Cybercriminals disrupted the U.S. economy on an unprecedented scale this year, shutting down the U.S.’s largest fuel pipeline, temporarily halting meat processing plants that provide about a fifth of the country’s supply, and going after hospitals, clinics and universities.
The pipeline operator, Colonial Pipeline Co. based in Georgia, confirmed in May that it had paid hackers who broke into its computers systems $4.4 million in the ransomware attack. That kind of rich payoff has been driving the stream of assaults that is bedeviling companies and governments around the world.
“Nowadays organizations when they get hit with ransomware they’re just straight up calling their insurance company which negotiates on their behalf, makes a payment, gets a decryption tool and they get these companies back on their feet,” said Vikram Thakur, the technical director of the Symantec division of the security company, Broadcom.
Get Boston local news, weather forecasts, lifestyle and entertainment stories to your inbox. Sign up for NBC Boston’s newsletters.
That is not how insurance is supposed to work, he and others say. Insurance should compensate the victims, not reward attackers, and by paying, the companies are ensuring more attacks.
With the problem worsening, Congress and the White House are trying to combat the problem. In August, a bipartisan group of Congressional lawmakers announced legislation to help better track and analyze cyber crime. The Treasury Department under the Biden administration warned ransomware victims that paying hackers could violate U.S. sanctions and urged them to first notify the government, NBC News reported.
On Sept. 21, the Treasury Department announced that for the first time it had gone after a virtual currency exchange that it said was laundering cyber ransoms. It prohibited Americans from doing business with the cryptocurrency broker SUEX and said that more than 40% of SUEX known transaction history had been with “illicit actors.”
U.S. & World
Some attacks are repelled. The Port of Houston announced in September that it had defended itself against an attempted attack in August and said “no operational data or systems were impacted.”
Among the successful ones, some are more dire than others. The one on Colonial Pipeline might have raised gasoline prices for a short period of time, but those that shut down hospitals, fire or police departments, or utilities can be life-threatening. In those cases ransom payments are less controversial.
“As a security company, we lean towards the theory that no payout is good, but we do recognize that some payouts while really bad, they are warranted,” Thakur said. “And those are situations where somebody’s life might be at stake.”
If a hospital goes dark, or patients’ records cannot be accessed, “I think if you ask anybody in the world, they’ll say you have to make the damn payment.”
In a tragic first, an Alabama mother says in a lawsuit that her baby was born with severe brain injury and later died because of substandard care from a hospital was struggling with a ransomware attack, according to NBC News.
The lawsuit, filed by Teiranni Kidd and first reported by The Wall Street Journal, alleges that Springhill Medical Center failed to tell her that hospital computers were down because of the cyberattack. Doctors and nurses missed tests that would have shown the umbilical cord was wrapped around her baby's neck, leading to brain damage and her death, according to the lawsuit.
A report from the Department of Health and Human Services tracked 82 ransomware attacks affecting health care worldwide as of May 25, 2021. Forty-eight of those attacks, or nearly 60%, affected U.S. systems.
It found that average cost of rectifying a ransomware attack, including the ransom paid and downtime, was $1.27 million in the health sector, and that was lowest amount. The highest was $2.73 million in education.
Criminal groups in Russia, Iran and North Korea are blamed for many of the attacks.
A report from a company called Chainalysis, found that the amount paid by ransomware victims increased by more than 300% in 2020 to reach nearly $370 million worth of cryptocurrency.
Maddie Kennedy, the company's director of communications, cautioned that the amount is likely at the low end because those are only the payments Chainalysis was able to confirm.
"The true cost of ransomware ransoms is likely significantly higher, as many organizations quietly pay ransoms," she wrote in an email. "This is why better reporting is important; people will be able to better understand the true cost of ransomware (which includes not just the cost of ransom, but also costs associated with the disruption of operations), and dedicate resources appropriately."
Chainalysis said that its tools had helped the investigation into SUEX, which it had been tracking.
The cost of the attacks go beyond the ransom paid. Last year, Cybersecurity Ventures, a researcher of cyber statistics and publisher of Cybercrime Magazine, predicted cybercrime would cost $6 trillion in 2021, up from $3 trillion in 2015, according to one estimate. The $6 trillion cost takes into account destruction of data, lost productivity, theft of intellectual property, personal and financial data, embezzlement, disruption to normal business and restoration of hacked systems.
