Ransomware in the Spotlight: What Security Pros Need to Know

If you’ve noticed a lot of news stories and social media posts lately blaring the word “ransomware” in the headline, you’re not alone.

Since the start of 2021 (but especially over the last four weeks), ransomware seems to be everywhere: from the attack that shut down a 5,500-mile interstate gas and oil pipeline belonging to Colonial Pipeline Co., to another incident that forced JBS, one of the world’s largest meat producers, to suspend some operations for nearly a week.

Then there’s the money.

The CEO of Colonial Pipeline admitted to paying a ransomware gang called DarkSide a $4.4 million ransom, while JBS’s chief executive made an $11 million payment to the Russian-speaking gang known as REvil or Sodinokibi. Those payoffs to criminal gangs might seem like a bargain compared to the $40 million that insurance firm CNA reportedly forked over following a similar attack.

The failure to prevent these attacks, the fact that cybercriminals are now targeting critical infrastructure within the U.S., and the amount of money used to pay these ransoms have all attracted the attention of Congress, which has held a series of hearings about ransomware that could likely lead to new laws or regulations.

While crypto-locking malware has been around for years, ransomware has evolved from cybercriminals targeting individual users or vulnerable business networks for a few bitcoins into an organized, global criminal operation: encrypting files, stealing data and extorting large organizations for millions of dollars in virtual currency, whether bitcoin or monero.

Some gangs, such as DarkSide and REvil, operate in a ransomware-as-a-service model, where some gang members develop the malware, while affiliate groups seek out victims and carry out the attacks.

Ransomware has gotten enough attention that President Joe Biden raised the issue with Russian President Vladimir Putin during a summit in Geneva on June 16, since many of these groups appear to operate from Russia with the government turning a blind eye to some of their activities, according to numerous reports and cybersecurity analysts.

“As companies continue to pay ransoms, cybercriminals are becoming more emboldened and turning their focus to ransomware attacks as a lucrative opportunity. These malicious actors are also moving away from holding data hostage and zeroing in on targeting critical infrastructure that can disrupt society,” Scott Devens, CEO at security firm Untangle, told Dice. “The shift comes as they realized they could get larger ransoms faster if their attack had the potential to cause severe consumer pain.”

Beyond Headlines

Even if some headlines overhype ransomware, the statistics show the problem is deadly serious. Devens pointed to a May report released by Check Point Software that found a 102 percent increase in ransomware attacks this year compared to the same period in 2020.

Karl Steinkamp, director of PCI product and quality assurance at consulting firm Coalfire, points to statistics published by the FBI’s Internet Crime Complaint Center that show how ransomware has progressed over the years. In 2013, IC3 reported 991 incidents and $539,000 lost to these attacks.

By 2020, there were over 2,400 ransomware incidents reported and more than $29 million lost—and these numbers are likely low, since private companies and firms are not required to report ransomware attacks to the FBI.

“Bad actors have realized that the opportunity cost of utilizing ransomware versus other forms of malware is in their favor as well as an increased awareness of crypto assets—principally bitcoin—for a mechanism of payment,” Steinkamp told Dice. “While the incidents don’t directly correlate with the price fluctuations of bitcoin, ransomware attacks are naturally becoming more lucrative as the price of bitcoin increases. As this continues to happen, we will likely see more incidents as more individual and nation-state bad actors continue to move into this space.”

Several cybersecurity analysts noted that many organizations that have sustained ransomware attacks suffered from the same security shortcomings: susceptibility to email phishing, which gives attackers initial access; exposed or poorly secured remote desktop access protocols, through which attackers break in; and unpatched bugs in software and hardware that leave networks open to attack.

In the case of Colonial Pipeline, the attackers found a compromised password that gave access to a VPN application that the company had forgotten was still active on its network, according to security firm FireEye, which investigated the incident on behalf of the company.

Several analysts note that the recent spate of high-profile ransomware attacks, combined with the government initiatives such as Biden’s executive order that focuses on cybersecurity, is likely to push more businesses and government agencies to increase their security spending over the next several months.

“Unfortunately, making large changes to the security team and the network will require investments that companies may be hesitant to make due to budget constraints,” Jamie Hart, cyber threat intelligence analyst at Digital Shadows, told Dice. “However, given the recent attacks on Colonial Pipeline and JBS, organizations should evaluate their security now and take action to fortify their defenses; the best offense is a good defense. IT and security staff’s ability to do their job may come down to the budget allotted to their team to implement the necessary changes.”

Bill Osterhout, director of cloud and IT solutions at Array Information Technology, notes that even with increased spending, there’s still stress on IT and security teams to keep up with the vulnerabilities that could lead to a ransomware attack.

“Frequent penetration testing events and software-based security monitoring controls must be implemented to assure that vulnerabilities are not introduced once a secure baseline is validated,” Osterhout said. “In today’s world of rapid IT innovation, the only constant thing is change. IT and security staff must embrace a continuous learning culture necessary to effectively control this rapidly evolving environment.”