All eyes turned to ransomware last week as D.C. police suffered an attack and a public-private sector collaboration known as the Ransomware Task Force (RTF) delivered an intensive slate of recommendations for tackling these cyber threats.
Losses to ransomware intensified over the course of 2020, and the Department of Justice reportedly said last year was the most expensive yet for victims of these attacks, with cyber criminals demanding an average of $100,000 in each incident.
Recent years have seen growing recognition that ransom money is far from the only matter at stake in such events, either. Attacks that disrupt hospitals, utilities and other critical services providers, or expose data kept secret for safety reasons, can put health and life at risk, the RTF said in its report.
“Cyber crime is typically seen as a white-collar crime, but while ransomware is profit-driven and ‘nonviolent’ in the traditional sense, that has not stopped ransomware attackers from routinely imperiling lives,” the group wrote.
ASSESSING THE THREAT
Bad actors deploy ransomware to seize control of victims’ files and typically encrypt them, preventing the victims from accessing the data until they pay up. More recent trends see criminals instead — or in addition — threaten to publish the sensitive data.
Ransomware is also becoming accessible to a wider array of perpetrators as it becomes more common for developers to make and provide malware to less tech-savvy criminals for the latter’s use in exchange for a fee or cut of the ransom — an illegal business practice known as ransomware as a service (RaaS).
Governments have a variety of tools at their disposal for responding to these and other kinds of cyber crime. Agencies such as the U.S. Secret Service (USSS) and FBI investigate such threats, dividing up responsibility based on the severity of the events and motives. The USSS only investigates cyber crime that has a financial objective, while the FBI acts more broadly, said U.S. Secret Service Assistant to the Special Agent in Charge and Chicago Cyber Fraud Task Force member Patrick Hogan, during the recent Information Security Media Group (ISMG) Virtual Cybersecurity Summit: Midwest event.
The federal government also ranks cyber incidents from a low of 0 to a high of 5 based on their level of impact, with the FBI covering incidents rated 3 or higher, Hogan explained. For comparison, the 2013 Target data breach ranked as a 1, he said. Criminals in that malware attack penetrated Target’s customer service database to access payment card account details for 41 million customers and contact information on 60 million. The retailer ultimately paid $10 million in a class-action lawsuit settlement with impacted customers.
Some ransomware deployments are politically motivated and launched by terrorist and nation-state actors, while others are driven primarily by financial desires. All cases can pose serious threats.
For example, hacking group Babuk claimed responsibility for the April 2021 ransomware strike on the D.C. Metropolitan Police Department and threatened to expose the identities of police informants, which could jeopardize their safety.
Jersey City’s Municipal Utilities Authority, meanwhile, signed a six-figure technical restoration service contract in January 2021 to stave off a “public health crisis,” after it continued to wrestle with the aftermath of a September 2020 attack that had locked up “vital” water and sewer services data.
A RISING PRIORITY
The past few years have seen states reassess the threat, with Texas in 2017 making use of ransomware a misdemeanor or felony, depending on the kind of data seized and the ransom size sought, while West Virginia made it a felony in 2020 and Oklahoma mulled following suit in March 2021. While these policies specifically call out ransomware, the events are prosecuted on the federal level based on broader anti-cyber crime laws that prohibit the kinds of activities under which ransomware typically falls.
The RTF’s report now calls for the U.S. and other governments and stakeholders worldwide to elevate ransomware in their priorities and take a more coordinated approach to thwarting perpetrators. Reducing the danger of these schemes involves not only bolstering efforts to prevent them from occurring in the first place but also stepping up efforts to help victims better respond when hit by such attacks and to impede bad actors’ abilities to profit even if they do secure ransoms, authors said.
The report reflects views of more than 60 representatives of academic institutions, cybersecurity solutions providers, public agencies, nonprofits and software companies gathered by the Institute for Security and Technology (IST) to form the task force.
THE VICTIM’S DILEMMA
Those subjected to ransomware face a difficult choice. Paying brings no guarantee that cyber criminals will uphold their ends of the bargain, and not all hackers may even manage to successfully hand back the data, with threat protection solutions provider Emsisoft stating that issues in Babuk’s code could inadvertently cause even some compliant victims to still lose their data.
Handing over funds also, of course, reinforces to cyber criminals that these are profitable attacks. Victims may also be hit with fines by the federal government should they pay ransom to bad actors who are on sanctions lists, and it is not always easy to quickly discern which perpetrators qualify.
But paying up sometimes feels like the better of two bad choices. It means critical infrastructure providers can restore services rapidly before loss of access to them causes serious damage. It also may be the relatively affordable option for smaller entities when weighed against the costs of rebuilding permanently locked-up systems, the Task Force report notes.
MAKING SURE CYBER CRIME DOESN’T PAY
The RTF report therefore recommends governments take steps like providing financial support to help injured parties hold out longer and requiring victims to consider alternative responses and perform cost-benefit analyses to make sure it’s really worth paying. But authors stopped short of recommending a ban on paying ransom entirely, because such a freeze would likely trigger criminals to seek to make their attacks more painful, such as by ramping up efforts and more heavily targeting the kinds of victims that can least afford operational interruptions.
“Any intent to prohibit payments must first consider how to build organizational cybersecurity maturity, and how to provide an appropriate backstop to enable organizations to weather the initial period of extreme testing,” said the task force.
Stymieing cyber criminals can entail making it harder for them to profit from any money they do collect from victims. To that end, the RTF recommended nations tighten oversight and compliance rules on the cryptocurrency sector to make it more difficult for perpetrators to receive ransoms anonymously or launder the ill-gotten gains. The task force suggested governments worldwide bring crypto exchanges’ and similar businesses’ anti-money laundering (AML), countering the financing of terrorism (CFT) and know your customer (KYC) requirements into closer alignment with those followed by financial institutions.