Ransomware Explained: How It Works and Why Cyberattacks Are on the Rise
Hospitals, schools, police departments and state and local governments have all been hit with ransomware attacks over the last year
Recent high-profile “ransomware” attacks on the world’s largest meat-packing company and the biggest U.S. fuel pipeline have underscored how gangs of extortionist hackers can disrupt the economy and put lives and livelihoods at risk.
Last year alone in the U.S., ransomware gangs hit more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.
The broadly disruptive hacks on Colonial Pipeline in the U.S. in May and Brazilian meat processor JBS SA this week have drawn close attention from the White House and other world leaders, along with heightened scrutiny of the foreign safe havens where cybercriminal mafias operate.
WHAT IS RANSOMWARE? HOW DOES IT WORK?
Ransomware scrambles the target organization’s data with encryption. The criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys for unlocking those files.
Ransomware crooks have also expanded into data-theft blackmail. Before triggering encryption, they quietly copy sensitive files and threaten to post them publicly unless they get their ransom payments. That can present problems even for companies that diligently back up their networks as a hedge against ransomware, since refusing to pay can incur costs far greater than the ransoms they might have negotiated.
WHO’S BEHIND THE RANSOMWARE ATTACKS AND HOW DO THEY OPERATE?
U.S. & World
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Though barely a blip three years ago, the syndicates have grown in sophistication and skill. They leverage dark web forums to organize and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments — and their laundering — harder to track.
Some top ransomware criminals fancy themselves software service professionals. They take pride in their “customer service,” providing “help desks” that assist paying victims in file decryption. And they tend to keep their word. They have brands to protect, after all.
The business is now highly specialized. An affiliate will identify, map out and infect targets using ransomware that is typically “rented” from a ransomware-as-a-service provider. The provider gets a cut of the payout; the affiliate normally takes more than three-quarters.
Other subcontractors may also get a slice. Those can include the authors of the malware used to break into victim networks and the people running so-called “bulletproof domains” behind which the ransomware gangs hide their “command-and-control” servers. Those servers manage the remote sowing of malware and data extraction ahead of activation, a stealthy process that can take weeks.
WHAT ARE SOME RECENT RANSOMEWARE ATTACKS?
An epidemic of ransomware attacks has prompted Biden administration officials to deemed them a national security threat. Hospitals, schools, police departments and state and local governments are regularly hit.
Other recent known targets include a Massachusetts ferry operator, San Diego’s Scripps Health system and the Washington, D.C., police department. New York’s Metropolitan Transportation Authority confirmed this week that its system was targeted by hackers in April, but there was no information was breached and the hack did not impact train or bus service, the agency said.
In March, Chicago-based CNA Financial Corp., among the largest insurance companies in the U.S., announced it was hit with a “sophisticated cyberattack” that disrupted the company’s employee and customer services for three days.
On Wednesday, Japanese conglomerate Fujifilm announced it was shutting down parts of its global network after falling victim to a suspected ransomware attack, TechCrunch reported. Ireland’s health department, the Health Service Executive, was also targeted in a ransomware attack last month.
WHAT IS THE AVERAGE RANSOMWARE PAYMENT?
Colonial Pipeline confirmed that it paid $4.4 million to the gang of hackers who broke into its computer systems last month and CNA reportedly paid $40 million to regain control of its network after a ransomware attack.
The FBI discourages paying ransoms, but a public-private task force including tech companies and U.S., British and Canadian crime agencies says it would be wrong to try to ban ransom payments altogether. That’s largely because “ransomware attackers continue to find sectors and elements of society that are woefully underprepared for this style of attack.”
The task force recognizes that paying up can be the only way for an afflicted business to avoid bankruptcy. Worse, the sophisticated cybercriminals often have done their research and know a victim’s cybersecurity insurance coverage limit. They’ve been known to mention it in negotiations.
That degree of criminal savvy helped drive average ransom payments to more than $310,000 last year, up 171% from 2019, according to Palo Alto Networks, a task force member.
WHAT CAN BE DONE TO HALT RANSOMWARE ATTACKS?
Previous attempts to put ransomware operators out of business by attacking their online infrastructure have amounted to internet whack-a-mole. The U.S. Cyber Command, Microsoft and cross-Atlantic police efforts with European partners have only been able to put a temporary dent in the problem.
In April, a public-private task force including Microsoft, Amazon the FBI and the Secret Service gave the White House an 81-page urgent action plan that said considerable progress could be possible in a year if a concerted diplomatic, legal and law enforcement cooperation is mounted with U.S. allies, who are also under withering attack.
The task force said ransomware actors need to be named and shamed and the governments that harbor them punished. It calls for mandatory disclosure of ransom payments and the creation of a federal “response fund” to provide financial assistance to victims in hopes that, in many cases, it will prevent them from paying ransoms.
It also calls for stricter regulation of cryptocurrency markets to make it more difficult for criminals to launder ransomware proceeds.
The founder of the Securities and Exchange Commission’s internet enforcement office warned Thursday that investors in bitcoin and other digital currencies are empowering online hackers.
“Ransomware is hitting everywhere and they’re all collecting it in bitcoin because there’s no way they’re going to get caught. So you’re also enabling it,” John Reed Stark, now head of an eponymous cybersecurity consultancy, told CNBC’s “Squawk on the Street.”
The task force also calls for something potentially controversial: amending the U.S. Computer Fraud and Abuse Act to let private industry actively block or limit online criminal activity, including of botnets, the networks of hijacked zombie computers that ransomware criminals use to sow infections.
Meanwhile, President Joe Biden signed an executive order in May meant to strengthen U.S. cybersecurity defenses, mostly in response to Russia’s hacking of federal agencies and interference in U.S. politics. But headline-grabbing ransomware attacks on private companies have started to dominate the cybersecurity conversation as Biden prepares for a June 16 summit with his Russian counterpart Vladimir Putin.
White House principal deputy press secretary Karine Jean-Pierre said this week that the ransom demand of JBS meat came from a “criminal organization likely based in Russia.” She said the White House “is engaging directly with the Russian government” and “delivering the message that responsible states do not harbor ransomware criminals.”
Associated Press reporter Matt O’Brien and NBC’s Danielle Abreu contributed to this report.