Ransomware just got real.
This costly nuisance has been around for decades, but never before has it done such high-profile harm to the nation’s critical industries. Since early May, ransomware gangs have disabled a major fuel pipeline, shut down a key producer of the nation’s meat supply, and even affected the ferries that serve Nantucket and Martha’s Vineyard.
The attacks showed how key sectors of the US economy can be crippled by a few lines of toxic computer code, planted by criminals thousands of miles away. Because our most vital utilities, like electricity, gas, and water, are also connected to the Internet, the next attack could be even more devastating.
“Since the beginning of April, we’ve seen an average of a thousand organizations impacted by ransomware every single week,” said Mark Ostrowski, head of engineering for the US East Coast at the cybersecurity firm Check Point Software. That’s about twice the rate of attacks seen last year. And those are just the cases Ostrowski knows about.
Since victims aren’t obligated to report such attacks, the problem may well be far worse. And there’s no easy fix.
In a ransomware attack, hackers use malware to lock up a target’s critical files and then demand payment to release them. There are obvious technical safeguards, but they run up against human nature.
People will always forget to install the latest software security patches, or they’ll be tricked into activating infected files. It takes only one such error to take down an entire corporate network. “These kinds of belt-and-suspenders activities are not being done,” said John Shier, senior security adviser for data security company Sophos.
“We can’t legislate our way out of this, and we can’t just throw technology at it,” said Shier.
Instead, Shier and other industry analysts say, the United States must deploy a complex array of legal, technical, and even diplomatic tools to crack down on the ransomware gangs. Kellen Dwyer, a former deputy assistant US attorney general, calls for more aggressive prosecution of cyber criminals.
Even those based in countries such as Russia, which turn a blind eye to attacks on foreign targets, can be arrested once they set foot outside that country, Dwyer said. The United States should also apply tough economic sanctions against any country that provides a safe haven to ransomware criminals, Dwyer added. The goal is to convince those countries that shielding hackers isn’t worth the hassle.
The government could force US companies to report all ransomware attacks, so federal agencies can more accurately monitor the threat. “There is no federal law which requires companies that are victims of a computer breach to report that,” said Dwyer, “and that’s a major, major problem.” Dwyer also suggests requiring companies to report when they actually pay a ransom.
This stops well short of a more controversial idea — a federal ban on all ransom payments. This would take the profit out of ransomware, but Jen Ellis, vice president of community and public affairs at Boston-based data security firm Rapid7, warned that it would pose a massive risk.
If a hospital were attacked, such a ban could jeopardize patients’ lives. If the law made an exception for hospitals, they’d soon become prime ransomware targets.
These days, ransomware gangs demand payment in digital currencies like Bitcoin, because they’re outside the traditional banking systems and hard to trace.
A task force report from the Institute for Security and Technology says that Bitcoin and other digital currencies ought to comply with the same regulatory standards as traditional currencies. That would make these currencies far less attractive to criminals, but also to many law-abiding users who value the privacy that digital currencies provide.
Taken together, these reforms could take a bite out of digital crime, but implementing them all will be a long, hard slog.
“It’s going to have to be a really thoughtful process of looking where both technology and the law can come together,” said Shier.
There’s nothing new about ransomware. The first known example was unleashed in the United Kingdom in 1989 by Joseph Popp, a Harvard-trained evolutionary biologist, and distributed on pre-Internet floppy disks. But Popp never did hard time; a British court ruled that he was mentally ill.
Alas, today’s ransomware criminals know exactly what they’re doing. Ransomware gangs seek out computers running insecure software that can be easily infected. Or they send out floods of email messages with attachments that infect the recipient’s computer if they’re opened.
Once they’ve penetrated a target, the attackers use encryption software to lock down data on the network, making it unusable. They then demand hundreds, thousands, or millions of dollars for a digital key that restores access to the data.
Companies can protect themselves by making frequent backups of their data, but many ransomware gangs also steal sensitive files and vow to release this data unless they’re paid — a tactic called “double extortion.”
Ellis, of Rapid7, estimates that ransomware gangs collected about $350 million in ransoms last year. But that’s a fraction of the economic damage they cause. There’s also the money businesses lose when they’re forced to shut down, as well as the large sums they must spend on cleaning up their infected computer networks.
While many ransomware attacks are random hits on targets of opportunity, a growing number seem to be deliberately aimed at highly vulnerable organizations.
For example, said Ellis, the COVID-19 crisis saw a sharp uptick in attacks on hospitals and other health care businesses, which couldn’t afford to go offline. “I think we are fighting two pandemics at the moment,” said Ellis, “and one has arguably exacerbated the other.”