The last few months have seen a sharp rise in cyberattacks, often disrupting products and services that are key to our everyday lives. Many of those attacks have used ransomware, a set of tools that lets hackers gain access to computer systems and disrupt or lock them until they get paid.
Ransomware is not new. But there is a growing trend of hackers targeting critical infrastructure and physical business operations, which makes the attacks more lucrative for bad actors and more devastating for victims. And with the rise of remote work during the pandemic, significant vulnerabilities have been revealed that only make it easier to carry out such attacks.
The US Department of Justice in April created a ransomware task force, after declaring 2020 the “worst year ever” for extortion-related cyberattacks. The issue only seems to be getting worse: The first half of 2021 has already seen a 102% increase in ransomware attacks compared to the beginning of last year, according to a report from cybersecurity firm Check Point Software. That doesn’t even factor in the most recent events, including the announcement Wednesday from a ferry operator in Martha’s Vineyard, Cape Cod and Nantucket that it was hit by a ransomware attack.
The US government is now ratcheting up efforts to address the threat of ransomware, but experts warn that without significant cooperation and investment from the private sector, these attacks are likely here to stay.
Many people think of cyberattacks as just that: an attempt by hackers to steal sensitive data or money online. But now hackers have found a significant moneymaker in targeting physical infrastructure.
Bigger targets, better returns
These attacks have potential to spark mayhem in people’s lives, leading to product shortages, higher prices and more. The greater the disruption, the greater the likelihood that companies will pay to alleviate it.
“If you’re a ransomware actor, your goal is to inflict as much pain as possible to compel these companies to pay you,” said Katell Thielemann, Gartner’s vice president analyst for security and risk management. “This is beyond cybersecurity only, this is now a cyber-physical event where actual, physical-world processes get halted. When you can target companies in those environments, clearly that’s where the most pain is felt because that’s where they make money.”
Multiple recent ransomware attacks have originated from Russia, according to US officials. On Wednesday, the FBI attributed the attack on meat producer JBS to Russia-based cybercriminal group called REvil, which also tried to extort Apple supplier Quanta Computer earlier this year. REvil is similar to DarkSide, the group US officials said was behind the ransomware attack that shut down the Colonial Pipeline last month.
Experts say both REvil and DarkSide operate what are essentially “ransomware-as-a-service” businesses, often employing large staffs to create tools to help others execute ransomware attacks, and taking a cut of the profits. In some cases, they also carry out their own attacks. Russian law enforcement typically leaves such groups operating within the country alone if their targets are elsewhere, because they bring money into the country, cybersecurity experts say.
JBS has not said whether it paid any ransom to the attackers, but Colonial Pipeline’s CEO admitted to paying $4.4 million in ransom to resume its operations. Experts typically advise against paying ransoms to avoid funding the criminal groups that impose them, but companies sometimes have little choice to get back up and running.
The list of potential targets is long. The US government’s Cybersecurity and Infrastructure Agency (CISA) lists 16 different industries as “critical infrastructure sectors,” including energy, healthcare, financial services, water, transportation, food and agriculture, the compromise of which could have a “debilitating effect” on the US economy and security. But experts say much of this infrastructure is aging, and its cyber defenses haven’t kept up with the evolution of bad actors.
To make matters worse, many companies in those industries haven’t historically thought of themselves as tech companies, meaning their systems may be less sophisticated and easier to compromise, according to Mark Ostrowski, head of engineering at Check Point.
“So hospitals, their business is to save lives; meat and poultry is to produce goods and services; pipelines are to create gas exchange or oil exchange,” he said. “Those certain industries also may be targeted because maybe they’re behind in their [software] patching, maybe their cyber program is not quite what it needs to be.”
This has become increasingly true in recent years. As technology has evolved, more physical infrastructure has been embedded with connected devices that link it with a company’s larger network. Even if a hacker enters a company’s network through its email system, for example, they could have the opportunity to wreak havoc on the machines in its production facilities or other areas of the business.
“The world is becoming more connected” and we should expect the risks “to multiply across all of these industries,” Thielemann said.
How the pandemic made things worse
It’s not a coincidence that ransomware has spiked during the pandemic.
The health crisis is a perfect storm, with millions of people shifting to remote work almost overnight — including workers who may have access to critical infrastructure systems — and ransomware that can be deployed simply by clicking a link in an email.
“Critical infrastructure was always designed to have the control systems isolated and physically separate from the corporate network and the internet,” said Eric Cole, a former cybersecurity commissioner to the Obama administration and author of the new book “Cyber Crisis.”
“Initially for automation and accelerated by the pandemic, these systems are now connected to the internet. … The known vulnerabilities make them an easy target,” Cole added.
The pandemic also heightened certain targets, as hackers sought opportunities to profit by attacking crucial services.
In particular, hospital systems and other health providers frequently came under attack even as they struggled to deal with the strain of Covid-19 — leaving them little time to respond and update defenses. An analysis by CISA between March and November 2020 showed that 49% of healthcare providers it surveyed had “risky ports and services” and 58% of them were using software versions vulnerable to attack.
An analysis by cybersecurity firm Emsisoft published in January showed that as many as 560 healthcare facilities were hit by ransomware last year. More than 1,500 schools and 113 government agencies were also impacted, the firm said.
The targeting of healthcare facilities appears to predate the pandemic — Emsisoft’s previous research showed that 764 healthcare providers suffered ransomware attacks in 2019, though overall attacks tracked by the firm went up in 2020.
What needs to be done
Companies, organizations and agencies will now need to work as quickly as possible to plug potential gaps in their systems, updating software and ensuring that their most critical functions are sufficiently insulated from cyberattacks.
President Joe Biden last month signed an executive order requiring companies doing work for the government to improve their cybersecurity practices — stipulations that Congress could expand to other private firms underpinning infrastructure and other critical levers of the US economy. On Wednesday, following the JBS and ferry attacks, White House press secretary Jen Psaki said the administration is also “building an international coalition to hold countries who harbor ransom actors accountable.”
On Thursday, the White House issued an open letter urging companies to treat the threat of ransomware attacks with greater urgency, saying companies that “view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”
“Every company needs to be able to heighten this and become preventative because these attacks are weapons-grade. They’re not just casual attacks,” Ostrowski said.
For companies, the easiest fix is to keep the most vital infrastructure functions off the web — and to keep any online systems up to date with software patches, Cole said.
And while systems-level upgrades or overhauls may sometimes be necessary, Ostrowski said the risk often comes down to individual behavior. Most ransomware is distributed through phishing attacks, where users are tricked into clicking a link on an email that gives the hackers broad access to their system.
“It’s actually very simple. As a cybersecurity community we’ve been trying to solve the email problem for decades,” he said. “It’s about solving and preventing phishing attacks, number one, and that will lead to anti-ransomware technologies.”
In many cases, companies in healthcare, food or energy have few, if any, executives or board members with the technical background or know-how needed to help mitigate cyber risks, something that also needs to change as bad actors become increasingly sophisticated.
“I think the industries expect these number of attacks to continue to increase,” Ostrowski said. “If anything, what this has highlighted is how important our supply chains are.”