Ransomware Attacks: The New Pandemic

At the beginning of May, as many Americans were finally starting to spread their wings after a tough year of COVID related lockdowns and travel bans, Russian hackers launched a malware cyberattack against Colonial Pipeline, the largest pipeline system for refined oil products in the U.S. The company, which moves more than 100 million gallons of fuel a day and provides around 45% of the East Coast’s gas, shut down operations for nearly a week. With fuel delivery crippled, panic ensued at the pumps and it was even reported that some worried consumers were using plastic grocery bags to stockpile gasoline – all due to a ransomware attack perpetrated by a Russian-linked hacker group called DarkSide. The FBI does not believe DarkSide is state sponsored, but rather a for-profit criminal organization that operates unfettered by the Russian government. Turns out Colonial Pipeline paid DarkSide a $4.4 million ransom to gain back control of their systems. The company’s CEO Joe Blount said that meeting the ransom demands was “the right decision to make for the country.” After DarkSide received their ill-gotten gains, they reportedly announced they were shutting down business due to what they termed as “pressure” from the United States. It is believed the hacker group ultimately received more than $90 million in ransom from 47 victims before disappearing into the night a la Kaiser Sousay. Less than a month later, meat processing and food supply giant JBS also fell victim to a ransomware attack. JBS is the world’s largest beef and poultry producer with nearly 250,000 employees worldwide and its systems were being held hostage by a hacker group called REvil, thought again to be based in Russia. On Memorial Day JBS USA announced that it was the target of an organized cybersecurity attack, affecting some of its servers supporting its North American and Australian IT systems. With a little help from the Australian government, JBS was back up and running in a couple of days, although the company has not publicly disclosed whether it paid a ransom. It is important to note that in 2021, REvil also launched ransomware attacks on electronics giant Acer and also stole Apple product designs.

RANSOMWARE AS A SERVICE It is certainly relevant to note that most if not all of these ransomware attacks have connections to foreign governments; however perhaps more alarming is that these criminal organizations have become so sophisticated – and so profitable – that they are essentially operating just as a legitimate business would. In the last several years, Ransomware as a Service (RaaS) groups have burgeoned throughout Russia and Eastern Europe. Instead of sourcing talent on LinkedIn as a legitimate business would, RaaS syndicates turn to dark web forums to recruit high level ransomware software service professionals. Again, almost as if they were a mainstream business, RaaS groups provide help desks that assist ransomware victims who forked over the money with file decryption. Surprisingly, they seemingly are quite helpful in this regard, protecting their cybercriminal brand with actual post-ransom customer service. The RaaS provider will rent out ransomware to an affiliate who has identified and targeted a specific victim, usually a big business, but smaller organizations are not immune. The affiliate launches the attack and, if the ransom is paid, it keeps the lion’s share of the ransom after paying the RaaS provider its percentage. Like legitimate businesses, RaaS providers sometimes hire subcontractors like malware authors and “bullet proof domain” operators who hide the RaaS servers that hold and manage the prelaunch malware. Also interesting is that many of these RaaS providers and affiliates truly do their homework, often determining a ransomware victim’s cybersecurity insurance coverage limits before they ever launch their attack. Which brings us to a bit of a double-edged sword. Businesses are increasingly purchasing extensive cybersecurity policies to mitigate losses, while ransomware groups are leveraging that knowledge to demand higher ransoms. The evolution of the hacker is really quite remarkable when you think about it. Just a few years ago, the stereotypical cybercriminal was a kid in a hoodie sitting in a dark room. Now it seems they possess a polish and sophistication that might make James Bond blush.

IS RANSOMWARE REALLY A PANDEMIC? The global cost of ransomware in 2020 was estimated around $20 billion. In its “State of Ransomware 2021” global survey, Sophos stated that “the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021.” Sophos also reports that the average ransom paid hovers around $170,000, while only 8% of organizations who pay a ransom get back all their data. “We are at the cusp of a global pandemic,” Christopher Krebs, former Director of the Cybersecurity and Infrastructure Security Agency, testified in May to Congress. “The virus causing the pandemic isn't biological, however. It's software." He added, “Simply put, ransomware is a business. And business is good.” Cybercrime Magazine reports ransomware attacks will launch every 11 seconds in 2021 – or about 7,850 per day, a number roughly equivalent to the State of New York’s daily COVID infections in early December. So yeah, we can probably call this a pandemic. And it’s going to get worse before it gets better. Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.