Ransomware attacks are bad and getting worse.
The Washington Post found that ransomware attacks in the United States more than doubled from 2019 to 2020. The Post analysis looked at publicly reported ransomware attacks against healthcare providers, government agencies and schools.
This study includes only the publicly reported attacks. An unknown number of companies paid the ransom without reporting the attacks!
This criminal activity adds up to hundreds of millions of dollars lost every year.
How they do it
Some hackers use sophisticated malware that can infiltrate a company’s computer system and shut down operations.
But many use cruder methods; they send phishing emails that dupe employees into opening an attachment or clicking on a link that downloads malicious software, which can encrypt files and bar access to the network, as the Post noted.
Businesses and government agencies in the United States are prime targets.
Ransomware accounted for 30% of all U.S.-based cyberattacks reported to and confirmed by Verizon data breach researchers in 2020.
This is more than twice the rate for the world, the Post found in its analysis.
Handling an attack
If your organization is attacked by ransomware, do not waste time.
Immediately call a cyber-resilience company that can investigate the attack and repair your system while keeping the damage as low as possible.
“Cryptocurrency is invading all forms of criminal activities, and criminals follow the money,” said Gurvais Grigg, a former assistant director of the FBI and now global public sector chief technology officer of blockchain analysis firm Chainalysis.
The transactions are also irreversible, said Rich Sanders, co-founder and lead investigator at CipherBlade, which analyzes the blockchain. “You can’t go to complain to bitcoin and ask for a chargeback.”
Some of the JBS funds were sent through digital “mixers,” which operate as a digital form of money laundering. Mixers use software to commingle and swap one bitcoin for another, all with the purpose of breaking the chain so the history of a single coin is more difficult to trace.
Hackers tend to get caught when they want to exchange their digital currency for traditional cash, experts said.
Investigators try to identify and label funds on the blockchain to keep track of them. If the money is ever moved from a private wallet to a public exchange, the researchers or law enforcement can directly contact the exchange operators and ask them to lock the account in question while they investigate.
Many exchanges based in the United States will cooperate with these requests, said Megan Stifel, senior policy analyst at the Global Cyber Alliance. They comply with common financial regulations, such as “know your customer,” meaning they have identification for account holders.
But there are exchanges that purposely ignore or try to resist requests, or are based in jurisdictions that have lax regulations or look the other way.
Federal authorities did manage to recover more than $2 million worth of Colonial’s $4.3 million ransom payment. In that case, researchers say, officials seem to have accessed a private wallet that contained the cryptocurrency.
Private wallets are difficult to access because they require an encryption key, a long string of numbers and letters, that only the wallet holder possesses. It’s unclear how officials got hold of the wallet’s key.
It takes the better part of a year — an average of 287 days — for a company to fully recover from a ransomware attack, according to a wide-ranging April report from a group of more than 60 experts from industry, government, nonprofits and academia known as the Ransomware Task Force.
For many companies, the actual ransom payment isn’t even the most expensive part of the attack. Companies have to restore backups, rebuild systems, work with forensic investigators to ensure that the hackers are truly locked out and, in many cases, implement stronger cybersecurity controls to prevent future attacks.
And the effects of an attack can reach well beyond the company’s own doors, affecting people’s everyday lives and crucial services. Ferry services were disrupted on the East Coast when a breach brought down a ticketing system. JBS meat-processing plants temporarily shuttered some operations when an attack hit the company’s systems.
Governments around the world are trying to find ways to crack down, with the Group of Seven industrialized countries committing to work together to thwart the attacks, and the White House saying it’s “not taking any options off the table” when it comes to possible responses to the Russian government being slow to stem the tide of attacks originating from inside the country.
Earlier this year, various U.S. agencies began launching ransomware initiatives. In January, the Department of Homeland Security’s cybersecurity agency kicked off a campaign to prod public and private-sector organizations to adopt measures that reduce their risk of being victimized by ransomware. In fall 2019, that agency launched a similar initiative to encourage state and local officials to secure election infrastructure against ransomware attacks. In April, the Justice Department created a task force to disrupt the criminal ecosystem that fuels ransomware attacks.
But the Colonial Pipeline attack fueled a more concerted effort, with President Biden and the White House launching an initiative to address the dangers of ransomware. The initiative complements an executive order he signed in May to shore up the federal government’s digital defenses, which officials hope will spur the private sector to bolster its own.
During a June 16 summit in Geneva, Biden and Russian President Vladimir Putin discussed cyberattacks and agreed that the two countries would begin strategic talks on cybersecurity.
In the meantime, cybercriminals are doubling down on ransomware attacks, having proven to themselves and other potential hackers that they can be extremely profitable.
“You’ve got a lot of folks out there, bad threat actors, that are now emboldened and certainly motivated by the high numbers that are reported on the ransomware payments,” said Turgal, the cybersecurity expert from Optiv. “It’s not going to go away.”