
On 7 May, hackers forced a major oil pipeline in the US to shut and prompted US president Joe Biden to declare a state of emergency. Within hours of the hack, which started the day earlier, Colonial Pipeline Company paid a ransom of 75 bitcoin – worth $4.4 million at the time – to recover the data being held hostage.
According to the US Federal Bureau of Investigation, the , a criminal group that rents software to third parties to carry out cyberattacks in return for a share of ransoms. Retaliatory action from a US government agency has reportedly .
Ransomware isn’t limited to one bad actor. There are a host of competing, interlinked outfits that are large, organised and difficult to prosecute. And as long as people keep paying the ransoms, the problem isn’t going away.
Advertisement
Ransomware is a particularly insidious type of malware that seizes data and threatens to release it publicly or destroy it if a ransom isn’t paid. Regular backups can solve half that problem, but huge data leaks of customer or citizen information can still spell disaster. In one notorious case from 2018, hackers released patients’ private details and sensitive session notes from a chain of Finnish psychotherapy clinics, and then directly extorted the patients.
Many ransomware gangs are based in countries beyond the reach of Western law enforcement, which makes stopping them tricky. Nigel Leary at the UK’s National Crime Agency says that perpetrators are often found to be Russian speaking, although their exact location can be hard to determine.
But he says one thing is certain: groups like DarkSide have lowered the barriers to entry for ransomware attacks. No longer is technical savvy a prerequisite. As a result, the number of attacks has risen rapidly.
Business consultancy Accenture says there was a 160 per cent increase in ransomware attacks in 2020 compared with the previous year. Some ransomware gangs are thought to have made hundreds of millions of dollars and more than half of businesses pay up, according to security firm Kaspersky.
It is so widespread that a recent cyberattack on Ireland’s Department of Health was described by a minister as a “commonplace” event. But these attacks can have huge consequences. The in 2017 reportedly cost the UK’s National Health Service £92 million.
The groups target a range of weaknesses, both technical and human. Updating software and educating staff will help, but in truth there is a game of cat and mouse between ransomware groups, software developers and law enforcement agencies – and no end in sight.
David Rose runs a small UK-based software company and was recently hit by just such an attack. “We had to take all the servers down. It just spread through everything,” he says. “All our customers are running their businesses from the software, so all their customer details are in the database.“
The attacker provided a bitcoin address for a ransom payment. Rose simply restored the servers from recent backups and refused to pay, but èƵ investigations showed that at least one other victim did make a payment of the same amount requested to the same wallet.
Rose tried to report the matter to police via Action Fraud – a centralised reporting service run by the City of London Police – but was told in an email that “Home Office Counting Rules set out the circumstances under which we can record a crime and on this occasion the matter you reported to us cannot be classified as a police recorded crime”. After further enquiries from èƵ, the City of London Police said that the matter had been “misclassified” and would now be investigated.
UK home secretary Priti Patel said earlier this month that companies should stop paying ransoms. The same approach has long been advocated by the FBI. Insurance giant AXA has already said that it will no longer be reimbursing those who pay ransoms in France – a week before it was itself victim of a ransomware attack. It isn’t known if that was direct retaliation or coincidence, or whether the company chose to take its own advice.
at tech company Cisco agrees that companies should refuse to pay. “Anyone paying the ransom should be under no illusion that they are not contributing to the problem. They should also be aware that they are highlighting themselves as a profitable prospect for future attacks,” he says.
Given the large costs involved in data losses, it is easy to see why a business would pay a ransom. Particularly if it also means that they can keep their breach under wraps from customers and investors. But a payment is no guarantee that an attacker will do what they promise, or that they won’t come back for more cash.
One solution would be increasing the amount of resources available to investigate and prosecute these crimes, says Leary.
The takedown of DarkSide shows that states can take offensive action when ransomware groups affect critical infrastructure, but as long as attackers can hide behind borders free from prosecution or extradition, the problem is unlikely to disappear.
Sign up for a weekly newsletter of èƵ’s best content for Americans