Not long ago, the most prevalent type of cybercrime was the theft of personal data or intellectual property, mostly the stealing of industrial designs. This is changing rapidly, however, and there is no better example of this than the explosion of ransomware.
Ransomware – a cyberattack in which attackers hijack computer systems and demand payment to release them – has skyrocketed from a relative rarity a few years ago to the single biggest type of cybercrime today. And there is no end in sight to its growth trajectory. Last year, 2,354 American government entities, healthcare organizations and schools were the victims of ransomware attacks. The average ransomware payout swelled to $178,000 in the first half of 2020, up from $112,000 a year ago, according to ransomware incident response firm Coveware, and few clandestine culprits were caught.
The picture keeps darkening as the most lucrative potential victims are increasingly targeted and as companies and some towns and cities have become more inclined to pay ransoms. Criminals, meanwhile, have turned to new and more powerful forms of encryption and more ingenious ways of injecting the code into computer networks – all while continuing to cloak their identities and whereabouts via clever digital diversions.
The COVID-19 pandemic makes things even worse because it has resulted in a shortage of digital pros on-hand to back up data – currently the single best way most organizations can protect themselves from a ransomware attack. “Ransomware victims have been hit by a perfect storm,” says Karim Hijazi, the founder and CEO of Prevailion, a Maryland-based cyber intelligence company that protects organizations by providing insight into real-time threats.
For the first time last year, Hijazi adds, hackers spend time analyzing exactly which organizations they wanted to attack. “They developed victim pipelines,” Hijazi says. “Very few attacks were random.”
Cities, as well as many corporate victims, underscore the point. For a while, small cities and towns, not big cities, were attacked. The thinking was that they were less resource-rich and so more likely to pay a ransom than fix the problem themselves. Fast-forward to 2018, and that started changing. Atlanta became the victim of a huge ransomware attack, and that was followed in 2019 by successful attacks against Baltimore and New Orleans.
So far, big cities, unlike most ransomware victims, are loath to pay the ransom. While this sets a good if atypical example, it has been extremely expensive, respectively costing Atlanta, Baltimore and New Orleans $2.7 million, $18 million and $7 million to fix things. (New Orleans mitigated the damage via a $3 million cyber insurance policy purchased before the incident.)
Somewhat surprisingly, ransomware attacks temporarily slowed roughly two years ago and dropped from local headlines. But that turned out to be a fluke. In hindsight, the consensus is that hackers had decided to slow down to carefully pursue targets most likely to know how Bitcoin works. (The cryptocurrency is typically used for payment because it helps anonymize transactions to prevent hacker tracking). As it turned out, most organizations knew how to use Bitcoin or at least how to learn about it quickly.
What the episode illustrates, among other things, is that ransomware hackers tend to be strategic, as well as technically proficient. Many of these hackers are based in Russia and Eastern Europe, and they have come a long way since they entered the picture between 2005 and 2009. The attacks made strides but were hamstrung by the lack of a reliable way to collect money from victims – at the time, mostly through text messages.
The arrival of Bitcoin later speeded their progress, as, too, did the arrival of CrypoLocker, which used public and private cryptographic keys to lock and unlock a victim’s files.
The most momentous leap of all occurred in 2017, when ransomware grabbed the spotlight amid the outbreak of two global WannaCry attacks that shut down hospitals in Ukraine and radio stations in California. Shortly afterward, the data in 250,000 computers in scores of countries running Microsoft Windows were encrypted by hackers and ransom demanded.
The latest iteration is ransomware-as-a-service, a new business model for ransomware developers. Like software-as-a-service, ransomware developers sell or lease their ransomware variants affiliates via social media and other open sources and use them to orchestrate an attack.
The FBI and many pundits have said repeatedly that ransomware victims should pay ransoms only as a last resort. They note, correctly, that ransomware flourishes because hackers know that victims will foot the ransom tab. But this advice is unrealistic – at least at this time – because the alternative for victims is to pay much more to restore data and computer systems, or, in some extreme cases, flatly go out of business.
In addition, corporate executives don’t like to show up in the news for the wrong reasons. And sometimes, a ransomware attack can be a matter of life and death. Hospitals, for instance, often face this issue.
At this juncture, an obvious question is this: Just what can organizations do to help mitigate ransomware attacks?
Because ransomware attacks are launched via emails that dupe employees into clocking on a malware link or opening an attachment, better employee security training is imperative, including in the habit of right-clicking on email attachments to scan for malware before opening them.
The embrace of more sophisticated technology would also be helpful. When the help of appropriate vendors, so-called canary files, or fake documents, can be deployed in various computer systems directories and monitored for inappropriate changes. When such files are altered or deleted, it triggers a warning that may better contain an attack.
There are other safety techniques offered by vendors. Most ransomware attacks are preceded by a digital “spy” that checks out the vulnerability of a potentially lucrative network and then flags a ransomware attack if deemed enticing. Some vendor technology can spot the spy as soon as it communicates with the hacker and immediately stop an attack.
Over time, different organizations will adopt different protective strategies and technologies. What is important is that they analyze the defensive prospects in the market to enhance their protection. Setting digital traps, among other things, is a good idea if effective.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.