The Second Wave of a Ransomware Pandemic
In January, we published the Ransomware Pandemic, a report discussing the ever-evolving threat of ransomware and the growing devastation disseminated by these malicious malware strains. The report discussed the future forecast for ransomware and how we imagined the threat would progress in the immediate future. Just six months later, these predictions have already become a reality. In this part of our discussion about the ransomware pandemic, we shall examine these developments and discuss exactly how we, as a community, can begin to confront this ongoing struggle.
Six Months of Chaos
Since the beginning of 2021, ransomware has dominated headlines across the globe. We have witnessed some of the most significant ransomware attacks the world has ever seen—events that have already changed the landscape, evidenced in the way world leaders are responding to these attacks, altering policies and beginning to consider real-world responses.
It is now estimated that worldwide, the cost of ransomware attacks will exceed $265 billion in the next decade, spiralling out of control by 2031 if a solution is not identified. Health care has continued to be a high-value target in these attacks, with significant breaches against Ireland’s department of health and a major attack against New Zealand’s health care system so far this year, both attributed to ransomware. These compromises led to the cancellation of major surgeries and appointments, causing disruption and backlogs in a sector already under a phenomenal amount of pressure.
In May 2021, cyberinsurance giant AXA was hit by a controversial attack, just one week after announcing that they would no longer be covering ransom payments in their cyberinsurance policies. In June 2021 JBS USA Holdings Inc., the world’s largest meat supplier, met an $11 million ransom demand after their systems were compromised, with the CEO stating, “It was very painful to pay the criminals, but we did the right thing for our customers.”
Another sector that has taken a huge hit in 2021 is critical infrastructure. The attack against U.S. fuel supplier Colonial Pipeline in May this year attracted arguably the most public attention the cybersecurity community has ever witnessed following a ransomware attack. A $4.4 million ransom was paid by the CEO just hours after systems were compromised; President Joe Biden declared a state of emergency across America, and Colonial Pipeline suffered a six-day shutdown that left 10,600 gas stations without fuel for over a week.
The frightening truth is that cyberattacks are now threatening critical infrastructure and national security, prompting world leaders to consider taking serious physical actions in response to these attacks. In March 2021, the UK government announced that it would be prepared to launch nuclear weapons if the country faced an exceptionally destructive cyberattack. And in June, the North Atlantic Treaty Organisation (NATO) stated that it was also prepared to launch a military response to cyberattacks. Cyberwarfare spilling over into the physical world is not only terrifying but may become a widespread reality in the near future.
There are many justifiable concerns about this approach; exactly how governments will monitor attacks and identify assailants are just two. It is not always clear during nation-state attacks who your attacker is. Attributed threat groups often change during the investigation stage of an attack, and it can take months before researchers can indisputably establish a connection between a threat group and a specific attack. Many attackers use all available means and measures to hide their identity. If governments react too quickly to these attacks—say, releasing a nuclear weapon or launching a military response on an innocent country—the results could be catastrophic.
One of the biggest ongoing challenges is knowing exactly how organizations should respond to these attacks. It was recently found that 92% of organizations who paid a ransom did not, in fact, get all their data back. Even worse, 80% of businesses that did choose to pay a ransom experienced a subsequent ransomware attack; among those, 46% believe it was caused by the same attackers. Paying the ransom has long been a hotly debated subject within the cybersecurity community and, unfortunately, recent statistics reinforce why paying up may not be your best option when faced with one of these attacks.
A recent study conducted by Talion found that 78% of consumers believe ransomware payments to cybercriminals should be made illegal. If we are to break this illicit ecosystem that is, ultimately, funding criminal empires, we need to cut it off at its financial source. Suppose industries stood together and refused to meet these ransom demands—we could have a long-term solution. However, we cannot ignore the fact that in the short term, this solution would not be so straightforward.
Currently, there is no legal framework in place to guide organizations in responding to a ransomware attack and payment demand. For some time now, discussions have centered around the possibility of making it a crime to pay a ransom demand because, for example, the cybercriminal organization could be funding terrorism. What we need is clear guidance from governments that supports organizations when they are faced with this difficult situation. We need to remove the ambiguity that exists in what is currently a virtual wild west and create an environment that allows organizations to make lawful decisions with support from the government, to limit the impact of an attack. We must consider that banning organizations from paying ransom demands could potentially have catastrophic consequences if it is critical national infrastructure or vital services that are targeted. While paying a ransom is an outcome no CEO desires, sometimes the financial loss is an easier hit to take than the impact to services and supply. If better victim-support mechanisms could first be developed before implementing a ban, we have a better chance at making this option a success.
The Talion survey found that 81% of security professionals believe sharing information between businesses that have been attacked is the key to building better defenses. For many years now, organizations have avoided the limelight post-attack, covering up any compromise and sweeping crucial details under the proverbial carpet. Unfortunately, these actions have contributed to the current global ransomware crisis we face. A more realistic approach, in the short term, is to appeal to organizations to start sharing intelligence with the wider community.
The rejection of secrecy and welcoming of transparency must be adopted worldwide if we are to make real progress in combating these attacks. Breaches are now so common that they can happen to any organization, no matter the size. Being compromised by ransomware does not mean an organization has failed, and while a CEO may feel they are protecting their organization’s reputation by hiding the attack, they are also hiding critical details other organizations need to protect their own estate.
As a community, we grow and learn from mistakes; we should adopt a ‘benefit one, benefit all’ approach. If we, as a nation, can track all ransomware cases, we stand a chance at establishing connections between threat groups, with the potential for ultimately disrupting the whole criminal ecosystem.