Last year in the United States, ransomware gangs affected more than 100 federal, state, and municipal agencies, more than 500 health care centers, and 1,680 educational institutions.
WASHINGTON – Recent high-profile ransomware attacks on the world’s largest meatpacking company and the largest gas pipeline in the United States have highlighted how extortionist hacker gangs can disrupt the economy and put lives and livelihoods at risk.
Last year alone in the United States, ransomware gangs hit more than 100 federal, state and municipal agencies, more than 500 health care centers, 1,680 educational institutions and thousands of businesses, according to cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are hard to come by. Many victims shun reporting, fearing damage to their reputation.
Among the most recent known targets are a Massachusetts ferry operator, the Irish health system and the Washington, DC police department. But the widely disruptive hacks of Colonial Pipeline in the United States in May and of Brazilian meat processor JBS SA this week have caught the attention of the White House and other world leaders, along with intensified scrutiny of the foreign safe havens where cybercriminal mafias operate.
WHAT IS RANSOMWARE? HOW DOES IT WORK?
Ransomware scrambles the target organization’s data with encryption. Criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys to unlock the files.
Ransomware criminals have also expanded into data-theft blackmail. Before triggering encryption, they silently copy confidential files and threaten to publish them unless they get their ransom payments. This can pose problems even for companies that make diligent backups of their networks as protection against ransomware, as refusing to pay can cost far more than the ransoms they could have negotiated.
HOW DO RANSOMWARE GANGS WORK?
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Compared with just three years ago, the syndicates have grown in sophistication and skill. They take advantage of dark web forums to organize and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments and money laundering harder to track.
Some major ransomware criminals fancy themselves software service professionals. They are proud of their “customer service,” which offers “help desks” that assist paying victims with file decryption. And they tend to keep their word. After all, they have brands to protect.
The business is now highly specialized. An affiliate will identify, track, and infect targets using ransomware that is typically rented from a ransomware service provider. The provider gets a cut of the payment; the affiliate usually takes more than three-quarters.
Other subcontractors can also get a portion. These may include the authors of the malicious software used to break into victim networks and the people who run so-called “bulletproof domains” behind which ransomware gangs hide “command and control” servers. These servers handle the remote seeding of malware and data extraction before activation, a stealthy process that can take weeks.
WHY DO RANSOMS CONTINUE TO CLIMB? HOW CAN THEY BE STOPPED?
Colonial Pipeline confirmed it paid $4.4 million to the gang of hackers who broke into its computer systems last month.
The FBI advises against paying ransoms, but a public-private task force that includes U.S., British and Canadian tech companies and crime agencies says it would be wrong to try to ban ransom payments. This is mainly because “ransomware attackers continue to find sectors and elements of society that are sadly unprepared for this style of attack.”
The working group recognizes that payment may be the only way for an affected company to avoid bankruptcy. Worse, sophisticated cybercriminals have often done their research and know the coverage limit of a victim’s cybersecurity insurance. They have been known to mention it in negotiations.
This degree of criminal knowledge helped increase average ransom payments to more than $310,000 last year, 171% more than in 2019, according to Palo Alto Networks, a member of the task force.
WHAT HAS BEEN DONE ABOUT THEM?
President Joe Biden signed an executive order in May aimed at strengthening U.S. cybersecurity defenses, primarily in response to Russian hacking of federal agencies and interference in U.S. politics. But ransomware attacks on private companies have begun to dominate the cybersecurity conversation as Biden prepares for a June 16 summit with Russian counterpart Vladimir Putin.
White House Deputy Press Secretary Karine Jean-Pierre said this week that the ransom demand made of meat processor JBS came from a “criminal organization probably based in Russia.” She said the White House “is directly related to the Russian government” and “sending the message that responsible states do not harbor ransomware criminals.”
The new industry working group set up to combat ransomware says it is important to have concerted diplomatic, legal and police cooperation with key allies.
Ransomware developers and their affiliates should be named and shamed, though they are not always easy to identify, and the regimes that enable them should be punished with sanctions, its report urges.
It calls for mandatory disclosure of ransom payments and a federal “response fund” to provide financial assistance to victims in the hope that, in many cases, it will prevent them from paying ransoms. And it wants stricter regulation of cryptocurrency markets to make it harder for criminals to launder revenue from ransomware.
The task force also calls for something potentially controversial: amending the U.S. Computer Fraud and Abuse Act to allow private industry to actively block or limit online criminal activity, including botnets, the networks of hijacked zombie computers that ransomware criminals use to sow infections.
Associated Press reporter Matt O’Brien contributed to this report.