Ransomware is not a new phenomenon. The earliest recorded incident goes as far back as the 1980s. However, today’s ransomware operates at a scale and sophistication that makes it virtually unrecognizable from its early predecessors.
Each year, ransomware attacks hit a new high. According to its annual Internet Crime Report, the FBI received almost 2,500 ransomware complaints in 2020, up about 20 percent from the 2019 numbers. If incidents capturing media attention are anything to go by, 2021 is continuing this trajectory, from the disruption of a critical pipeline to obstructed operations at a major insurer.
The relentless attacks are further compounded by ever-higher ransom demands, which organizations, worried about the impact of extended disruption, are paying. The payouts have enraged policymakers and lawmakers while emboldening demands in subsequent ransomware attacks.
So what has been the root cause of this recent rise in ransomware attacks? Multiple factors are at play here.
Global Internet Penetration
Internet penetration has rapidly accelerated in developing economies. By the end of the first quarter of 2021, there were more than 4.7 billion Internet users worldwide. No longer is access limited to the world’s wealthiest countries, or the rich and upper-middle class.
This growth has to a large extent been thanks to the ubiquity of the smartphone. In 2020, smartphone vendors shipped more than 1.3 billion devices, a number that far exceeds the 275 million PCs shipped over the same period.
While having more of the world online is a good thing, it inevitably means more criminals coming online as well. If the opportunity arises, individuals and groups who already have a criminal past offline would have no qualms about transitioning their activities online. Ransomware provides an avenue to do just that.
Cryptocurrency’s rise has been a classic case of unintended consequences. While it has continued to draw attention as an alternative currency outside the control of nation-states and regulators, it has also become a magnet for underworld business. Cryptocurrencies are challenging to track and lightly regulated (if at all), making them attractive to cybercriminals.
In the past, the difficulty of extracting proceeds of crime from the international banking system was a significant impediment to the proliferation of ransomware. Cryptocurrency has effectively ‘solved’ that bottleneck.
A recent Institute for Security and Technology report found the number of victims paying ransoms following a ransomware attack grew 300 percent in 2020 compared to 2019. In 2021, millions of dollars have so far been paid out to ransomware groups.
- Brenntag, a German chemical distributor, paid a $4.4 million ransom.
- Colonial Pipeline paid out $5 million to cybercriminals when a ransomware attack stalled its operations. Fortunately, about half of the ransom was recovered.
- Meat-packing behemoth JBS’s CEO admitted that the company had to part with an $11 million ransom.
- CNA Financial forked out a staggering $40 million.
These large payouts set a precedent that cybercriminals are taking note of. Worse, the attackers are rarely caught since the transactions are difficult to track. Such promising prospects have made ransomware a popular get-rich-quick scheme even for criminals who would otherwise not be interested in cybercrime or lack the technical skills to engage in it.
High Profile Targets
The ransomware targets covered in the previous section are large organizations.
- Colonial Pipeline is one of the largest distributors of petroleum products in the United States, delivering about half of the fuel needs of the East Coast. The pipeline’s shutdown led to fuel shortages, panic buying, price hikes, and the federal government’s declaration of a state of emergency.
- JBS is the world’s largest meat processor by sales. The company generated more than $52 billion in revenue in 2020. Headquartered in Sao Paulo, Brazil, the company has nearly 150 industrial plants across the world. Its US subsidiary raked in nearly $28 billion in sales in 2020.
- CNA Financial is the seventh-largest commercial insurer in the US.
Each of these companies probably invests millions of dollars each year in cybersecurity. To be breached by a ransomware attack sends a message to attackers that no organization is impregnable. This only serves to encourage cybercriminals to seek out the most prominent targets in hopes of securing a significant payoff.
Ransomware-as-a-service (RaaS) refers to a criminal enterprise model whereby ransomware variants are leased to criminals. RaaS initially surfaced a few years ago but has gained traction over the last one to two years.
Its popularity stems from the fact that it makes it possible for non-techie bad actors to launch a sophisticated ransomware attack.
RaaS works like a structured organization with profits shared between the attacker, the service provider, and the programmer. The result of RaaS is that the overall number of people who can effectively launch a complex ransomware attack has grown significantly.
Remote work was already a growing trend, but it received fresh impetus with the COVID-19 pandemic. As governments enforced social distancing requirements, organizations had to scramble to get most of their staff working from home.
This rush resulted in many people accessing business systems and sensitive work-related data over unsecured or less secure personal devices and private networks. Users were also likely to have weaker IT controls at home than they did at work.
All these provided fertile ground for ransomware and other cyber threats to flourish.
No one country is home to ransomware attackers. However, US officials and cyber experts have regularly pointed out that several significant cyberattacks hitting the US recently can be attributed to Russia or Russia-leaning groups.
To many cybersecurity experts and policymakers in the US, Russia is providing a haven for ransomware hacking groups as long as they do not target entities or persons inside Russia. Cybersecurity authorities assert that Russia has cooperated with Eastern European hackers in the past.
The ransomware attacks must be viewed in the context of long-running tensions between the US and Russia. These tensions are hampering the ability to create a united global front in tackling the ransomware problem.
Wrapping Up: Proactive Action is Key
Ransomware is a growing threat. It’s imperative that governments, businesses, and IT security professionals continuously explore ways they can contain or counter the threat. The better prepared an organization is, the less disruptive and less expensive a ransomware attack is likely to be. Acting proactively is vital. Proactive actions include:
- Employee ransomware awareness
- Backing up data
- Applying system updates and security patches as soon as they are available
- Contracting third-party cybersecurity experts and ethical hackers
- Buying cyber insurance
Awareness is necessary because ransomware attacks often tap into social engineering techniques to get ordinary users to download attachments, install programs, or click URLs. Organizations should have a contingency plan that kicks in and transitions operations if central production systems are inaccessible.