Have we reached peak ransomware? How the internet’s biggest security problem has grown and what happens next


By Danny Palmer | June 22, 2021 — 11:44 GMT (12:44 BST) | Topic: Security


Ransomware has become such a significant problem that now even leaders of the global superpowers are discussing these attacks at high-profile summits.

The cyberattacks – which involve criminals encrypting networks and demanding payments that can reach millions of dollars in exchange for the decryption key – were one of the key discussion points during the first face-to-face meeting of US President Joe Biden and Russian President Vladimir Putin.

Ransomware was on the agenda following several high-profile campaigns against US targets, which caused significant disruption.

Hard-to-trace payments

When organisations do pay the ransom, it’s paid in cryptocurrency – and there’s an argument that it’s helped cyber criminals easily make money from ransomware.

For criminals, getting the money out is the key thing and by using cryptocurrency like bitcoin, they’re able to do it in a way that’s difficult to trace – and crucially, avoids anything like a regular bank account that could be used to identify them.

“When it comes to cybercrime, monetization becomes really complicated. It’s always been sort of the bottleneck – you can get your hands on a bajillion credit-card numbers, but the part where you convert it, that’s where everything stops,” says Hultquist.

“Cryptocurrencies provided sort of a way around that because it allows them to move this cash freely around outside of regular systems and provided much easier monetization. It’s not necessarily the cryptocurrency that is fuelling this, the tremendous payouts are fuelling this. Cryptocurrency just makes the monetization easier,” he adds.

The Russian angle

And when ransomware attacks are this financially successful, they’ll keep happening – especially if cyber criminals are operating from countries where their governments turn a blind eye to their activities.

The consensus is that many of the most notorious ransomware gangs are operating from within Russia and that they’re allowed to make money from ransomware, so long as they focus their activities against the west.

“The Russian state and Russian criminal underworld are not the same thing, but there is an understanding between them, and the understanding is that, as far as the state’s concerned, Russians can make money in a way that suits them,” says Ciaran Martin, professor of practice at the University of Oxford’s Blavatnik School of Government – and former director of the NCSC.

Time for change?

Ransomware has been a problem for years – particularly with hospitals regularly falling victim to attacks during the peak of the coronavirus pandemic – but the attack against Colonial Pipeline has struck a particular chord.

The pipeline that provides almost half the gasoline supply to the north-eastern United States was shut down, and the consequences were obvious to all: this wasn’t just a business unable to operate without access to particular files, this was critical infrastructure that got shut down because of ransomware.

“There will be ‘before Colonial Pipeline’ and ‘after Colonial Pipeline’, it’s that much of a milestone in the way that the threat actor economy is going to work,” says DeGrippo. “It’s not a ransom of files any more, it’s a ransom of your existence. Ransoming the ability to get hot dogs and beer and gasoline is a whole different ballgame.”

The United States has a strong relationship with oil and gas, and that made the disruption caused by the Colonial Pipeline ransomware attack impossible for the Biden administration to ignore – and its response started with the Department of Justice seizing most of the bitcoin used to pay the ransom.

Even the operators of DarkSide ransomware-as-a-service attempted to distance themselves from the attack, claiming that “our goal is to make money, and not creating problems for society”. They even claim that they’ll establish additional checks and balances on their “partners” in future.

But now the ransomware gangs may have bitten off more than they can chew.

“They don’t want this much notoriety, they want to be recognised, they want people to pay – but I don’t think they necessarily want the US government on their trail – they probably took it a step too far. I’m sure the other ransomware gangs are pretty upset with them,” says Hultquist.

The threat from ransomware is still high – as evidenced by how Ireland’s healthcare service continued to suffer disruption weeks on from a Conti ransomware attack, which hit days after the Colonial Pipeline attack – but there’s a feeling that recent events could potentially be a turning point.

“There is at least a plausible case to be made that the past month has been strategically damaging for the criminals and that one hopes that we might – please note, the very careful language – that we might be able to look back at some point on this period as peak ransomware,” says Martin.

“Now that’s by no means certain yet, it’s not even likely yet, but governments are starting to see this can do real harm.”

However, in the immediate future, ransomware will remain effective as long as organisations are vulnerable to being hacked by cyber criminals, as demonstrated by how attacks have continued to cause disruption around the world.

But it is possible to build resilience to cyberattacks – including ransomware – and make it much harder for cyber criminals to compromise the network in the first place.


Much of this resilience can be built up by ensuring that cybersecurity hygiene procedures – such as installing security patches in a timely manner, preventing the use of simple passwords and using multi-factor authentication – are applied across the network. Because ransomware gangs are opportunists, making things more difficult for them decreases the likelihood of a successful attack.

“The sorts of things that are useful: having visibility on your network to be able to see if precursor activity is taking place, understanding where your assets and network are, and properly having that mapped and understood. These standard good processes will defend against ransomware,” says Fairford.

Regularly updating backups – and storing them offline – also provides another means of lessening the severity of ransomware attacks, because even in the event of the network being encrypted, it’s possible to restore it without paying cyber criminals, which cuts off their main means of income.

Nonetheless, the rise of double extortion attacks has added an extra layer of complexity to this issue because if the organisation doesn’t pay a ransom, they’re faced with the prospect of potentially sensitive information about employees and customers being leaked.

“Do you have a plan if your information starts leaking out?” says Hultquist. “Those pieces need to be in place now, not when it hits the fan.”

The fact that the US and other governments are talking about ransomware should also act as a catalyst for any organisation – that, for whatever reason, didn’t have any specific plans for preventing or protecting against a ransomware attack – to decide on their plans now.

Because even in the worst-case scenario, when the network has been encrypted with ransomware, having a set plan can help manage the incident and potentially make it less damaging.

“Companies must sit down with their executives and they must decide, ‘If we are a victim of ransomware, how much are we willing to pay, who on the board is going to be authorized to negotiate this, and what is our relationship with law enforcement going to be when it happens?’ Then every quarter, you revisit it and you ask, ‘Is this still our decision if we come under a ransomware attack, is this still our plan of action?’” says DeGrippo.

“If you haven’t made the decision on how you’re going to handle it yet, it’s not going to work out in your favour,” she adds.
