Four years ago, in a May 2017, Take on Payments post, my colleague Doug King echoed the concern of cybersecurity experts, warning that 2017 and 2018 were going to be the “Year(s) of Ransomware.” This warning came as ransomware attacks were increasing in frequency and being carried out against higher-profile targets. In 2018, the City of Atlanta was attacked. Following the recommendations of law enforcement officials, the city refused to pay the $51,000 ransom. Many city services involving utility billing and traffic court were disrupted for as long as a year, and officials estimated the price tag of investigation and remediation at $17 million.
In its latest report, cybersecurity firm Group-iB described the results of its analysis of more than 500 ransomware attacks: not only did the numbers of attacks in 2020 increase by more than 150 percent over the previous year, but also the sophistication of the attacks themselves had substantially increased.
Over the last month, high-profile attacks against an oil pipeline operation, meat processor, and digital services provider have been reported. While attacks against corporate targets often have limited impact on the general public, the Colonial Pipeline attack led to a shutdown of a major supply pipeline servicing the eastern United States, triggering panic buying and complete outages at more than 11,000 gas stations in addition to a spike in retail gasoline prices, according to a Newsweek article.
Ransomware attack strategies have a number of variables, including the type of criminal organization behind the attack, the target industry, or the size and method of infiltration, whether that’s phishing or finding a network or software security vulnerability or something else. One of the largest concerns of law enforcement is the emergence over the last few years of criminal organizations that provide ransomware as a service (RaaS), as was the case in the Colonial Pipeline cyberattack. Under this scheme, the criminal organization sells or leases their ransomware programming code to users who use it to attack their targets. The Group-iB report indicated that RaaS was used in approximately two-thirds of the ransomware attacks in 2020.
The Ransomware Task Force—an international group of cybersecurity experts from industry, government, law enforcement, and the public sector—was formed in early 2019 to address this threat. In early April, it delivered to the U.S. government a report with recommendations for combatting ransomware attacks. The following list includes some of the 48 recommendations:
- Make proactive diplomatic and law enforcement efforts to reduce and eliminate nation-states from providing protection to ransomware criminals.
- The United States should take a lead role in implementing a comprehensive anti-ransomware campaign including creating a task force composed of government agencies and private industry.
- Organizations should be mandated to report ransomware payments and to consider alternatives before making such payments.
- Since cryptocurrency is predominantly used for ransomware payments, the cryptocurrency operators should be more closely regulated.
On April 21, the U.S. Department of Justice (DOJ) announced the formation of the Ransomware and Digital Extortion Task Force to “bring the full authorities and resources of the Department to bear to confront the many dimensions and root causes of this threat.” An early success of the departments working through the Task Force was detailed on June 7, when the DOJ announced that it had recovered approximately $2.3 million of the $4.4 million ransom paid by Colonial Pipeline.
We will continue to follow the ransomware threat, recognizing that no type of industry or size of business is safe from such an attack.