Rise of ransomware: a multibillion pound industry where no-one is safe

If cybercrime was a country, it would be the world’s third-largest in terms of GDP, just after the US and China. This year, the total cost to the global economy is predicted to top $6 trillion (£4 trillion).

Turbocharging this fast growing crime economy is a method of hacking and extortion known as ransomware.

You may have come across ransomware in the news when large companies are held virtual hostage, leading to headlines like: ‘Gas stations from Florida to Virginia closed as US national pipeline hacked’ or ‘Cyber attack shuts down 20% of all US beef production’.

But the reality is these attacks are happening multiple times a week, to companies and persons large and small – and they’re not going away any time soon.

It’s the type of target, too, that has raised the alarm for many politicians and government officials.

Critical businesses, like hospitals and energy infrastructure, are ripe pickings for cybercriminals that have only a ransom payment in mind.

‘Their intention is to make as much money as possible,’ says Zeki Turedi, chief technical officer for Europe for cyber protection firm CrowdStrike.

‘The types of organisations they’re going to be targeting are the organisations where it’s very critical for them to keep operating, and they’re likely to pay the ransom to keep their businesses up and running.’

But it’s not just big business that’s in the cybercriminals’ crosshairs – for hackers that trade in private and confidential data, there’s not much that’s off limits when it comes to chasing a ransom.

Colonial Pipeline, whose refineries are pictured above, was the target of a vast ransomware attack that disrupted oil supplies in the US for days (Picture: Getty)

‘The attackers don’t care,’ says Kevin Breen of Immersive Labs, a cybersecurity company that helps firms prepare for ransomware attacks.

‘We’ve seen them go after medical records, we’ve seen them go get patient files, and threaten to release this all in an effort to try and harass an organisation into paying.’

Though ransomware hits have become more frequent in recent years, it was the pandemic and the switch to homeworking that galvanized attacks.

‘A lot of the weaknesses that we knew about pre-Covid presented opportunities during [the pandemic] that we saw exploited,’ says Eleanor Fairford, deputy director for incident management at the National Cyber Security Centre.

‘For instance, NCSC flagged vulnerabilities in some virtual private networks (VPNs) in threat advisories over the past few years.  

‘A lot of VPNs were then put to use during COVID, with the expansion of technology to support remote working, and those exact vulnerabilities were exploited.’

As cybercriminals realised the amounts of money that could be made from the pandemic chaos, groups involved in other forms of online crime changed tack.

Online fraudsters, banking Trojans (programs designed to get inside banks) and identity thieves all pivoted to focus on ransomware, a 21st century gold rush to steal data and make a profit.

The global cost of ransomware could be as much as £120 billion, and no less than £30 billion, according to cybersecurity company Emsisoft. But because companies are sheepish about admitting whether they were hacked or whether they paid a ransom, it’s impossible to know the true cost.

The FBI said last year saw nearly 2,400 US companies, local governments, healthcare facilities and schools suffer ransomware attacks. Internet security company SonicWall counted 304.5 million ransomware attacks in total in 2020 – and the deluge of attacks shows no signs of slowing down.

Tom Pelham, head of cyber and data risk at law firm Kennedys, said his team saw a 200% increase in clients seeking legal advice for ransomware attacks last year.

‘We are seeing almost exponential growth in terms of ransomware activity,’ says Pelham.

Cyber security experts like Turedi and Breen, who are at the digital coalface of the ransomware crisis, are also seeing just how organised and prolific ransomware attackers have become.

‘We’re seeing brand new vulnerabilities that can be extremely detrimental and damaging to a business every single week,’ says Zeki Turedi.

‘What ransomware is today is not what ransomware looked like five years ago. It is actually very different to what it looked like even a year ago,’ says Turedi.

To understand the lay of the current ransomware land, you have to go back.

The rise of ransomware

The most successful ransomware hackers now work in groups (Picture: Emily Manley/Metro.co.uk)

The first ransomware scammers operated what was called ‘scareware’ – they would infect unwitting users through a mistaken download and then flash up a screen with a warning about a potential infection or locked files.

Victims’ computers were often virus-free and still able to access their files, but scared targets would accept the warning and cough up the money to the scammers regardless.

Though this method worked with some inexperienced computer users, it was a ruse that was easy to see through by a company working with a cybersecurity professional – so the scammers upped their game.

‘They’re still using very similar scare tactics, but they needed a way to force people to pay,’ says Kevin Breen of Immersive Labs.

‘That’s when the first real kind of cryptographic ransomware came into play,’ says Breen, referring to the process of ‘encrypting’ a user’s files with secret codes that required a master key to unlock.

‘They would encrypt your files, or delete your files or steal your files and say, “Hey, if you want your data back, you have to pay,” which then puts more force on to the user because it’s like, well, now I have no choice. I can’t just ignore it, I can’t just format my computer, I have to get that data back.’

And once the scammers have control of your data, they can demand money in another way – a ‘double extortion’.

