Held Hostage: The Threat of Ransomware

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Malik H. Dulaney
July 22, 2021

In my last column, I covered the topic of cybersecurity and critical infrastructure. This column will discuss ransomware, an increasingly utilized method for profit-driven cyber attacks. These attacks are often directed at critical infrastructure. Ransomware use has increased by 40% and the total cost of ransoms has doubled. Currently, the average ransom cost is $111,600. The proliferation of ransomware attacks has motivated the White House to create a ransomware task force and the United States Department of Justice to prioritize ransomware investigations at the same level as terrorism. It is an existential threat to organizations, with disruptive consequences for our daily lives.

What is Ransomware?

Ransomware is malicious software designed to prevent access to computer systems or to exfiltrate sensitive data. A ransomware attack begins with the hacker gaining access to a computer system, whether through an exploited vulnerability, stolen credentials, a malware infection or a similar route. During an attack, the computer's files are encrypted. The hacker holds the decryption key hostage until a monetary ransom is paid. The hacker also copies the victim's data out of the network and threatens to release it to the public unless the ransom is paid. The extortion payments are made in cryptocurrency to make it difficult to trace the payments back to the hackers.

Because ransomware attacks have become highly profitable, hackers have professionalized their approach to ransomware. They are using customer support websites with FAQs, chat apps and email technical support. The hackers want to protect their reputations for releasing victim data once they have been paid. They are now commoditizing ransomware attack infrastructure, creating ransomware as a service (RaaS). With RaaS, ransomware developers focus on writing the software and maintaining the infrastructure for a 30% stake of the ransom. The attackers focus on finding new targets, initiating attacks and managing the high-pressure extortion tactics. They typically receive the remaining 70% of the profits. This division of labor is a large cause of the increase in attacks.

Recent examples

The Kaseya ransomware attack is the most recent and the largest ever ransomware attack. It was executed on July 2nd. The Kaseya Virtual System Administration Software (VSA) was compromised and then used to distribute ransomware to upwards of fifteen hundred Kaseya clients. This is called a supply chain attack, similar in tactic to the SolarWinds hack. The Russian hacker group called REvil took credit for the attack. They demanded a total of $70 million from all of Kaseya's affected customers.

The Colonial Pipeline ransomware attack is another recent high-profile attack that occurred in early May. Hackers encrypted Colonial's computers and shut down gasoline pipeline distribution for the southeast and east coast for nearly a week. The shutdown created a gas supply panic resulting in shortages, long lines and a spike in gas prices. Colonial Pipeline paid the DarkSide cybercrime group $4.4 million. In June, a class action suit was filed against Colonial. The Kaseya attack also affected the town of Leonardtown, MD. REvil demanded $45,000 per computer to decrypt their files.

Implications

The previous incidents demonstrate that ransomware events are disruptive. For city and state governments, public organizations and critical infrastructure organizations, they can be catastrophic. Public sector organizations are the hardest hit by these attacks. In many cases, they don't have the resources to establish an effective security posture to thwart ransomware attacks. They also lack resources for cyber insurance policies; to pay exorbitant ransomware payments; to mitigate the original cause of a breach; to rebuild systems after an attack where the ransom wasn't paid; and to handle the potential legal fallout.

Ransomware attacks can destroy entire computing systems, making them unusable without reinstallation. The only definitive way to know that the original vulnerability has been mitigated is to reinstall and rebuild a system. Otherwise, the hackers may use the same vulnerability to break into the victim again and demand a second ransom. For victims who pay ransoms, there could be a loss of public trust and reputation. Hackers may choose to release exfiltrated data anyway. After the data has been stolen, it may be publicly available in perpetuity. Paying could also encourage copycat attacks, because it becomes known that the victim will pay.

Recommendations

There are no absolute protections against ransomware. One of the most important protections against ransomware is tested and verifiable backups of critical data. If your data is encrypted by ransomware, you need to have the ability to recover your data without having to pay a hacker. If possible, maintain offsite and unconnected backups. Conduct ongoing cyber education. Train employees to interact with technology safely and to spot phishing and social engineering tactics. Some additional suggestions are: obtain cyber insurance; keep critical systems patched; use endpoint detection and response software and data loss prevention software; design your environment utilizing least privilege and zero trust principles; and scrutinize third party vendors that have access to your networks.
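As an added illustration of the "tested and verifiable backups" recommendation above (example code written for this page, not from the column or any vendor): a backup is only verifiable if you record a checksum of every file when the backup is taken and then compare a trial restore against that record. The files, directory names and the tampered or missing items below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the digest of every file under root, keyed by its relative path.
    Store this manifest with the offline copy so it cannot be rewritten by an attacker."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a trial restore against the manifest taken at backup time.
    Any 'modified' or 'missing' entry means the backup cannot be relied on."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif hash_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: three files are backed up; on restore one is intact,
    one has been altered (as encrypted files would be) and one never came back."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "records").mkdir(parents=True)
        (src / "archive").mkdir()
        (src / "records" / "budget.csv").write_text("year,amount\n2021,100\n")
        (src / "notes.txt").write_text("quarterly notes\n")
        (src / "archive" / "old.txt").write_text("retired policy\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        (restored / "records").mkdir(parents=True)
        (restored / "records" / "budget.csv").write_text("year,amount\n2021,100\n")
        (restored / "notes.txt").write_text("quarterly notes (altered)\n")  # constructed tampering
        # archive/old.txt is deliberately not restored
        return verify_restore(manifest, restored)
```

Running `demo()` reports budget.csv as ok, notes.txt as modified and archive/old.txt as missing; a real restore test that is not entirely "ok" should be treated as a failed backup, not a partial success.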

As public administrators, it is imperative that you are aware of the dynamic state of cybersecurity. Due to the profit potential of ransomware, hackers are accelerating the volume of attacks and expanding the sectors they are targeting. Focus on maximizing IT resources to increase your organization's cybersecurity posture against ransomware threats.

Author: Malik H. Dulaney, PhD, CISSP is an information technology professional with the University of Dallas and an adjunct cybersecurity professor with the Gupta College of Business at the University of Dallas. He is also a public sector researcher with research interests in cybersecurity in public and nonprofit organizations, cyber warfare and information technology policy. He can be reached at [email protected].
