Last year’s SolarWinds hack was directly attributed to the Russian government, and recent ransomware attacks on industries, including energy, food, and transportation, have been blamed on criminal organizations based in or near Russia — possibly with the country’s knowledge and approval.
Ransomware, explained
Ransomware is malware that locks up access to its victim’s systems and then demands a ransom, usually in a cryptocurrency, to unlock them. How the malware gets in the systems depends on the type used, but email phishing attacks are one of the most common ways.
It may take only one employee out of thousands opening the wrong email and clicking on the wrong link if a company’s systems aren’t properly secured, and spoofed emails can be pretty convincing. Hackers may also exploit vulnerabilities in a company’s systems or mount a brute force attack, which involves guessing at access credentials (like passwords) until they get one right.
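The password-guessing vector described above leaves a distinctive trail in authentication logs: many failed logins from one source in a short time, sometimes followed by a success. The following is an added example, not code from the original article, showing how a defender can flag that pattern. The log lines are constructed in the style of OpenSSH’s sshd syslog messages, and the threshold (five failures) and window (one minute) are assumptions to be tuned per environment.

```python
"""Flag password-guessing (brute-force) activity in authentication logs.

Added example, not from the original article. The sample log below is
constructed to mimic sshd output; threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source guesses several
# accounts and eventually succeeds; a legitimate user mistypes once.
SAMPLE_LOG = """\
Jun 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 10 08:00:02 host sshd[1202]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jun 10 08:00:02 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Jun 10 08:00:03 host sshd[1204]: Failed password for root from 203.0.113.5 port 40125 ssh2
Jun 10 08:00:04 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
Jun 10 08:00:05 host sshd[1206]: Accepted password for root from 203.0.113.5 port 40127 ssh2
Jun 10 08:01:10 host sshd[1210]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun 10 08:09:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <src>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line, year=2021):
    """Return (timestamp, result, user, source) or None for unrelated lines.

    syslog timestamps carry no year, so one is assumed (constructed data).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with `threshold` or more failed logins inside `window`.

    Returns (flagged, followed_by_success):
      flagged             -> {source: time the threshold was first crossed}
      followed_by_success -> {source: (user, time)} for the first successful
                             login from a source after it was flagged, which
                             is the case an incident responder cares about most.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}
    followed_by_success = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            recent = failures[src]
            recent.append(ts)
            # Drop failures that have aged out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged[src] = ts
        elif src in flagged and src not in followed_by_success:
            followed_by_success[src] = (user, ts)
    return flagged, followed_by_success


if __name__ == "__main__":
    flagged, success = detect_bruteforce(SAMPLE_LOG)
    for src, when in flagged.items():
        print(f"{src}: password guessing detected at {when:%H:%M:%S}")
        if src in success:
            user, when_ok = success[src]
            print(f"  followed by successful login as {user!r} at {when_ok:%H:%M:%S}")
```

The success-after-failures case is kept separate from the plain threshold alert because it changes the response: a flagged source that never got in is a candidate for blocking, while a flagged source that later authenticated calls for treating that account and host as compromised.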
“It could be a user with a weak password, it could be a user that clicks on a phishing email, or it could be a vulnerability in the system itself,” Jonathan Katz, a professor of computer science at the University of Maryland, told Recode. “One way or the other, they’re able to get this malware installed on computer systems.”
The most common victims have been institutions or companies that are especially vulnerable to an attack and motivated to get their systems back online as soon as possible.
The health care sector, for instance, has been one of the most targeted because the consequences of not paying the ransom quickly can be dire, from being unable to provide care, to sensitive patient data being leaked, to patients themselves being blackmailed with the threat of having their data released.
Municipal or government systems, from school districts to large cities like Atlanta and Baltimore, have also been frequent targets of ransomware.
But just because health and government systems have historically been the most likely targets doesn’t mean organizations in other sectors should assume they’re safe. If it wasn’t obvious by now, attacks can and do hit anyone.
Before the gas pumps went dry, you may have been paying for ransomware attacks without realizing it. When government systems are attacked, the cost is ultimately borne by the taxpayer, just as consumers often cover the cost of attacks on large companies (or smaller ones, assuming the attack doesn’t put them out of business first). And the cost of fully recovering from a ransomware attack often far exceeds the ransom itself — it could be months of time and millions of dollars.
Cybersecurity Ventures predicts that ransomware damage will cost $20 billion worldwide in 2021, up from $325 million just six years ago. But it can cost even more not to pay the ransom at all, so the victims pay up.
The victims are paying more, too: The average ransom amount has increased along with the number of attacks. Because most victims never go public, it’s impossible to get an exact number, but one estimate says that the average ransom payment more than doubled between 2019 and 2020, from $115,000 to $315,000.
When large companies like Colonial Pipeline, JBS Foods, and CNA Financial get hit, ransom payments are in the millions. It’s believed that ransomware gangs pulled in at least $350 million in 2020. Check Point Software told Recode that the number of attacks doubled between 2020 and 2021.
One commonly cited global statistic says businesses will be attacked by ransomware every 11 seconds by the end of 2021, though other estimates are far more conservative. Check Point, for example, says about 1,000 organizations were attacked every week in April 2021 — or, once every 10 minutes.
The evolution of ransomware attacks
Ransomware has actually been around since the 1980s (the first known instance was distributed on floppy disks, with ransom payments made in cashier’s checks or money orders mailed to a post office box in Panama), but it wasn’t until 2013, with the emergence of the CryptoLocker virus, that cybersecurity researchers started to see it as a real and growing threat.
CryptoLocker was distributed via spoofed emails with attachments. Once the victim downloaded the attachment, their files were locked up, and they were told to pay a small ransom to unlock them, ideally in bitcoin.
“CryptoLocker was the first successful ‘mass distribution’ ransomware,” Lotem Finkelstein, head of threat intelligence at cybersecurity firm Check Point, explained.
“Up until CryptoLocker, it was very rare to see ransomware. … Bitcoin, in a way, assisted in the ransomware blossom. And the rest is history.” Bitcoin, as a global decentralized digital currency, made it much easier for criminals to collect ransom payments and harder for authorities to trace, let alone recover — although, as we’ve recently seen, recovering the ransom is not impossible.
Ransoms were paid, the attackers got away with them, and over time and with more money, they’ve evolved into sophisticated criminal enterprises, offering ransomware-as-a-service to partners and creating what some experts liken to franchises.
All of which makes ransomware more accessible to attackers who might otherwise not have had the know-how or payment mechanisms. “The commoditization of ransomware overall … has made this so much easier for anybody to get into the game,” said Steve Turner, a cybersecurity analyst at Forrester. And some, it seems, have become brazen enough to attack massive companies and demand huge ransoms while potentially disrupting the lives of millions all over the world.
“There’s no mystery why some of these folks are being targeted,” said Mark Ostrowski, head of engineering at Check Point. “Big bang for the buck. Big interruption, big return.” In cases where hackers are identified and charged for their attacks, they’re usually well out of the reach of US authorities — in North Korea or Iran, for instance.
Why so many attacks now
Starting a year and a half ago, two things happened: Attackers started not just holding systems for ransom, but also stealing their victims’ data and holding that for ransom too.
Basically, hackers pivoted to data. You can back up and restore your systems without having to pay a ransom, but there’s not much you can do to stop your data from being released — other than paying for it not to be. “Yesterday’s ransomware attacks were just encryption events. Today you have double extortion, where it’s not just that your files and servers are encrypted, but also the threat actor has stolen a bunch of your sensitive data. And they’re saying if you don’t pay, we are going to dump that data on the dark web.”
The other thing that happened, of course, was the pandemic. This opened up tons of new attack vectors for hackers — not just unsecured remote systems, but an exponential rise in phishing emails that took advantage of the circumstances and collective fear. The situation made people more likely to click on a link that would then infect their computers — and, from there, the rest of the system.