Governments around the world look for ways to fight back.
Cybercriminals are getting more sophisticated and brazen in ransomware attacks, freezing computer systems at school districts, major universities, police departments and hospitals. Now the US government is stepping up its approach to fighting computer crimes.
Earlier this week, the White House convened an international counter-ransomware event. Representatives from more than 30 countries, including big US allies like the UK, Canada and Japan, participated in the virtual gathering. Notably absent: Russia, which the US and other countries blame for harboring and possibly encouraging the groups behind the attacks.
The high-level government attention to ransomware underscores its growing reach. Once nothing more than garbage malware locking up the hard drives of the tech unsavvy or of small businesses running dated versions of Windows, ransomware has become a global digital scourge. Earlier this year, a major oil pipeline and one of the world’s largest meat processors were both hit by cybercriminals who demanded millions of dollars in ransom.
The attacks on Colonial Pipeline and JBS USA Holdings made headlines for weeks. They also marked a nefarious rise in the ambitions of cybercriminals and caught the attention of government officials and cybersecurity experts.
“It’s really become a national security threat,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told the Billington Cybersecurity Summit last week. “Everything is connected, everything is vulnerable, and the threat actors are just getting more sophisticated.”
According to a report from the Institute for Security and Technology’s ransomware task force, the total amount paid by ransomware victims more than tripled in 2020, reaching nearly $350 million.
Colonial Pipeline and JBS both forked over millions in ransom payments. The FBI was able to recover about $2.3 million of the $4.4 million paid by Colonial. Both ransoms were paid in bitcoin, a popular cryptocurrency.
Both attacks wreaked temporary havoc, pushing up the price of gasoline and meat as the companies lost control of their supplies.
“It’s amusing to the outside world that America doesn’t care until it’s about oil and meat,” says Chester Wisniewski, a principal research scientist for the global cybersecurity firm Sophos.
Wisniewski says earlier attacks would target a dozen or so different entities. They didn’t grab the same kind of national headlines, however, because they were separate, smaller attacks.
By today’s standards, cybercriminals also weren’t as talented. They bought the malware online and sent it out without much research into their targets. Companies would often pay the ransom, try to keep things quiet and move on.
That started to change a few years ago. As malware became more sophisticated, cybercriminals began hacking into a company’s financial records to determine exactly how much money the company would likely be able to pay. Now ransoms often reach millions of dollars.
And other attack-related costs far outweigh the actual ransom. Even if a company pays and has its data restored, it still has to bring in experts to rebuild its systems and confirm they’re no longer compromised.
On top of that, an attack usually prompts a company to upgrade its cybersecurity defenses, another cost.
Sometimes it can be tough for an entity to know exactly how much cybersecurity it should install. Even though JBS is a big company, many experts wouldn’t have previously considered it to be an obvious target for a cyberattack.
While acknowledging in a June statement that it did pay the equivalent of $11 million in ransom, JBS said it was able to “quickly resolve” the issues resulting from the attack, thanks to its “cybersecurity protocols, redundant systems and encrypted backup servers,” adding that it spends $200 million annually on IT and employs more than 850 IT people around the world. The company didn’t immediately return an email seeking further comment for this story.
Even small companies should follow best practices that’ll lessen the chances of a cyberattack or the fallout from one, says David Cowen, managing director of US Cyber Security Services at professional-services company KPMG. And those practices can be as simple as making sure employees protect their access to systems with strong passwords and always use two-factor authentication.
The government can help, too, he says.
“Look at what happened with Colonial Pipeline,” Cowen said. “That group initially got paid but then they got tracked down and some of the money got returned. That’s what happens when the government gets involved.”
A recently introduced Senate bill would require critical infrastructure owners and operators, which would include companies like Colonial Pipeline, to report cyberattacks within three days.
In addition, nonprofits, businesses with more than 50 employees, and state and local governments would be required to notify the federal government within 24 hours if they make ransom payments.
Meanwhile, the Treasury Department says it’ll sanction cryptocurrency exchanges, insurance companies and financial institutions that facilitate ransomware payments. It also said it was taking action against virtual currency exchange SUEX OTC for allegedly facilitating ransomware payments. Officials for SUEX couldn’t be reached for comment.
Wisniewski, the cybersecurity researcher, says he likes the idea but questions how much good it’ll do if the government doesn’t take action against the countries behind the exchanges and financial institutions.
“Are we going to sanction China?” he asked. “I don’t think so.”