Decrypting ransomware: Weapons-grade or casual attacks?
By Arghyadeep on Jun 04, 2021 | 05:34 AM IST
Over the last few months, a surge of cyber attacks — which started with dozens of government agencies, then hit Florida’s water supply, a major gas pipeline, and now one of the world’s top meat suppliers — is disrupting products and services that are key to everyday life.
What often begins with an employee inviting the hackers into the system by clicking a seemingly harmless link in an email brings multibillion-dollar businesses to their knees, fuels geopolitical tensions and sends ripple effects throughout the global economy.
Most of the attacks have used ransomware, a malicious tool that lets hackers access computer systems and lock them until they get paid.
While ransomware has maintained prominence as one of the biggest threats since 2005, the first attack can be traced back to 1989, when cyber criminals attacked the computer system of Becker’s Hospital Review.
But recently, the growing trend of cyberattacks on critical infrastructure and business operations has made the attacks more lucrative for the hackers and more devastating for the victims. And with the rise of remote work during the pandemic, it is getting much easier for bad actors to find vulnerabilities and get into the secure networks of these establishments.
In April, the U.S. Department of Justice formed a task force to deal with ransomware attacks and declared 2020 the “worst year ever” for extortion-related cybercrimes.
Global ransomware attacks have increased 102% this year compared to the beginning of 2020, according to a report from cybersecurity firm Check Point Software, which doesn’t even factor in the most recent attacks, including those on Martha’s Vineyard, Cape Cod and Nantucket.
Many think cyberattacks steal sensitive data, but ransomware attacks have the potential to create mayhem in people’s lives, leading to product shortages, higher prices, and disruption in many other ways. The greater the turmoil, the greater the probability that companies will pay to get rid of the situation.
“If you’re a ransomware actor, your goal is to inflict as much pain as possible to compel these companies to pay you,” Katell Thielemann, Gartner’s vice president analyst for security and risk management, told CNN. “This is beyond cybersecurity only, this is now a cyber-physical event where actual, physical-world processes get halted. When you can target companies in those environments, clearly, that’s where the most pain is felt because that’s where they make money.”
According to the U.S. government, multiple recent ransomware attacks have originated from Russia.
On Wednesday, the Federal Bureau of Investigation linked the ransomware attack on meat supplier JBS to a Russian cybercriminal group called REvil, which also tried to extort Apple supplier Quanta Computer earlier this year.
REvil is similar to another cybercriminal group, DarkSide, responsible for the Colonial Pipeline ransomware attack last month.
According to experts, these groups operate “ransomware-as-a-service” businesses, often employ cyber engineers to develop malicious software to help others execute cyberattacks, take a cut of the profits, and carry out their own attacks. Cybersecurity experts say Russian law enforcement leaves such groups to operate within the country if they target elsewhere because they bring money into the country.
JBS has not confirmed if it has paid any ransom to the attackers, but Colonial Pipeline’s CEO admitted to paying $4.4 million in ransom to resume operations.
Though experts advise not to pay ransoms to avoid funding the criminal groups, companies sometimes have little to no option to get back up and running.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed 16 “critical infrastructure sectors,” including energy, healthcare, financial services, water, transportation, food, and agriculture, any of which could have a “debilitating effect” on the U.S. economy and security if compromised. However, most of this infrastructure is aging, and its cyber defenses haven’t evolved with time.
To make matters worse, many companies in those industries haven’t historically thought of themselves as tech companies, meaning their systems may be less sophisticated and easier to compromise, Mark Ostrowski, head of engineering at Check Point, told CNN.
“So hospitals, their business is to save lives; meat and poultry is to produce goods and services; pipelines are to create gas exchange or oil exchange,” he said. “Those certain industries also may be targeted because maybe they’re behind in their [software] patching, maybe their cyber program is not quite what it needs to be.”
As technology has evolved, more and more physical infrastructure, embedded with connected devices, has been added to company networks.
“The world is becoming more connected,” and we should expect the risks “to multiply across all of these industries,” Thielemann said.
The pandemic and the resulting health crisis have created a perfect storm, the most vulnerable possible time for cyberattacks: millions of people are working remotely — including workers with access to critical infrastructure systems — and ransomware can be deployed simply by opening a link in an email.
“Critical infrastructure was always designed to have the control systems isolated and physically separate from the corporate network and the internet,” Eric Cole, a former cybersecurity commissioner to the Obama administration, told CNN.
“Initially for automation and accelerated by the pandemic, these systems are now connected to the internet. ... The known vulnerabilities make them an easy target,” Cole added.
Hospital systems and other health providers are attacked frequently, particularly during the pandemic, while struggling to deal with COVID-19 — with little to no time to update defenses.
A CISA survey conducted between March and November 2020 showed that 49% of healthcare service providers had “risky ports and services,” while 58% were using software versions vulnerable to attack.
An analysis by cybersecurity firm Emsisoft published in January showed that 560 healthcare facilities were hit by ransomware last year, along with more than 1,500 schools and 113 government agencies.
Companies and organizations need to quickly plug potential vulnerabilities in their systems and update software to insulate themselves from cyberattacks.
President Joe Biden last month signed an executive order for the companies working for the government to improve their cybersecurity practices.
On Wednesday, following the JBS and ferry attacks, White House press secretary Jen Psaki said the government is “building an international coalition to hold countries who harbor ransom actors accountable.”
The White House has also sent an open letter to private companies to take urgent actions to protect themselves against ransomware attacks, saying companies that “view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”
“Every company needs to be able to heighten this and become preventative because these attacks are weapons-grade. They’re not just casual attacks,” Ostrowski said.
Cole says the easiest fix is to keep the most crucial infrastructure functions off the web.
“I think the industries expect these number of attacks to continue to increase,” Ostrowski said. “If anything, what this has highlighted is how important our supply chains are.”
(With inputs from CNN)
Picture Credit: MindSmith