For companies that have secure copies of their files, not having access to one version isn’t the end of the world. But hackers can then threaten to leak the data to the public if they don’t receive their fee, a disaster for a privacy-focused outfit like a bank or hospital.

Some ransomware attacks became so routine that the most successful and talented hackers began offering their products to other less experienced criminals.

A picture of the WannaCry attack, a ransomware attack in 2017 that hit 40 NHS organisations in England (Picture: WebRoot/BBC)

Ransomware as a service, or RaaS, supercharged the volume of ransomware attacks by letting novice cybercriminals pay for a subscription to software that encrypts and extracts ransom from companies almost automatically.

‘What that really opened up was the ability for the organised crime syndicates to get into ransomware,’ says Pelham of Kennedys.

‘If you wanted to do that before, you had to have your own in-house hacker capability.

‘But the ransomware as a service model totally changed the dynamic. If you were an organised crime group, you could go out and buy or loan the malware to then launch your own ransomware attacks.’

The criminal syndicates offering these subscription services grew larger and more diverse, advertising openly on websites on the dark web.

Such was their level of success, and their sense of legal impunity, that they felt free to document their hacking exploits in detail for all to see. The openness of their crimes would be a taunt to foreign police who struggled to find the true culprits, often hidden behind countless digital veils.

‘Some criminal organisations also have different teams,’ says Turedi of CrowdStrike.

‘They’ll have one team who’s more the professionals, that have been there for a while, and they’ll be working on the larger organisations where they’ll make maybe several million dollars out of a target.

‘Then the more junior cyber hackers will be working on smaller organisations until they’ve got a bit more maturity in them.’

The scale and level of sophistication of some ransomware outfits has concerned politicians and security officials on both sides of the Atlantic.

Last week, US president Joe Biden warned Russian president Vladimir Putin that if Russia didn’t crack down on many of the suspected ransomware hackers in his country, then the US would retaliate.

This warning was echoed by the head of the UK’s National Cyber Security Centre, Lindy Cameron, who said last month that the UK’s ransomware threat was escalating and becoming increasingly professionalised.

‘For the vast majority of UK citizens and businesses… the primary key threat is not state actors but cybercriminals,’ said Cameron.

As working on the internet became routine, so did the act of holding a victim’s data hostage. Just as the world of real-world hostage taking spurred an economy of hostages, hostage-takers and negotiators, so has the act of digital hostage-taking.

‘The best way to explain [ransomware] is it’s just like a regular company: they all have their responsibilities, they all have their key objectives, and they’re all working together like a very, very well-oiled machine,’ says Turedi.

Preparation is key

Having a plan of action can help to mitigate the worst effects of a ransomware attack (Picture: Getty)

Most cybersecurity professionals agree that having a plan in place is the best bet at thwarting attackers.

A successful ransomware attack will likely be on a victim who is unprepared. Having no back-up plan to access data that’s been held hostage makes many businesses panic and pay a ransom for even a slim chance at restoring access.

A plan ‘means having things like offline backups sorted out, but it also means understanding what data you’re holding,’ says the NCSC’s Eleanor Fairford.

‘You need to know what it would mean if your data was accessed and made publicly available – reinforcing the need for good data protection.’

Pelham, of Kennedys, says that alongside ‘having backups that are clean, segregated and incapable of further infection by the threat actors’, minimising the total data that companies keep stored can also help reduce the potential threat from ransomware attackers.

But the most successful ransomware outfits will often scope out a target for weeks or months before acting, making it as difficult as possible for their victims to do anything but pay the ransom.

‘What they do is very effective,’ says Immersive Labs’ Kevin Breen.

‘They come in, they’re stealthy, they’re hidden, they destroy data, they destroy backups. They have such an impact on the business that you have very little choice in a lot of cases other than to pay.’

But planning for an inevitable ransomware attack can still mitigate the worst effects of a hack.

‘If you have a really good robust strategy to respond to a threat to the point where you can mitigate against the attackers, then there’s no incentive for them to continue,’ says Breen.

Turedi adds: ‘We have to make their life really hard.’

‘If we have the best of the right security and our [computers] are patched as often as possible, it then becomes really hard for these threat actors to get into organisations.’

Still, thousands of businesses each year that are targeted with an attack don’t have a backup plan. This often leaves them with one of two options: pay or don’t pay the ransom.

Should you pay the ransom?

An image of the 2017 WannaCry attack that widely affected NHS England (Picture: Getty)

If you talk to a lot of cybersecurity experts, the general advice is that paying ransoms only encourages hackers to keep making attacks. But if you run a business whose livelihood can be endangered by not paying, the calculus becomes more complicated.

‘The reality is that many of the companies that are hit by ransomware face total business loss overnight,’ says Tom Pelham of Kennedys.

‘They sometimes have very little choice but to engage with the threat actor, and the only other option they have is to close doors and cease trading – it’s more of a nuanced issue.’

From a legal perspective, Pelham adds, companies have to consider the sanctions risks. Some governments impose sanctions on certain criminal hacker groups, leading to penalties for doing business with them.

