case of Colonial Pipeline, the attackers found a compromised password that gave access to a VPN application that the company had forgotten was still active on its network, according to security firm FireEye, which investigated the incident on behalf of the company.
Several analysts note that the recent spate of high-profile ransomware attacks, combined with the government initiatives such as Biden’s executive order that focuses on cybersecurity, is likely to push more businesses and government agencies to increase their security spending over the next several months.
“Unfortunately, making large changes to the security team and the network will require investments that companies may be hesitant to make due to budget constraints,” Jamie Hart, cyber threat intelligence analyst at Digital Shadows told Dice. “However, given the recent attacks on Colonial Pipeline and JBS, organizations should evaluate their security now and take action to fortify their defenses; the best offense is a good defense. IT and security staff's ability to do their job may come down to the budget allotted to their team to implement the necessary changes.”
Bill Osterhout, director of cloud and IT solutions at Array Information Technology, notes that even with increased spending, there’s still stress on IT and security teams to keep up with the vulnerabilities that could lead to a ransomware attack.
“Frequent penetration testing events and software-based security monitoring controls must be implemented to assure that vulnerabilities are not introduced once a secure baseline is validated,” Osterhout said. “In today’s world of rapid IT innovation, the only constant thing is change. IT and security staff must embrace a continuous learning culture necessary to effectively control this rapidly evolving environment.”
Spotlight on Cryptocurrency
While the attacks against organizations such as Colonial Pipeline and JBS might seem daunting, there is some good news to mix in.
On June 7, the FBI and the U.S. Department of Justice announced that they had recovered $2.3 million of the $4.4 million that Colonial Pipeline paid to the DarkSide gang.
“By reviewing the bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim's ransom payment, had been transferred to a specific address, for which the FBI has the 'private key,'" Deputy U.S. Attorney General Lisa Monaco noted during the press conference. The FBI, however, has not detailed how it came to find this private key to the digital wallet.
For some analysts, the type of investigative techniques used by the FBI might make those IT or security professionals with knowledge of cryptocurrency (especially how blockchains work) more valuable in the months and years ahead.
“As cybercriminals continue to use cryptocurrencies, people with blockchain skills may have doors opened for them,” Hart said. “People with blockchain experience may be able to help law enforcement and security companies track cryptocurrency payments and activity since transactions can pass through many different mediums. These skills could help track payments made by and to threat actors.”
Untangle’s Devens believes that the increases in ransomware and other threats should force more organizations to rethink their cybersecurity policies and also focus on hiring professionals who can help close some of the gaps that lead to these types of attacks.
“These attacks are leading companies to re-evaluate their IT security teams to add specific skills, such as mobile device management, digital forensics, malware prevention, etc., as hybrid work continues and more IoT devices are brought onto networks,” Devens said. “To defend against cyberattacks, network security professionals will also need to continually stay updated on new technology, educate all employees on the latest schemes, and implement policies such as zero trust that may be unpopular with staff, but are necessary to prevent attacks.”