Do a search for “peak ransomware” and you’ll likely find a dozen articles surmising the end of the ransomware. There is little agreement on that. Nor is their agreement on what to do about it. In the meantime, it may evolve catastrophically.
Ransomware cyberattacks have been with us for several decades, but they have only become mainstream news in the past couple of years. In 2021, cyber criminals using DarkSide ransomware hacked the network of Colonial Pipeline, cutting gasoline supplies for much of north eastern United States. The company paid out almost $5 million. Then the REvil group, just weeks later got $11 million from the meat processor JBS.
- Superpowers engage to fight ransomware
- Gangs go dark
- Legislation to ban ransoms grows popular
- Criminals are adapting faster than legislation can pass
The criminal activity now engages the attention of the global superpowers. There are calls to outlaw paying ransoms. Four states have initiated legislation to do that to some degree. That puts the onus in the victims without significant action against the criminals. However, some strange things have happened.
Law enforcement catching on
In May, the FBI, using a stolen password and the mixer that the hackers stored their bitcoin in and recovered almost all the bitcoin ransom from the Colonial attack. In fact, the news of the recovery caused Bitcoin value to plummet so fast that Colonial didn’t get back the entirety of the ransom. Almost simultaneously, DarkSide, who provided the technology for the Colonial attack, disappeared from the Internet. Social media chatter confirmed that multiple gangs had vanished, as well.
Most recently, REvil hit Kaseya along with hundreds, if not thousands of their customers worldwide with a $70 million ransom demand. A lot of organizations shrugged and gave a virtual finger to the criminals. For example, Leonardtown, Maryland, who used an IT contractor that was a Kaseya customer, decided it could ignore the ransom demand because it had sufficient backups to restore services to residents.
It turns out, that if you have good backups, it takes just as long to restore your data as it would to pay the ransom and get a decryption tool from the criminals, which may not actually work. So paying the ransom doesn’t get you back on your feet any sooner than ignoring the demand.
The combination of the disappearance of the gangs, including REvil as of last week, and the newfound reticence of victims to pay up, is feeding the “peak ransomware” conjecture.
“There is at least a plausible case to be made that the past month has been strategically damaging for the criminals and that one hopes that we might – please note, the very careful language – that we might be able to look back at some point on this period as peak ransomware,” said Ciaran Martin, professor of practice at the University of Oxford’s Blavatnik School of Government.
“I completely disagree,“ said Matthew Rosenquist, CISO of Eclipz and a vocal proponent for making paying ransoms illegal. “It is a requirement that we have consistency and a driving force that compels the non-payment, as the attackers will evolve to put more pressure on organizations. Unless there is a hard barrier, they will continue to try an sway victims. We need to take the option completely off the table for widespread deterrence to be effective.”
Ritesh Argarwal, CEO of Airgap.io, disagrees with both Rosenquist and Martin. “We haven’t hit the peak. We are yet to see the full brunt of ransomware. At the same time, No government focus or involvement can help.”
Agarwal said banning ransoms will do nothing to stop ransomware because there are only penalties on the victims, no identification much less arrest of the criminals. Moreover, new gangs and tactics will arise despite the ban “The business has become so lucrative that I can imagine an entire industry farming towards this – sort of drug cartel.”
He may have a point, Adam Kujawa, director of Malwarebytes Lab, said an outright ban on ransom payments would discourage companies from disclosing a breach and just pay the ransom, undermining investigations into the criminal groups.
Kujawa believes a more productive idea is to require companies to report attacks to a central authority. Most of the pending legislation does exactly that. “We’ve clearly seen that a more effective strategy against ransomware is for everyone to share their attack data and use that information to empower our investigative services to go after the criminals, not the victims,” he stated.
The best solution may be to harden infrastructure, which is what Agarwal and pretty much every vendor says. For example, Airgap makes hardware and software that creates a defence against ransomware. That prevents an overt attack, but if the system is already infected, it initiates a “kill switch.” This isolates infected devices from the rest of the network to what they call the “blast radius.”
The more ominous trend, though, is that the criminals preparing to circumvent legislation. Not only are they encrypting data and ransoming it, they first exfiltrate it. Next, they demand payment to not expose the data. This is called double extortion. The latter requires more technical expertise, subterfuge and patience, but some experts are seeing that transition beginning.
According to Darktrace, a cyber defense and monitoring company, the first double extortion attacks began in late 2019. Maze ransomware was the initially popular malware. When REvil got into the game they used a Sodinokibi attack. And by mid-2020, it was big business as hundreds of organizations fell victim to double extortion attacks, leaking company data.
Dozens of countries have tried to reign in the proem by outlawing payments, but here’s the rub: The fines aren’t as big as the fines for violating the GDPR, the CCPA and New York State privacy guidelines. It’s one thing to shut a company down for a couple of weeks. It’s quite another to reveal the financial information of hundreds of thousands of customers. The UK GDPR sets a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. The EU GDPR sets it at €20 million (about £18 million) or 4% of annual global turnover – whichever is greater.
This is where banning ransom payments becomes problematic. A company may pay more in fines for a breach of customer data than the fine for paying the ransom. The problem is a lack of preparation for an attack.
Darktrace claims a potential client was attacked during their trial phase, and it wasn’t because the service didn’t work. They just never turned on the protection features and failed to see if they had already been infected.
“When it comes to cybersecurity,“ said Agarwal, “the more prepared you are the safer you are. The attackers are playing the ROI game.” Agarwal claimed gangs are investing in each other now. As any venture capitalist group, they are looking at the quality of the return. “If you just make it expensive for them to breach you then they go somewhere else.”
George Finney, CISO of Southern Methodist University and author of Well Aware, takes a more nuanced approach to the issue of banning ransom payments. “Banning ransomware payments, or just restricting them somehow is going to be very complicated to do,” he said, but at the same time, “It would stretch the imagination to think that this problem is just going to go away.”
Finney believes that the answer lies in changing the culture. “I think if people understood that their cyber insurance premiums were going to fund terrorist groups or cyber criminals, I think the industry would would radically change. We ought to do better.”
His primary goal is for individual users to adopt a nine-fold mindset: literacy, scepticism, vigilance, secrecy, culture, diligence, community, mirroring, and deception. “Yeah, that’s a lot,” he admits. “But the first four habits are all internal. They’re things that you do inside yourself by yourself. And the final five habits are all external. We don’t operate in a vacuum, we’re always connecting with other people. Finney said organizations need to build teams around what people can and want to do, but at the same time, learning proper security practices are becoming as necessary as knowing how to drive a car.
“If you want to be a CFO one day, or if you want to be a vice president of sales, you’re going to have to show some acumen when it comes to cybersecurity. It’s not just an IT practice anymore, right? We know that CEOs are being fired for not getting cyber security, right for not protecting their organizations.”
So, in the end, legislation, refusal to participate or spending lots of money on security vendors are half measures. The answer is in getting serious about our use of the tools. Preparation and defence not only makes an organization safer but cost less money.