The day the Irish Health Service Executive computers were crippled by Russian hackers may never be forgotten by the medics, IT specialists, government officials and others who quickly grasped the potential impact of such a crisis during a pandemic and played their part in ensuring it did not cost lives.
But for Sergey Golovanov, in the Moscow headquarters of Russia’s main cybersecurity firm, May 14th was just another day, and the HSE was just another hapless victim of a straightforward attack using the online weapon of the moment: ransomware.
“There was nothing special or magic about it,” says Golovanov, chief security expert for Kaspersky Lab, one of the specialist firms that Interpol and other international law enforcement agencies approach for assistance with such incidents.
“The number of victims of this type of ransomware is in the thousands. The tactics and processes that the bad guys use are working. So for us, it was just a regular case.”
Golovanov has seen a surge in recent years in the volume and scale of ransomware attacks – in which criminals hack into computer systems, encrypt important data and demand money to unlock it – and especially since the emergence of Covid-19.
Coronavirus has prompted much of the world to work remotely via often poorly protected computers, massively expanding what experts call the “attack surface” for hackers to exploit. In a similar way, the growth of cryptocurrencies has made it much easier for criminals to collect ransoms anonymously and remotely, without needing to move or launder cash or goods at a time of widespread travel restrictions.
Golovanov says Covid-19 has fuelled an “epidemic of ransomware” – a scourge that the US and its allies now recognise as a security threat and is set to thrive as the Omicron strain of the virus races around the world.
Healthcare has become a more frequent target of cybercrime during the pandemic, due in part to the vulnerability of many hospitals’ ageing IT systems and to the huge pressure that can be exerted on officials to pay up when patients’ lives could be at risk.
“Healthcare systems in many states are privatised and therefore … not necessarily covered by state protection,” says Rónán O’Flaherty, operations researcher at the Nato Co-operative Cyber Defence Centre of Excellence in Estonia.
“Healthcare companies, being private and containing sensitive personal data, may, in the assessment of ransomware gangs, be ideal victims: pay or go out of business.”
Last year the US medical sector reported dozens of cyberattacks and data breaches, potentially affecting more than 40 million patients – a trend that is predicted to continue this year.
“Our assessment is that Covid-19 cybercriminal activities will continue and will adapt to emerging Covid-19 topics and regional phases of the pandemic,” European Union cybersecurity agency Enisa says in a recent report.
“Healthcare and the public health sector will certainly continue to be heavily targeted by ransomware groups as long as the pandemic lasts,” the agency adds. “We are observing the golden era of ransomware – it has become a national security priority.”
The US treasury department’s financial crimes enforcement network reported $590 million (€525 million) in suspicious activity related to ransomware during the first half of 2021, compared with $416 million (€370 million) for the whole of 2020; over the first six months of 2021, the agency also identified some $5.2 billion (€4.6 billion) in bitcoin transactions from virtual wallets that are associated with groups controlling 10 major types of ransomware.
The danger of ransomware appeared to have hit home in Washington last spring and summer, with attacks attributed to Russian hackers on major software firm Kaseya; the world’s largest meat processor JBS; and on the Colonial Pipeline, the biggest carrier of petrol and jet fuel in the US, which shut down for six days in May.
Those incidents, like the attack on the HSE, highlight the havoc-wreaking potential of crooks who can be thousands of miles away, safe from extradition, and endowed with relatively few resources or technical skills
Such is the boon for the criminal world – and the nightmare for law enforcement and potential targets – that there has been an emergence of “ransomware as a service”.
For a subscription fee or a cut of profits, a creator of ransomware will now lease it to others, even offering technical support as part of a package that “sets a relatively low barrier for conducting this type of cybercrime and allows inexperienced cybercriminals to conduct ransomware attacks,” according to Enisa.
“It’s a business,” says Golovanov, “and the organisers are looking for affiliates to be involved in a criminal scheme.”
Ransomware syndicates – most of which operate with impunity in Russia – still mount attacks on their own behalf. One of the most notorious, known as Wizard Spider, is suspected of attacking the HSE with powerful malware called Conti.
“There are leaders who develop technologies, and another group hacks the victims and a third group negotiates,” Eugene Kaspersky, founder of Kaspersky Lab, says of the structure of such syndicates.
“The different groups don’t know each other, only by nicknames, and they share the profits. Or sometimes there are scandals and they don’t share the profits and they blame each other,” he says.
