During the Covid-19 pandemic, ransomware attacks have grown at a rapid rate and major attacks now feature in headline news on an almost weekly basis. Organisations face the dilemma of whether to invest now in initiatives such as modern backup capabilities to mitigate such attacks, or to gamble that they will escape the attentions of the ransomware criminals. The odds are not good for those who do nothing. As George Bernard Shaw wrote: “In gambling, the many must lose in order that a few may win.”
One of the reasons the odds are so bad is that ransomware attackers have no moral conscience and are not likely to get one anytime soon. We can see that in recent attacks that took out critical parts of our infrastructure and risked lives in the process. However, we live in a world where hackers are beyond the reach of our jurisdictional powers. With the governments of those countries where hackers enjoy the freedom to perpetrate these crimes unwilling to do anything about their activities, we will continue to suffer these attacks and they will only increase in terms of volume and complexity.
A further risk is that organisations mistakenly believe that because they are relatively small or obscure, they will not be targeted. Unfortunately, attacks often take place on an industrial scale, with the attackers simply sending out the equivalent of mass mailings. All they need is for one user to click on a link and provide their details and the ransomware is deployed.
Allied to this ability to hide out of reach of law enforcement, ransomware attacks have also become increasingly easy to mount. There are online tutorials, or the attacks are supported by criminal syndicates that treat ransomware as a professional business, charging would-be ransomware criminals fees to set them up in exchange for a portion of the ransomware proceeds. In the current Covid-19 environment, businesses are increasingly reliant on digital infrastructure and more are willing to pay a ransom, further incentivising the crime.
Payment methods to collect the ransom are now much easier for criminals to exploit. Although the value of cryptocurrency is fluctuating, the profitability of ransomware attacks, along with the lack of any alternative anonymous payment method, means the attackers will not be deterred for now. For those unfortunate enough to have been attacked and who decide to pay the ransom, there is no guarantee that the attackers will return an organisation’s data, and those known by attackers to be willing to pay may well be targeted again.
Even those who refuse to pay the ransom remain exposed. In a recent case in Ireland, the Conti ransomware group was reportedly asking the health service for $20m (£14m) to restore services. Although the health service declined and the attackers eventually handed over a decryption key without receiving a ransom, they still published stolen patient data.
This is an indication that we may see a wave of significant attacks that extort money through the publication of sensitive information obtained in data breaches. Such information is often traded on the dark web and can include critical intellectual property assets, which are highly valued by organisations.
So, will the odds change anytime soon? Well, there are some positive moves. The US’s newly established Ransomware and Digital Extortion Task Force, set up to take down services that “support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns”, is one such step. In early June, the Department of Justice announced it had recovered 85% of the bitcoin that Colonial Pipeline had paid to DarkSide. There is now a focus on exploiting the underlying blockchain technology that supports bitcoin to provide a way of trying to track funds.
There is a possibility that international action or diplomacy may yet offer some hope. The Biden administration seems to have grasped the issue, recognising that it is becoming a political issue that needs to be addressed. Biden raised the surge in ransomware attacks with Russian president Vladimir Putin at their 16 June summit in Geneva. This resulted in an agreement in principle that something must be done to tackle the issue, but whether the Russian authorities are willing to join forces with the US to tackle the problem remains to be seen.
In the meantime, to reduce the odds of a successful ransomware attack, organisations should make sure they have an effective backup and restore approach. They should also conduct rigorous patching of applications and networks, and continuously train their employees on how to avoid clicking on suspicious links and providing their details.
This should be underpinned by ensuring that their critical assets are protected through a layered cyber defence, including encryption of data at rest or various anonymisation techniques, intrusion detection, and network segmentation through the use of data diode technologies, for example NCSC-approved solutions such as Oakdoor.
Gambling is a high-risk strategy. Doing nothing in the face of the threat from ransomware and hoping for the best provides some of the worst odds you will ever come across.