How cryptocurrencies have fuelled the ransomware business
You do not necessarily need to have an avid interest in the topic of cybersecurity to appreciate the threat of ransomware. Daily news headlines focusing on the topic mean that the threat being faced by organisations worldwide has become part of common discourse.
So far this year, there have been dozens of widely publicised ransomware attacks. They include the attack on the US Colonial Pipeline, which disrupted fuel supply to much of the East Coast for several days. While the ransomware affected only IT systems, the company shut down its pipeline operations as a precautionary measure. It was later revealed that Colonial paid a $4.4 million ransom, despite having backups, in an effort to get back online as quickly as possible.
In July, US IT firm Kaseya was the focus of an attack by REvil ransomware actors, which used the software vendor to breach and infect hundreds of other organisations and caused disruption worldwide in what is thought to be one of the largest ransomware attacks ever. In Sweden, hundreds of supermarkets had to close because their cash registers were inoperative, and in New Zealand schools were knocked offline. The hackers reportedly demanded $70 million in Bitcoin – to date Kaseya has refused to say whether an extortion payment was made.
As with any other crime, the perpetrators are only in it for the money. Take that away and you take away the incentive. Unfortunately, for most cybercriminals the risks are small: they have little to no chance of being caught, and even if their activity is detected, they have virtually no fear of prosecution.
So, logic dictates that if the money is there, they will carry out the crime. The old cliché “crime doesn’t pay” doesn’t hold any water. Just in the last 12 months, we have observed a sharp increase in the amount of money that attackers are asking for. Amounts that would have previously seemed extreme are now the norm, with most demands that we see coming in being over £200,000, and sometimes running into the millions.
So how did we get into a situation where criminals see companies as easy targets for this level of extortion?
The rise of bitcoin and other cryptocurrencies has enabled ransomware to become one of the most profitable business models in the cybercriminal’s arsenal. Bitcoin is a cheap, reliable and hard-to-block means of payment that offers a high degree of pseudonymity: an address is not tied to a real-world identity unless something off-chain, typically an exchange, links the two. Attackers just need to watch the public blockchain to find out if, and when, their target has paid up. They can also generate a unique payment address for each victim, which lets them tell victims apart and have the decryption key released automatically once the payment to that address is confirmed.
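As an added illustration of the mechanism described above (this is example code, not anything from the article or from any ransomware toolkit), here is how a party watching the chain decides whether a per-victim address has been paid. The same check is what an incident responder or investigator runs against the address in a ransom note to see if, and when, the demand was met. The ledger, transaction IDs and addresses are constructed for the demo and only mimic the fields a block explorer or node returns; the confirmation threshold of six blocks is an assumed policy.

```python
"""Added example: deciding whether a payment address on the public chain has
received a demanded amount, and in which block the demand was met.

The ledger is CONSTRUCTED (hypothetical txids, addresses and heights) and
mirrors the fields a node or block-explorer API exposes: txid, block height
and outputs as (address, value in satoshis). Everything runs offline."""
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000


@dataclass(frozen=True)
class Output:
    address: str
    value_sats: int


@dataclass(frozen=True)
class Tx:
    txid: str
    block_height: int
    outputs: tuple  # tuple of Output


# Constructed ledger; one payment address per victim, as the article describes.
LEDGER = (
    Tx("tx-0001", 700_000, (Output("bc1-victim-a", 5_000_000),      # 0.05 BTC first tranche
                            Output("bc1-change", 123))),
    Tx("tx-0002", 700_004, (Output("bc1-unrelated", 42_000),)),
    Tx("tx-0003", 700_010, (Output("bc1-victim-a", 95_000_000),)),  # 0.95 BTC, completes the demand
    Tx("tx-0004", 700_018, (Output("bc1-victim-b", 30_000_000),)),  # 0.30 BTC, still shallow in the chain
)


def payments_to(address, ledger, tip_height, min_confirmations=6):
    """Confirmed outputs paying `address`: list of (txid, height, confirmations, sats).

    A transaction in the tip block has one confirmation; anything below the
    threshold is ignored so a short reorg cannot make a payment vanish after
    the key has been handed over (or, for a responder, after a report is filed)."""
    found = []
    for tx in ledger:
        confirmations = tip_height - tx.block_height + 1
        if confirmations < min_confirmations:
            continue
        sats = sum(o.value_sats for o in tx.outputs if o.address == address)
        if sats:
            found.append((tx.txid, tx.block_height, confirmations, sats))
    return found


def paid_status(address, ledger, tip_height, demand_btc, min_confirmations=6):
    """Return (paid, height_at_which_demand_was_met, total_sats_received).

    Payments are summed in block order so partial payments across several
    transactions count; amounts stay in integer satoshis to avoid float error."""
    demand_sats = round(demand_btc * SATS_PER_BTC)
    total = 0
    for _txid, height, _confs, sats in sorted(
            payments_to(address, ledger, tip_height, min_confirmations), key=lambda p: p[1]):
        total += sats
        if total >= demand_sats:
            return True, height, total
    return False, None, total


if __name__ == "__main__":
    tip = 700_020
    for victim, demand in (("bc1-victim-a", 1.0), ("bc1-victim-b", 0.3)):
        print(victim, paid_status(victim, LEDGER, tip, demand))
```

Run against a live chain, only `LEDGER` and `tip_height` change: the rest is the same bookkeeping whether the watcher is the extortionist or the responder tracing where the money went.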
In order to manage the threat, there are changes that need to be made that are outside the control of individual companies. Cyber extortion is a crime like any other, and a crime first and foremost. Enhanced international collaboration is required in law enforcement, as well as greater scrutiny of and better legislation around cryptocurrency payments, and the ease with which such currencies can be used to settle ransomware demands.
There has been some development in this area – last year the UK High Court ordered a proprietary injunction over bitcoin following a $1.2 million ransomware attack on a Canadian insurance company that took down more than 1,000 of its computers.
Specialist cyber insurance is available, but that is simply passing on the risk – and also exacerbating the situation. Moreover, if cybercriminals know there is insurance they are, logically, far more likely to attack insured organisations. The result remains the same – everyone loses except the criminals.
From an organisational standpoint, start with the basics. Even the most organised ransomware groups use simple off-the-shelf attack tools, exploit weak user and network controls, and go undetected because of poor network visibility. That means making good security hygiene a habit throughout the organisation: if staff do not understand the risks that come with poor hygiene, it does not matter what technology is put in place to protect the organisation, because the “human element” will remain the business’s greatest vulnerability.
Any firm with a network needs to conduct a thorough review of its security processes and procedures, from both a technological and a human-error viewpoint. Ensure a high degree of cyber-hygiene, with “next gen” endpoint protection and prompt software patching. Business continuity plans should always include an offline backup of all data, and a restore from that backup should be tested regularly, because a backup that has never been restored is an assumption, not a plan. Treat your backup sources as your crown jewels or get-out-of-jail-free cards. They should be fully segmented from the main networks, ideally immutable or write-once, and monitored within an inch of their lives. Any attempt to access them outside the scheduled backup job, successful or not, should be alerted on and fully investigated.
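To make the “alert on any attempt to access the backups” advice concrete, here is an added example of the detection logic (it is not from the article and describes no particular product). It assumes a policy where the only expected activity on the backup hosts is the backup service account, connecting from the backup subnet, during the nightly window; the log lines are constructed key=value records in the style of a syslog feed, and the hostnames, usernames and subnets are hypothetical.

```python
"""Added example: flag every access to backup hosts that is not the scheduled
backup job itself. Policy values, hosts, users and subnets are ASSUMED;
the log lines are CONSTRUCTED for the demo."""
import ipaddress
import re
from datetime import datetime, timezone

# Assumed policy: one service account, one source subnet, one maintenance window.
ALLOWED_USER = "svc-backup"
ALLOWED_SRC = ipaddress.ip_network("10.20.0.0/24")
WINDOW_UTC = (1, 5)                      # nightly job runs 01:00-05:00 UTC
DESTRUCTIVE = {"delete", "purge", "rotate-disable"}  # actions that shrink the restore window

KV_RE = re.compile(r"(\S+)=(\S+)")


def parse(line):
    """'<ISO timestamp> key=value ...' -> dict with a timezone-aware 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def classify(event):
    """Reasons this event should alert; an empty list means expected job activity."""
    reasons = []
    if event.get("user") != ALLOWED_USER:
        reasons.append(f"unexpected principal {event.get('user')}")
    src = ipaddress.ip_address(event["src"])
    if src not in ALLOWED_SRC:
        reasons.append(f"source {src} outside backup subnet")
    hour = event["ts"].astimezone(timezone.utc).hour
    if not (WINDOW_UTC[0] <= hour < WINDOW_UTC[1]):
        reasons.append(f"outside backup window ({hour:02d}:00 UTC)")
    if event.get("action") in DESTRUCTIVE:
        reasons.append(f"destructive action {event['action']}")
    # A failed attempt is as interesting as a success: someone is probing the crown jewels.
    if event.get("result") == "failure":
        reasons.append("failed access attempt")
    return reasons


def alerts(lines):
    """(timestamp, host, user, reasons) for every line that violates the policy."""
    out = []
    for line in lines:
        event = parse(line)
        reasons = classify(event)
        if reasons:
            out.append((event["ts"].isoformat(), event.get("host"), event.get("user"), reasons))
    return out


# Constructed sample: two lines of legitimate job activity, then an intruder
# first failing and then succeeding with a user's credentials, then the
# service account's credentials reused from the user segment to delete backups.
SAMPLE_LOG = [
    "2021-07-05T02:14:09Z host=bkp-01 user=svc-backup src=10.20.0.5 action=write result=success",
    "2021-07-05T02:15:40Z host=bkp-01 user=svc-backup src=10.20.0.5 action=verify result=success",
    "2021-07-05T13:02:11Z host=bkp-01 user=jsmith src=10.1.4.77 action=login result=failure",
    "2021-07-05T13:02:30Z host=bkp-01 user=jsmith src=10.1.4.77 action=login result=success",
    "2021-07-05T13:03:02Z host=bkp-02 user=svc-backup src=10.1.4.77 action=delete result=success",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

The last sample line is the one that matters most in a real incident: the right account doing the wrong thing from the wrong place. A rule keyed only on username would miss it, which is why every dimension of the expected job (who, from where, when, doing what) is checked independently.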
These are just the starting points for protecting against ransomware. Once you are happy with the basics you can start looking at your detection and response, policy and procedure, and more advanced threat hunting and system hardening. The market conditions for ransomware, the availability of cryptocurrency, and the head-in-the-sand approach of many organisations, have created a fertile environment. We must all work together to prevent further growth.