Just before the July Fourth holiday weekend began, the computer systems of thousands of mostly small businesses fell victim to hackers who demanded $50 million in cryptocurrency to unlock their files.
The Russian-language hackers who took credit, and who called themselves REvil, were reportedly the same ones that hit the meat processing company, JBS USA Holdings Inc., and they posted that once they got the money, they would publish a “decryptor key.” They likely hoped that the companies' insurers would pay up quickly, especially after the attack generated more attention than they had had anticipated, the Associated Press reported.
JBS said after the attack in May that it had paid $11 million in bitcoin to limit the disruption to restaurants, grocery stores and farmers.
The ransomware epidemic has gone through phases over the last five years, from targeting single computer to taking down entire systems, said Ryan Kalember of the cybersecurity company Proofpoint. Its origin can be traced to cryptocurrency which allows criminals to monetize ransomware software, he said.
In 2016, attacks focused on single computers for a typical ransom of a few hundred dollars, with software that evolved from what were called banking Trojans that sat on a computer until a user logged into a bank. Criminals moved on to sending out hundreds of millions of emails intended to lure recipients into installing malware on their computers, what experts called a “spray and pray game," Kalember said, and from there to what is known as "big game hunting ransomware," in which they might still start with a phishing email but use it to compromise an entire computer system.
Ransomware attackers who once zeroed in on many more victims and charged them smaller amounts now go after very few victims but invest significant effort and expect to be paid a lot to release the data,” Kalember said.
The number of cities that are being targeted by ransomware is down though through no particular security measures on their part. Some attackers apparently have turned from cities, counties and other governmental entities to private companies and corporations judging them to be a better investment of their time. Baltimore and Atlanta were both targeted and neither paid the millions of dollars demanded.
“The attackers just think that there is much lower hanging fruit in the private sector in the United States where they have much higher chances of getting a pay out as compared with a public sector organizations,” Thakur said.
Corporations want to get back to business quickly with as a little disruption as possible and often try keep the ransom demands secret, he said. By contrast a municipality or other public organization face regulations that force them to make an attack public, which can spark a backlash against payments.
“The attackers, they look at it as ‘What is going to help us get a payout’” he said. “And if keeping it private is it, they’ll do it. They know making an incident public very quickly might have negative repercussions for them.”
Kalember cautions that ransomware is highly opportunistic. Municipalities, school districts and other organizations might be easier targets than corporations, which typically have better security and which force hackers to use more sophisticated techniques.
"Ransomware is so big at this point that it’s difficult to actually say that the opportunism is trending in a particular direction," he said. "That said there are definitely groups that will read financial filings and have a very good idea of how much free cash flow certain organizations are generating.
Hackers can try to infiltrate a computer system in three ways: by logging in remotely through a VPN or virtual private network; through email phishing; or through a computer vulnerability that has not yet been patched, Kalember said.
"They all use vulnerabilities that are widely known and should have been patched," he said. "And they tend to actually to be on those VPN devices, so those same devices that made it possible for us to all go work from home and connect back to things that were part of corporate network."
Insurance companies will eventually raise premiums but the amount being paid out is not yet significant enough. In the meantime, a ransomware attack can be good marketing for them if they get enough publicity for negotiating a payment and helping a company limit the damage.
Biden warned Putin on July 9 to act against criminals engaged in ransomware attacks and based in Russia. Ransomware is seen as changing from a criminal threat to a national security one.
“President Biden reiterated that the United States will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge,” according to a readout off the call between the men released by the White House.
The Biden administration also pressured businesses to improve their defenses against attacks.
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location," Anne Neuberger, the deputy national security advisor for cyber and emerging technology, wrote in a memo.
Experts are urging the U.S. government to update financial laws and other regulations. Companies must disclose breaches and payments the way financial institutions are already required to disclose transactions over a certain amount. . The concept of 'know your customer' is lost under the current crypto conditions, Thakur said.
“The same thing needs to happen in the crypto world where if somebody pays out a massive amount in the crypto currency world, governments need to be able to be in a position where they can figure out where that money actually went in real life,” Thakur said.