Deepita Nagdev

Ransomware Attacks: A dramatic surge


Figure 1. A hacker/cyber-criminal demanding a ransom payment in exchange for decryption keys. Source: Pexels.


Understanding the terminology - Ransomware Attacks


As the world slowly drifted into a work-from-home environment due to the COVID-19 pandemic, ransomware attacks, among many other cybersecurity issues, have taken over the headlines and are increasing dramatically in 2021.


According to the US Government Cybersecurity and Infrastructure Assurance Agency (CISA), ransomware is defined as an “ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors or cyber-security criminals then demand for ransom to be paid in exchange for decryption.” Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. These ransomware hackers gain access to an organisation's systems, exploit their weaknesses and hold company data hostage. This often results in the organisation being locked out of its own systems, leaving the company with no choice but to pay up to tens of millions of dollars (usually in cryptocurrency) as its only route to regain access and prevent information from being leaked. According to the Harvard Business Review, these attacks were up 150% and the amount paid by victims rocketed over 300% over the past year.


Figure 2. Graphical representation of the damage cost (in percentage) of ransomware attacks. Source: Google.


How have ransomware attacks evolved?


Previously, most ransomware attacks involved only the deployment of ransomware. When an unsuspecting employee clicked on a link in a phishing email, the attackers would gain access, deploy malware and encrypt company servers. The decryption keys would then be offered to the victim in exchange for a ransom in bitcoin or another cryptocurrency, typically in five or six figures.


More recently, this position has undergone a drastic evolution. Perpetrators of ransomware attacks now see it as a massive source of business, with the ransom demand growing to high seven-figure ranges in 2020 and reaching into tens of millions of dollars at the onset of 2021.


Along with the outrageous and soaring demands, there has been a change in methodology. For instance, these highly organised cybercriminals located in Eastern Europe, Russia and elsewhere have complete knowledge and understanding of the company’s financial standing, the industry it operates in, and how exactly to exploit the company to the fullest extent. These threat actors follow up with a “pay up or else” ultimatum, which leaves the company hanging between two options: pay a massive ransom, or have sensitive and valuable information exposed to the wider public.


Figure 3. A Russian-based cyber-criminal organisation called “DarkSide”, which was behind the attack against Colonial Oil Pipeline. Source: Google.


Recent ransomware attacks making the news headlines - under the spotlight.

Over the past few months, several high-profile ransomware attacks have been perpetrated against major critical infrastructure organisations, including the breach of Colonial Oil Pipeline, which serves the Eastern United States, in late April. This attack had the most substantial impact, as noted by Joe Giordano, Director of the Touro College Illinois Cybersecurity Program, because “the pipeline is a crucial part of the national critical infrastructural system and taking the system down disrupted gas supplies across the East Coast of United States, causing panic and chaos.” The gang “DarkSide”, a Russian-based criminal organisation, is said to be behind this attack, which targeted the firm's billing system and internal business network, leading to widespread shortages in multiple states. The consequences of this attack were quite dangerous as panic set in and consumers started to ignore safety precautions. To prevent further disruption, Colonial Pipeline eventually succumbed to the demands of the gang and paid USD 4.4 million in bitcoin. Government officials later confirmed that Colonial Pipeline's cybersecurity measures were effective and up to date, and that the attack may have been prevented with stronger protection in place.


Another high-profile ransomware attack was perpetrated this May on JBS Foods, the world’s largest meatpacker. The attack caused a shortage of domestic beef supply, panic buying by consumers and the halting of cattle slaughtering at all US plants, ultimately threatening to disrupt food supply chains and further inflate already high food prices. It caused the disruption and shutdown of the company's North American, Canadian and Australian operations, with JBS USA paying a ransom demand of USD 11 million, said to be the largest ransomware payment of all time. The CEO of JBS USA stated that “this decision was made with the utmost difficulty; however, it had to be made to avoid potential risk for their customers.” As a consequence of these attacks, the crippling of key infrastructure and business organisations is now posing a serious threat to national security.



Figure 4. The FBI J. Edgar Hoover Building. Source: Unsplash.


The role of the US Justice Department and law enforcement.


The US Department of Justice (DOJ) is now giving ransomware attacks a priority similar to that of terrorism and elevating investigations, in light of the Colonial Pipeline hack and the ever-increasing damage caused by such attacks. John Carlin, principal associate deputy attorney general at the Justice Department, said that “a specialised process of centrally coordinating information about ransomware investigations with a recently created task force in Washington would ensure the tracking of all ransomware cases in the country. This would help make connections between threat actors and subsequently disrupt the entire chain.” He also stated that “this model has been used around terrorism but never in the field of ransomware.” Legal experts say that this process has been commonly reserved for a brief list of topics, including national security cases. Mark Califano, a former US attorney and cybercrime expert, said that “heightened reporting would allow DOJ to allocate resources more effectively and identify common exploits used by cybercriminals.” The decision to integrate ransomware into this special process demonstrates the efforts taken by the Justice Department to prioritise the ransomware issue.


Regarding the Colonial Pipeline case, it was noted that US law enforcement, the FBI and the Justice Department were able to trace and recover much of the USD 4.4 million ransom payment. However, Deputy Attorney General Lisa Monaco said that recovery cannot be guaranteed in every instance, since the FBI’s resources are limited and cannot be utilised for every ransomware attack given their large number. Colonial Pipeline was an exception due to its very high profile.



Figure 5. Representation of JBS plants shut down across the US. Source: Google.


Have Bitcoin and cryptocurrency fuelled ransomware attacks?


The invention, rise and worldwide use of Bitcoin and other cryptocurrencies is seen as a fast and easy method for payments and transactions. Moreover, because they are pseudonymous and hard to trace, they have become an almost perfect solution for ransomware hackers.


Yonatan Striem-Amit, a co-founder of Cybereason (a Boston-based company offering protection from hackers), stated that “it is now possible to move millions of dollars’ worth of cryptocurrency across national boundaries within seconds.” This can be seen as a very powerful instrument in the hands of cybercriminals for money laundering and for transferring currency from one state to another, especially in a manner that is untraceable and uncontrollable. Cryptocurrencies are not even regulated in some jurisdictions, and in a country like the US it can be difficult to track transactions depending on which exchanges criminals use. Companies are willingly buying and keeping stocks of bitcoin available in case they are confronted with a ransomware attack. There has been some talk of regulating cryptocurrencies by the Biden administration and members of Congress, but serious action is yet to be implemented. Therefore, this aspect can definitely be seen as a fuelling agent for hackers to increase the already alarming number of attacks seen presently, and it will only get worse from here.

