Cybersecurity experts like to joke that the hackers who have turned ransomware attacks into a multibillion-dollar industry are often more professional than even their biggest victims.
Ransomware attacks — when cyber attackers lock up their target’s computer systems or data until a ransom is paid — returned to the spotlight this week after attacks hit one of the biggest petroleum pipelines in the US, Toshiba’s European business and Ireland’s health service.
While governments have pledged to tackle the problem, experts said the criminal gangs have become more enterprising and continue to have the upper hand. For businesses, they said, there is more pain to come.
“This is probably the biggest conundrum in security because companies have to decide how far they participate in this cat-and-mouse game,” said Myrna Soto, chief strategy and trust officer for Forcepoint. “It’s a battle, it’s warfare, to be honest.”
Last year, the number of ransomware attacks rose by more than 60 per cent to 305m, according to data from SonicWall, as hackers took advantage of the shift to working from home, and the vulnerabilities that opened up as a result. Just over a quarter of victims pay up to unlock their systems, according to cyber security researchers at CrowdStrike.
About two dozen gangs dominate the market, and business has been brisk. They earned at least $18bn in ransoms in 2020, according to the cyber security group Emsisoft, with an average payout of about $150,000. Once indiscriminate in their attacks, many now engage in “big game hunting” — pursuing the biggest targets to demand huge payouts.
Less technologically minded criminals have also joined in, after the emergence of ransomware-as-a-service, or RaaS, where groups rent out their malware on the dark web to “affiliates” and take a cut of their earnings.
“There are very low barriers to entry now,” said Rick Holland, chief information security officer at cyber security group Digital Shadows.
The alleged perpetrators of the Colonial Pipeline hack, a Russia-based gang called DarkSide, ran one such affiliate programme, according to cyber security group FireEye, meaning another group may also have participated in the Colonial attack.
“There’s now a division of labour and criminals are co-operating transnationally,” said Joshua Motta, co-founder and chief executive of cyber insurance group Coalition.
Follow the money
Cyber experts and governments continue to debate the most effective way to beat the cyber cartels. One of the thorniest questions is whether governments should ban victims from paying ransoms altogether.
“This is something governments seriously need to consider,” said Brett Callow, analyst at Emsisoft. “Make ransomware attacks unprofitable, and the attacks would stop.”
But opponents warn that a ban would do little to deter hackers, given the low cost and low risk of launching attacks, and could push the gangs towards more vulnerable targets, such as hospitals.
The FBI advises against paying ransoms, but in the case of Colonial, the White House acknowledged the difficult position that companies were left in.
Last month, a public-private task force of big tech groups including Microsoft and Amazon, together with US officials, recommended making it mandatory for companies to review alternatives before paying a ransom, and then report to a government body if they pay a ransom.
Many victims are reluctant to disclose if they have been attacked or paid, over fears of reputational damage or legal and regulatory backlash. But Jen Ellis, vice-president of community and public affairs at cyber group Rapid7 and a member of the board, said: “It can be done privately, there are ways to do it so that you destigmatise it. But reporting it gives us a greater ability to investigate the payments [and] track them.”
This ties into another demand that the task force and others have called for: greater government oversight of cryptocurrency exchanges, which they believe should adhere to the same “know-your-customer” and anti-money-laundering laws as traditional financial services.
How investigators can find clues
Meanwhile, the US government has ramped up efforts to hunt down and prosecute ransomware gangs themselves, with the Department of Justice last month launching its own dedicated ransomware unit. Among its goals, according to a memo by acting deputy attorney-general John Carlin, seen by the Financial Times, is taking action to “disrupt and dismantle the criminal ecosystem”.
This might typically involve wiping out the servers and other hosting services that facilitate the cyber cartels’ enterprise, according to Tom Kellermann, head of cyber security strategy for VMware and cyber investigations advisory board member for the US Secret Service.
Kellermann suggested that there could be a role for internet service providers to play in wiping out the dark web forums associated with particular gangs. “Why don’t they sinkhole it, just knock it off the internet completely?”
Often it is sloppiness on the part of the criminal affiliates that leaves clues for investigators and enables such action to be taken, according to Allan Liska of Recorded Future’s computer security incident response team, because they “aren’t as good at covering their tracks” as the ultimate ransomware operators.
Already, there are indications that targeting hackers’ infrastructure helped prevent an even more catastrophic disaster in the case of the Colonial shutdown. On Saturday, a group of tech and cyber companies, as well as US agencies such as the FBI, thwarted the attackers by shutting down US-based servers that the hackers were using to store data before then sending it on to Russia, according to two people familiar with the situation. The disruption was first reported by Bloomberg.
There has been little attempt to prosecute the gangs, many of which operate with impunity from Russia, which is unlikely to extradite them. Last month, the US Treasury even accused one of Russia’s intelligence services, the FSB, of “cultivating and co-opting” the ransomware group Evil Corp.
In return, the criminals typically avoid targeting organisations in Russia, and can be called upon to share their access to a victim’s systems. “I joke that the safest way to protect yourself from ransomware is to convert all your keyboards to using the Russian Cyrillic layout,” said Liska.
Use of sanctions
Dmitri Alperovitch, co-founder of security group CrowdStrike who now runs the Silverado Policy Accelerator think-tank, said on Twitter: “We don’t have a ransomware problem. We have a Russia problem. That’s it.”
The public-private ransomware task force recommended greater international co-ordination and “exerting pressure” on nations that refuse to collaborate — for example, through sanctions or by withholding aid or visas.
So far, the US has opted to slap sanctions on certain groups, such as Evil Corp, as a deterrent to would-be ransom payers. In October, the US Treasury issued a warning to any group that might help facilitate a ransom payment — cyber security, negotiator and insurance companies — not to violate sanctions, and gave a similar warning to financial bodies such as crypto exchanges.
Not everyone has heeded those warnings. According to data from Chainalysis, which analyses blockchain transactions, about 15 per cent of ransom payments it tracked in 2020 — or close to $60m in total — may have violated sanctions, as they appeared to be sent to blacklisted groups or those affiliated with such groups.
With few options for prosecution, one expert familiar with the government’s approach said he expected authorities would wait to go aggressively after the perpetrators of the Colonial hack. “It’s 10 or 15 young guys or girls who party a lot and want loads of money. You don’t go after them in Russia, you go after them when they go on vacation in Greece.”