In the cyberspace battle of good vs. evil, the bad guys are winning.
That’s the only conclusion to draw from the spate of recent attacks by criminals who seize computer networks and demand ransom. In the past three months they’ve hit a San Diego hospital, a pipeline, a major beef producer and, most recently, as many as 1,500 businesses that used a company called Kaseya to manage their networks.
REvil, the Russian group behind the Kaseya attack, says it will unlock the networks for $70 million. Many past victims have been willing to pay: Colonial Pipeline sent $4.4 million to hackers who threatened East Coast fuel supplies, and JBS paid $11 million after its beef plants were shut down.
Such ransomware attacks aren’t new, but they have become more common. According to global cybersecurity firm Group-IB, the number of attacks increased 150% last year and the average ransom demand nearly doubled.
Each high-profile attack inevitably spawns imitators, but the COVID-19 pandemic also created new vulnerabilities for criminals to exploit. As companies scrambled to allow remote workers full access to their networks, some didn’t pay enough attention to ways others might sneak in.
“The pandemic has opened up a huge opportunity, and the cybercrime cartels are exploiting it to make lots of money,” said Joe Scherrer, who leads a cybersecurity institute at Washington University.
Brian Gant, assistant professor of cybersecurity at Maryville University, said most ransomware victims are small or medium-sized companies. Entities like the federal government or a Fortune 500 company have robust security and monitor their networks constantly for signs of trouble.
Maryville offers free cybersecurity evaluations for small businesses, and Gant says most firms are aware of the threat but don’t know how to respond. “A lot of them want to have something in place,” he said. “They may not have the budget or the manpower to do so.”
Jarrett Kolthoff, chief executive of cybersecurity firm SpearTip in Town and Country, wasn’t surprised to see a managed-services provider like Kaseya get hit. “It is one of the easiest ways to compromise a large part of the commercial market,” he said.
Kolthoff said his firm, on behalf of insurance companies, is working with several victims of the Kaseya attack. “Some of them, just their phone system was hit and they were able to remedy it. For others, the entire enterprise was encrypted.”
Kolthoff said every business, large or small, should back up all data, monitor its network continuously and run a threat-response exercise to ensure that everyone knows how to recover from a data breach.
Unfortunately, as the recent attacks show, the gangs keep finding places that didn’t take those precautions.
Can law enforcement do anything? The Justice Department did recover some of the bitcoin that Colonial Pipeline paid as ransom, but that may have been luck. Other attackers quickly move their bounty to a country like China, where it’s out of U.S. authorities’ reach.
Other steps might help deter ransomware attacks. The U.S. could impose stricter limits on transactions in cryptocurrencies, the hackers’ preferred method of payment. Nations could negotiate a treaty requiring cooperation on fighting cross-border cybercrime and imposing sanctions on any country that harbors illegal hackers.
With nations such as Russia and North Korea either tolerating or actively encouraging such activity, however, Scherrer isn’t optimistic about slowing the tide of ransomware attacks.
“The profits are high, business is booming and the chances of being apprehended are very low,” he said. “It’s going to get a lot worse before it gets better, unfortunately.”