02-18-2021 , 12:24 AM
In the past five years, ransomware attacks have evolved from rare misfortunes into common and disruptive threats.
Hijacking the IT systems of organizations and forcing them to pay a ransom in order to reclaim them, cybercriminals are freely extorting millions of pounds from companies—and they're enjoying a remarkably low risk of arrest as they do it.
At the moment, there is no coordinated response to ransomware attacks, despite their ever-increasing prevalence and severity. Instead, states' intelligence services respond to cybercriminals on an ad-hoc basis, while cyber-insurance firms recommend their clients simply pay off the criminal gangs that extort them.
Neither of these strategies is sustainable. Instead, organizations need to redouble their cybersecurity efforts to stymie the flow of cash from blackmailed businesses to cybercriminal gangs. Failure to act means that cybercriminals will continue investing their growing loot in ransomware technologies, keeping them one step ahead of our protective capabilities.
Daylight robbery
Ransomware is a lucrative form of cybercrime. It works by encrypting the data of the organizations that cybercriminals hack. The cybercriminals then offer organizations a choice: pay a ransom to receive a decryption code that will return your IT systems to you, or lose those systems forever. The latter choice means that firms would have to rebuild their IT systems (and sometimes databases) from scratch.
Unsurprisingly, many companies choose to quietly pay the ransom, opting never to report the breach to the authorities. This means successful prosecutions of ransomware gangs are exceedingly rare.
In 2019, the successful prosecution of a lone cybercriminal in Nigeria was such a novelty that the US Department of Justice issued a celebratory press release. Meanwhile, in February 2021, French and Ukrainian prosecutors managed to arrest some affiliates Egregor, a gang that rents powerful ransomware out for other cybercriminals to use. It appears that those arrested merely rented the ransomware, rather than creating or distributing it. Cybersecurity experts have little faith in the criminal justice system to address ransomware crimes.
The frequency of those crimes is increasing rapidly. An EU report published in 2020 found that ransomware attacks increased by 365% in 2019 compared to the previous year. Since then, the situation is likely to have become much worse. The US security company PurpleSec has suggested that overall business losses caused by ransomware attacks might have exceeded US$20 billion (£14.3 billion) in 2020, up from US$11.5 billion (£8.2 billion) in 2019.
Even hospitals have suffered attacks. Given the potential impact of a sustained IT shutdown on human lives, healthcare databases are in fact actively targeted by ransomware gangs, who know they'll pay their ransoms quickly and reliably. In 2017, the NHS fell foul of such an attack, forcing staff to cancel thousands of hospital appointments, relocate vulnerable patients, and conduct their administrative duties with a pen and paper for several days.
Waging war?
With ransomware spiraling out of control, radical proposals are now on the table. Chris Krebs, the former head of the US Cybersecurity and Infrastructure Security Agency, recently advocated using the capabilities of US Cyber Command and the intelligence services against ransomware gangs.
The US government and Microsoft coordinated over such a attack in 2020, targeting the "Trickbot botnet" malware infrastructure—often used by Russian ransomware gangs—to prevent potential disruption of the US election.
Australia is the only country to have publicly admitted to using offensive cyber capabilities to destroy foreign cybercriminals' infrastructure as part of a criminal investigation.
Sustained operations of this kind could have an effect on cybercriminals' ability to operate, especially if directed against the gangs' servers and the infrastructure they need to turn their bitcoin into cash. But unleashing offensive cyberwarfare tools against criminals also creates a worrying precedent.
Normalising the use of the armed forces or intelligence units against individuals residing in other countries is a slippery slope, especially if the idea is adopted by some of the less scrupulous regimes on this planet. Such offensive cyber operations could disrupt another state's carefully planned domestic intelligence operations. They could also negatively affect the innocent citizens of foreign states who unwittingly share web services with criminals.
Further, many cybercriminals in Russia and China enjoy de facto immunity from prosecution because they occasionally work for the intelligence services. Others are known to be state hackers moonlighting in cybercrime. Targeting these people might diminish the ransomware threat, but it might just as well provoke revenge from hackers with far more potent tools at their disposal than ordinary cybercriminals.
