The good news is that the Covid-19 pandemic seems to be more under control, for now, in most developed countries. The bad news is that another pandemic is looming on the horizon. If Covid-19 denied many their livelihood, some their lives as they knew them, and yes, many their loved ones, the ransomware pandemic must be at the top of the minds of every country and every citizen. Not to sound alarmist, but the day of reckoning is here and will hit the rich and the poor unsparingly. Ransomware made it to the recent G7 and NATO meetings and was a difficult conversation between Presidents Biden and Putin.
Ransomware is a matter of every country’s national security.
As every industry and government agency increases its reliance on data-intensive operations and leverages data for daily business and service delivery, ransomware is a threat to corporate and government digital assets, with consequences ranging from economic loss to risks to lives and critical infrastructure.
- This blog is not for the technologists who already understand the risks and the nightmare that is ransomware. It is part of our public educational series and knowledge sharing.
- After this article was posted, another attack, on Kaseya, impacted at least 1500 of its customers, and the ransom demand was at least $70 million.
What is ransomware, and how does it work?
In brief, ransomware is malicious software that infects a computer, encrypts or leaks data, and demands a ransom payment in exchange for the keys to get the data back. In many situations it also steals and/or leaks the data, which is just as devastating and harmful to the victim.
Ransomware is delivered through:
- Tricking users into entering their passwords
- Downloading malicious code while browsing the web
- Exploiting vulnerabilities in systems to drop and propagate the malware
- Hacking servers to upload malware
- Hacking software vendors to piggyback on application updates or usage
SolarWinds and MS Exchange customers were attacked through software updates, which became a perfect trusted delivery tool: the infected update allowed attackers to infect a huge number of agencies and businesses in one swoop.
Once ransomware encrypts or leaks the data, a ransom note is sent to the victim. Ransom demands can range from $10,000 to $100 million, and cleanup costs can go even higher. The most recent known payment “on record” was $4.5 million (the FBI recovered part of some recent payments). The attackers on ACER demanded up to $50 million in ransom. Quanta Computer, an Apple partner, shelled out $100 million.
The FBI and agencies in other countries advise victims not to pay. Paying does not guarantee that the data will be recovered, and it does not help: it may add the payer to a database of known payers (victims who pay when asked) who are then scheduled to be attacked again.
The video below shows a simulation of an infrastructure attack.
Effects on businesses and agencies
Ransomware attacks take over corporate and government data. The number of attacks increased by more than 350% in the last couple of years. The scale of attacks, the economic damage, the risk to the economy, and the loss of property and life are growing.
Ransom payments in the first few months of 2021 have already exceeded one-third of a billion US dollars. The effects of ransomware are devastating. The recent Colonial Pipeline case disrupted the supply chain for oil distribution: 45% of all types of fuel stopped flowing on the East Coast of the US, and long lines at the pump in many cities reminded people of the 1970s oil embargo. Other attacks, on hospitals or emergency services, put lives at risk. Lost time, the cost of labor, lost confidence, and damaged reputation are further side effects. The cities of Atlanta and Baltimore have each shelled out more than $10 million to rebuild their systems; costs can reach $18 million. The costs of the ransom and the cleanup will eventually be passed on to consumers or taxpayers.
The ransomware pandemic affects everyone.
No one is safe from ransomware. I’m sure by now everyone has gotten the call from someone pretending to be from Microsoft, Apple, or Amazon and trying to direct them to a malicious site. Attackers are equal-opportunity targeters. Affected businesses include:
- Financial institutions
- Food companies
- Water plants
- Power stations
- Federal agencies
- Emergency services
- Hospitals and healthcare systems
- Insurance companies
- Car manufacturers (Kia Motors, Honda)
- Supply chain
- Control systems
- Chemical companies (Brenntag)
- Oil distribution companies (Colonial)
- Software companies (Microsoft, Accellion file transfer, ExaGrid, SolarWinds, …)
- Poor and rich countries alike
Nevertheless, we hear only about the high-profile cases. For example, data shows that hundreds of healthcare providers were victims, where CT scans, X-rays, radiation machines, blood labs, health records, doctors’ notes, and prescriptions were not immune. Imagine targeted individuals’ prescriptions being changed to inflict harm … Such frightening scenarios should be of serious concern to anyone delivering or receiving care.
We cannot forget about financial institutions, smart and driverless cars, trains, airplanes, gas stations, and grocery stores. Some sinister scenarios discussed in the US Government Accountability Office (GAO, gao.gov) reports should scare home users, businesses, and governments alike.
Monetization of ransomware through distribution channels
The ransomware industry is a business, and attackers are getting richer by organizing themselves as businesses. They range from lone individuals to well-organized entities and state actors. They create distribution channels (“distis”) with their own value-added resellers (VARs) and use a pyramid of payments, making it easy to set up shop and start collecting under a subscription model in which a percentage of each ransom collected trickles up the value chain. They use Bitcoin as the form of payment to hide their tracks.
Rising cyber insurance premiums for businesses
Costs to cyber insurance companies are increasing as ransomware attacks continue to grow. The GAO reported that some insurance carriers are imposing restrictions and limits on coverage, and ransomware has forced insurers to review their requirements for the insured. According to the GAO, premiums shot through the roof after 2018, increasing by 30% and then growing by about 12% per quarter since 2020. Furthermore, insurance companies are increasing their scrutiny, becoming more selective about who is covered and more restrictive about what is covered. Even so, the number of policies increased from 2.2 million to more than 4 million, with premiums above $3 billion. Even if the available data is sketchy, uncertainty is causing many challenges for cyber insurers (GAO report).
A nightmare scenario: if the ransomware businesses get hold of a list of the insured, they will target those companies because they are certain they can pay the ransom, and they will hit the insured again and again to extract the maximum value.
Deterrence and prosecutions
It used to be that when a state actor went against US interests, F-16s and F-18s were sent to level everything around them. That is hard to do except against rogue nations, and that sort of power cannot serve as a deterrent here. Security agencies worldwide have made some arrests, but the attackers’ business model continues to evolve and evade the efforts of government agencies. Governments will have to invest significantly to defend the infrastructure and prosecute the culprits. Government and private industry must fund technologists who work on public policy and technology related to ransomware in government, nonprofits, and universities.
What can you do to increase the odds of surviving the ransomware pandemic?
The following are some recommendations to reduce the probability of becoming a ransomware pandemic victim:
- Create an effective backup and data protection strategy and execute it religiously
- Create multiple and frequent backup copies
- Back up to multiple different operating systems
- Lock down the backup servers and isolate them from the network on a rotating schedule
- Establish a reference baseline for file and data changes and resource usage on the systems
- Monitor the frequency of file changes on systems
- Monitor the resource usage on the systems
- Educate the family and the workforce to put on their safe-computing hats whether they are reading emails, clicking on links, or surfing the web
- Patch systems like your life depends on it
- Block URLs in email or deactivate them
- Avoid visiting unsafe websites
- Keep an eye out for fake sites and avoid hitting that phishing link
- Tighten the rules on the firewalls
- Use network and system separation and isolation
- Use role separation
- Install anti-malware, anti-virus, and endpoint security
- Keep all operating systems and applications up to date
- Rely on reputable operating systems
- Identify the weakest links
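The three recommendations on establishing a reference point and monitoring file-change frequency can be turned into a simple detector. The following is an added example, not code from the original post: it learns a per-minute baseline of distinct files changed from a known-clean period and flags windows that blow past it, which is the signature of mass encryption. The event format, paths and file names are assumed and the sample events are constructed.

```python
"""Flag bursts of file changes against a learned baseline (added example).

Assumes events are (timestamp_seconds, path, operation) tuples exported
from a file-activity source such as auditd, inotify or Sysmon; the sample
events below are constructed, not real logs.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60  # seconds per bucket

# Constructed sample: one document changed per minute for an hour (normal),
# followed by a burst of 400 distinct spreadsheets rewritten in 100 seconds
# and a few new files with an unfamiliar extension.
NORMAL = [(60 * i, f"/srv/share/doc{i}.docx", "modify") for i in range(60)]
BURST = [(3600 + i // 4, f"/srv/share/report{i}.xlsx", "modify") for i in range(400)]
BURST += [(3700 + i, f"/srv/share/note{i}.locked", "create") for i in range(5)]


def distinct_files_per_window(events, window=WINDOW):
    """Return {window_start: number of distinct paths touched} for write-type ops."""
    buckets = defaultdict(set)
    for ts, path, op in events:
        if op in ("modify", "create", "rename", "delete"):
            buckets[(ts // window) * window].add(path)
    return {start: len(paths) for start, paths in sorted(buckets.items())}


def build_baseline(events, window=WINDOW):
    """Reference point from a known-clean period: mean and std-dev of the per-window count."""
    counts = list(distinct_files_per_window(events, window).values())
    return mean(counts), pstdev(counts)


def detect_bursts(events, baseline, window=WINDOW, sigmas=5, min_files=20):
    """Windows whose distinct-file count exceeds mean + sigmas*std and an absolute floor."""
    avg, std = baseline
    threshold = max(min_files, avg + sigmas * std)
    return [(start, n) for start, n in distinct_files_per_window(events, window).items()
            if n > threshold]


if __name__ == "__main__":
    base = build_baseline(NORMAL)
    for start, n in detect_bursts(NORMAL + BURST, base):
        print(f"ALERT window at t={start}s: {n} distinct files changed (baseline {base[0]:.1f}/min)")
```

Feed the same functions a rolling export of real file events and pair the alert with the resource-usage check from the list, since an encryptor also drives CPU and disk I/O well above the baseline.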