• Wed. Oct 27th, 2021

Special report: Ransomware gangs are extorting money like never before

ByAmeerah O'Connor

Jun 7, 2021
Special report: Ransomware gangs are extorting money like never before

The gangs are posing a threat to the infrastructure of modern civilisation, including the supply of food, energy and healthcare – Alexander Ryumin/TASS via Getty Images

The White House calls it a “rising national security threat”. The US Justice department has been instructed to treat it as seriously as terrorism. And President Joe Biden is to raise it with Vladimir Putin at a high-stake summit in Geneva next week.

Ransomware – cyber criminals forcing companies to pay millions for the return of stolen data – has reached heights of greed, audacity and reach unmatched in criminality since the heyday of Somali piracy.

Now, the gangs are posing such a threat to the infrastructure of modern civilisation, including the supply of food, energy and healthcare, that the director of the FBI has compared it to the 9/11 terror attacks.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Christopher Wray said in an interview with the Wall Street Journal this week.

Cyber security experts say attacks have mounted rapidly since 2019. Britain’s National Cyber Security Centre says its incident management operation handled more than three times as many ransomware incidents in 2020 as the year before.

And the events of the past few weeks have prompted alarm at the top of Western governments.

Screenshot made on Tuesday May 18, 2021 showing part of the ransom negotiation page on the darknet site of Conti, a Russian-speaking ransomware group, demanding $20 million from Ireland's publicly funded health care system -  AP

Screenshot made on Tuesday May 18, 2021 showing part of the ransom negotiation page on the darknet site of Conti, a Russian-speaking ransomware group, demanding $20 million from Ireland’s publicly funded health care system – AP

Since April, ransomware hackers have targeted Quanta Computer, a Taiwanese firm that supplies Apple; ExaGrid, a US firm that provides backup data storage (ironically, partly as insurance against a ransomware attacks); the Colonial fuel pipeline in the United States; Ireland’s healthcare system, which saw its systems frozen for a full week; and France’s Axa insurance group, which had days earlier said it would no longer offer coverage against such attacks because of a French government warning against paying ransoms.

The most recent attack, on May 30, saw the multinational meat supplier JBS forced it to shut down cattle slaughter in Australia and the United States.

Malicious programs that encrypt computers and force the owner to pay a fee to get their data back have been around for years. And from the programming point of view, little has changed.

“Ransomware is just malware – viruses and Trojans like we’ve known before. Nothing remarkable from a technology point of view,” said Charl van der Walt global head for security research at Orange Cyber Defence. “The innovation is in the crime part, not the cyber part.”

Mr van der Walt identifies three shifts that have contributed to today’s crisis. The first was the emergence of Bitcoin and other cryptocurrencies in 2012, which suddenly provided a secure way of monetising large sums without using international bank transfer and credit card systems that could easily be traced or shut down.

That fuelled the rise of what hackers call “big game hunting” – targeting major firms, freezing their entire data systems, and demanding hundreds of thousands or even millions of dollars in ransom.

Service stations in the eastern United States had to ration petrol after a ransomware attack led to to the Colonial Pipeline shutdown in May -  WILL OLIVER/ Shutterstock

Service stations in the eastern United States had to ration petrol after a ransomware attack led to to the Colonial Pipeline shutdown in May – WILL OLIVER/ Shutterstock

The second shift came around 2019, when a criminal group called Maze added a second threat: if payment was not prompt, they warned one victim, they would no only withhold the decryption key but leak hundreds of gigabytes of sensitive commercial data onto the internet.

This double extortion was designed to defeat companies who had conscientiously kept off-line back ups of their data, and it was a feature of all the recent high-profile attacks.

The hackers who targeted Ireland’s health system last month eventually handed over the decryption tool for free – but warned patient data would still be leaked if a cash settlement was forthcoming.

The third shift was the evolution of opportunistic criminality into a sophisticated industry employing multiple highly skilled specialists.

Again, the parallel with Somali piracy is striking, says Mr van der Walt.

A typical operation today will see an “operator” build code and infrastructure for an attack, then hire affiliates to carry it out in exchange for a share in the profits.

The affiliates in turn might turn to ‘initial access brokers’ – hackers who specialise in gaining access to the systems of potential targets and auctioning that access to the highest bidder. Others specialise in laundering the proceeds.

Paul Chichester, the NCSC director of operations, urges companies and individuals to make themselves hard targets. “It is vital that preventative measures are put in place, including additional security around sensitive data and up-to-date offline back-ups,” he said in a statement.

Others have urged a war on cryptocurrency that would emulate the crackdown on payments via the international banking system which destroyed the Russia-based Viagra-spamming empires in the late 2000s.

Paul Weaver, a security researcher at International Computer Science Institute in Berkeley, argued in a blog last month that such payment interdiction also proved effective against an earlier ransomware epidemic in 2012 and 2013.

The British government officially takes a take a strong line against paying cyber ransoms. There is evidence that could eventually defeat the market, but others are sceptical.

Experience of dealing with real life kidnappers suggests payments will occur under the table even if officially banned when victims have no other choice.

But in the end it is a diplomatic problem.

Almost all the prominent groups involved in the recent surge of attacks are run by native Russian speakers and based in the former Soviet Union. The other major source of ransomware activity is North Korea, but Russian speakers have dominated the recent wave of large scale attacks.

Mr Biden has been careful to say there was no evidence the Russia government was behind the recent spate of attacks.

But many Western cyber security experts and officials assume the gangs enjoy some level of protection – or at least indifference – from the Russian state. And Mr Biden is expected to raise the issue directly with Vladimir Putin at their summit in Geneva on June 16.

Leave a Reply

Your email address will not be published. Required fields are marked *