Source
Hijacking the IT systems of organizations and forcing them to pay a ransom in order to reclaim them, cybercriminals are freely extorting millions of pounds from companies—and they're enjoying a remarkably low risk of arrest as they do it.
At the moment, there is no coordinated response to ransomware attacks, despite their ever-increasing prevalence and severity. Instead, states' intelligence services respond to cybercriminals on an ad-hoc basis, while cyber-insurance firms recommend their clients simply pay off the criminal gangs that extort them.
Neither of these strategies is sustainable. Instead, organizations need to redouble their cybersecurity efforts to stymie the flow of cash from blackmailed businesses to cybercriminal gangs. Failure to act means that cybercriminals will continue investing their growing loot in ransomware technologies, keeping them one step ahead of our protective capabilities.
Daylight robbery
Ransomware is a lucrative form of cybercrime. It works by encrypting the data of the organizations that cybercriminals hack. The cybercriminals then offer organizations a choice: pay a ransom to receive a decryption code that will return your IT systems to you, or lose those systems forever. The latter choice means that firms would have to rebuild their IT systems (and sometimes databases) from scratch.
Unsurprisingly, many companies choose to quietly pay the ransom, opting never to report the breach to the authorities. This means successful prosecutions of ransomware gangs are exceedingly rare.
In 2019, the successful prosecution of a lone cybercriminal in Nigeria was such a novelty that the US Department of Justice issued a celebratory press release. Meanwhile, in February 2021, French and Ukrainian prosecutors managed to arrest some affiliates Egregor, a gang that rents powerful ransomware out for other cybercriminals to use. It appears that those arrested merely rented the ransomware, rather than creating or distributing it. Cybersecurity experts have little faith in the criminal justice system to address ransomware crimes.
The frequency of those crimes is increasing rapidly. An EU report published in 2020 found that ransomware attacks increased by 365% in 2019 compared to the previous year. Since then, the situation is likely to have become much worse. The US security company PurpleSec has suggested that overall business losses caused by ransomware attacks might have exceeded US$20 billion (£14.3 billion) in 2020, up from US$11.5 billion (£8.2 billion) in 2019.
Even hospitals have suffered attacks. Given the potential impact of a sustained IT shutdown on human lives, healthcare databases are in fact actively targeted by ransomware gangs, who know they'll pay their ransoms quickly and reliably. In 2017, the NHS fell foul of such an attack, forcing staff to cancel thousands of hospital appointments, relocate vulnerable patients, and conduct their administrative duties with a pen and paper for several days.
Waging war?
With ransomware spiraling out of control, radical proposals are now on the table. Chris Krebs, the former head of the US Cybersecurity and Infrastructure Security Agency, recently advocated using the capabilities of US Cyber Command and the intelligence services against ransomware gangs.
The US government and Microsoft coordinated over such a attack in 2020, targeting the "Trickbot botnet" malware infrastructure—often used by Russian ransomware gangs—to prevent potential disruption of the US election.
Australia is the only country to have publicly admitted to using offensive cyber capabilities to destroy foreign cybercriminals' infrastructure as part of a criminal investigation.
Sustained operations of this kind could have an effect on cybercriminals' ability to operate, especially if directed against the gangs' servers and the infrastructure they need to turn their bitcoin into cash. But unleashing offensive cyberwarfare tools against criminals also creates a worrying precedent.
Normalising the use of the armed forces or intelligence units against individuals residing in other countries is a slippery slope, especially if the idea is adopted by some of the less scrupulous regimes on this planet. Such offensive cyber operations could disrupt another state's carefully planned domestic intelligence operations. They could also negatively affect the innocent citizens of foreign states who unwittingly share web services with criminals.
Further, many cybercriminals in Russia and China enjoy de facto immunity from prosecution because they occasionally work for the intelligence services. Others are known to be state hackers moonlighting in cybercrime. Targeting these people might diminish the ransomware threat, but it might just as well provoke revenge from hackers with far more potent tools at their disposal than ordinary cybercriminals.
Source