However, the bigger practical issue for clients is whether their reputations might be damaged by paying the ransom.

Immersive Labs’ Kevin Breen adds: ‘From a moral, ethical point of view, the default is to say no. But when you actually put that into practical terms, it’s not so black and white.’

Though the payment of ransom sometimes seems unavoidable for businesses (as the hackers will have planned), it almost certainly contributes to more attacks.

‘Clearly, paying the ransom involves paying criminals and thereby potentially perpetuating the ransomware market,’ says the NCSC’s Eleanor Fairford.

‘The UK government does not support paying criminals or exacerbating the [criminal market]. It’s also worth saying that even if you pay the ransom, you still might not get the decryption key or get your systems back online any quicker.’

While paying the ransom might seem like the end of the road for many businesses, it’s often just the beginning.

When Colonial Pipeline was hacked earlier this year, causing vast oil shortages, it paid hackers roughly $5 million in bitcoin ransom. The US Justice Department later recovered $2.3 million of the paid ransom (Picture: Getty)

‘We have to remember that paying the ransom is not the end game,’ says Zeki Turedi.

‘It’s not over, you still had a foreign actor in your organisation and they did a lot of stuff when they were there.

‘Unfortunately, in the criminal world, when they see someone who has paid the ransom, they look like an easy target for someone else to go in and do the exact same thing again.

‘Their core modus operandi is to try and make as much money as possible. So if more people are stopped paying the ransom it will make this not as lucrative for these criminal actors.’

But rather than penalising companies or trying to discourage them from paying ransoms, as an edict issued by the US Justice Department does, it makes more sense to provide alternatives for companies in sticky situations, argues Fairford.

‘We need to do everything we can to bear down on the payment of ransoms and make it as easy as possible not to pay for it by looking at alternatives to help victims recover.’

The seemingly unavoidable act of paying ransoms is just one of the problems that makes ransomware an exceedingly difficult problem to solve.

What will it take for ransomware to stop?

Even if the police or a security agency can track down the physical location of the hackers the ransom was paid to, arrests are tricky.

‘Ransomware activity is geographically and spatially dispersed over the globe,’ says Edward LeGassick, a Cyber Claims Handler with Kennedys.

‘As soon as policing becomes involved in terms of tracking and finding these threat actors, it becomes quite complex, because we’re talking about people who might be in one country and moving money via another country with a victim in a third country.’

One potential solution, though it would require huge international cooperation, would be allowing law enforcement to cross international borders and treating the hackers as organised crime.

‘If law enforcement has that kind of reach, then we can shut those gangs down and force them into smaller units, which then become less effective over time,’ says Kevin Breen.

Another tactic that has been floated by legal and security authorities is clamping down on cryptocurrency. Ransoms are almost exclusively paid in cryptocurrency, due to its anonymous nature.

The surge in value of many cryptocurrencies over the pandemic has been a boon for many criminal syndicates, which have made large profits from their cryptocurrency holdings, giving them more capital to invest in ransomware technologies.

Bitcoin, a digital form of money known as cryptocurrency, is a favourite payment method for ransomware hackers (Picture: Getty)

But some professionals have argued that cracking down on cryptocurrency won’t solve the problem.

‘Cryptocurrency is not the cause of ransomware incidents,’ says Tom Pelham.

‘The cause of ransomware is the fact that threat actors are able to exploit vulnerabilities within a system or pieces of software.’

Pelham adds: ‘This style of ransom tactic has occurred for centuries.

‘It’s exactly the same as what happens with piracy on the oceans. “We’ll take something of yours. If you want it back, you give us money.” Piracy existed a long time before cryptocurrency.’

Criminal groups have invented ways to launder and anonymously siphon money over decades: ‘If cryptocurrency wasn’t here, there’d be something else,’ adds CrowdStrike’s Zeki Turedi.

Without an unprecedented global effort to crack down on these groups, or an unlikely move away from an online world, it’s likely that ransomware attacks will continue to proliferate.

One promising avenue is the Ransomware Task Force (RTF), a US-led, global coalition of technology companies and law enforcement bodies that has called for ‘aggressive and urgent’ action.

Organisations that have joined up include the FBI and the UK’s National Cyber Security Centre, as well as tech giants like Microsoft and Amazon.

In May, the RTF presented government with a list of nearly 50 recommendations to help reduce the volume and severity of ransomware attacks.

The EU has also announced its own Joint Cyber Unit to tackle large scale cyber attacks as they occur.

There are some early signs of success – payment websites belonging to one of the biggest ransomware-as-a-service groups, REvil, went offline this week. Though cybersecurity experts don’t know exactly why, some suspect it might be the work of US or UK authorities.

But before these efforts kick into gear on a large scale, nearly every person and business using the internet is vulnerable.

‘The reality is that if you’re a business that’s making money and has money sat in your bank, the criminal actor group wants to get access to it,’ says Turedi.

‘It doesn’t matter how much is in that bank account, they still see you as a victim and an opportunity to try and make some money.’