“Some groups develop malicious code and sell it to hackers … Others sell access to a pre-infected botnet (a network of compromised computers); others steal data and sell it.”
One part of a cybercrime gang might try to hack into a business with the aim of gradually draining funds from its accounts; but if they fail, the firm’s stolen data will be given to another “department” for extortion through ransomware.
“It’s like a business,” says Kaspersky, “but they don’t pay taxes.”
Ciaran Martin, who was the first chief executive of Britain’s National Cyber Security Centre in 2016-2020, believes that even before the pandemic, ransomware was “visibly getting out of control to people who paid attention to cybersecurity”.
“The ubiquitous availability of cryptocurrency was fuelling it, the total absence of consequences and the willingness to pay amongst victims,” says Martin, who grew up in Omagh and is now professor of practice at Oxford’s Blavatnik School of Government.
“One of the great lessons of cybersecurity in the past 10 years is that we did fixate a lot on major state threats – and that’s understandable – and we probably underestimated just how far cybercrime was getting out of control,” he says.
“The core reason is, for the first time in human history you can inflict large-scale crime on a wealthy entity without you or an accomplice ever setting foot in it. And the safe haven problem is really difficult. That’s why I think we’ve seen a noticeable increase in cybercrime, not just because we’re all working from home insecurely.”
The main safe haven for cybercriminals is Russia, and Kaspersky, like Irish investigators, thinks the HSE hackers probably launched their attack from Moscow.
US president Joe Biden has repeatedly urged Russian counterpart Vladimir Putin to take action against Russian hackers, but to little effect.
At a meeting in Geneva in June last year, Biden handed Putin a list of 16 sectors, including healthcare, which he said should be off-limits to cyberattacks; in October, he hosted a two-day online summit on the threat of ransomware, to which the leaders of 30 states – but not Putin – were invited.
“Based on levels of activity, it seems that after the summer crisis – HSE, the big US hacks … and Geneva summit – there was a bit of pushback from the [Russian] state at least to get [cybercrime groups] to lie low for a while,” says Martin.
“Now that seems to be easing back to pre-summer levels … It appears to have been just a brief lull. We’re not seeing any effective signs of co-operation.”
Martin was speaking to the Irish Times before Russia’s security services announced on Friday afternoon that they had arrested members of the notorious REvil hacking group and “neutralised” it at the request of the US. On Twitter, Martin said of the operation: “If true, and sustained, then extraordinarily significant on Russia and ransomware.”
The West’s relations with the Kremlin are dominated by fears that Moscow could launch an all-out invasion of Ukraine, which analysts say would include cyberattacks by highly skilled Russian operators who work in a grey zone that overlaps the state security services and the criminal world.
Since Moscow annexed Crimea and launched an undeclared war in eastern Ukraine in 2014, hackers in Russia have subjected its neighbour to a barrage of cyberattacks, including at least two operations that temporarily shut down power stations in Kiev and other Ukrainian cities.
Ukrainians woke up on Friday to find that many of their government’s websites had been brought down by an overnight cyberattack and defaced with a message reading: “All your personal data was uploaded to the public network…be afraid and expect worse.”
The identity and location of the hackers and the scale of the damage were not immediately clear. “Russia bombards and batters Ukraine through cyberattacks,” Martin says. “You could expect that if the situation gets worse there, then there would be further cyber disruption.”
The growing availability of powerful malware increases the risk that an attack could spiral out of control as in 2017, when a Russian computer “worm” dubbed “NotPetya” infected business software in Ukraine, then tunnelled through networks around the world, causing chaos at several major companies in what technology magazine Wired called “the most devastating cyberattack in history”.
The attack fuelled concerns that a major ransomware or other cyberattack could have unintended consequences, potentially endangering critical infrastructure and pushing states towards conventional war between armed forces.
Martin, a former head of cybersecurity at Britain’s GCHQ electronic surveillance agency, is sceptical about such a scenario, saying it is “thankfully harder to start a war via cyber than it looks”.
Severe IT disruptions to healthcare, a power grid, transport network or other systems are more likely to cause mass inconvenience than mass casualties, he argues, and countries with cutting-edge cyber capabilities know that their deployment against another state could not be disguised as the work of clumsy crooks.
“I think the evidence of the last 10 years is that Russia is no more likely to deliberately target, say, a British hospital or cause a power outage in London than it is to bomb the facility from the air, because it knows that would be a geopolitical act.”