Ransomware fast becoming the greatest US security threat

Cybersecurity digital technology security, fingerprint, computer, technology, cyber security, lock, safe. / Photo credit: Getty Images/iStock/Just_Super

Dozens of corporate IT directors received the late-night call they dread on the evening of July 3. An aggressive cyber security breach known as a "ransomware attack" was underway against Irish software company Kaseya Ltd. While the company may not be well known to most of us, its customers include some large corporations and thousands of smaller enterprises whose critical operations may be interrupted by the attack. Security experts believe this could prove to be the largest ransomware attack to date.

The perpetrator, a confederation of hackers calling themselves "REvil," is believed to be based in Russia and was responsible as well for the May 30 penetration of JBS S.A. that briefly halted one quarter of beef production in the United States. Earlier that same month, nearly half of east coast gasoline distribution was shut down when the Colonial Pipeline was targeted by another hacker gang known as DarkSide.

Given the explosion of such attacks and the implications for critical U.S. infrastructure, it is useful to understand how ransomware works and what precautions users can take to reduce the threat.

The term ransomware is a portmanteau that aptly describes its nefarious purpose. In essence, malicious actors infiltrate computer systems to lock up or disable user files. The attacker then typically demands a ransom payment in exchange for a key to unlock the user's data or system. Hackers started small in the late 1980s, targeting individual users by freezing their PC operating systems or renaming data files, then seeking payment of a few hundred dollars to a premium text number, or ultimately in untraceable forms like iTunes gift cards.

The infiltrations grew bigger and more aggressive with the expansion of broadband internet-connected devices and the ability to collect larger anonymous payments in cryptocurrencies like Bitcoin. Targets today include corporations, industrial facilities, federal, state, and local governments, as well as critical infrastructure like hospitals and water systems. And with bigger targets came bigger ransoms: the first $1 million Bitcoin payment was extorted in 2017, but that was just the appetizer. The U.S. Department of Homeland Security estimates that victims coughed up $350 million in 2020.

Experts also note that the COVID-19 pandemic has magnified the scope of the threat, with hordes of employees working remotely through less secure connections that provide easier access to the crooks.

Cyber criminals successfully gain access to computer systems through various routes, known to security experts as "attack vectors". One avenue is to exploit known vulnerabilities in software packages that have not yet been patched by developers. Hackers also attempt to log into systems through the Remote Desktop Protocol (RDP), either by brute force (guessing passwords thousands of times) or by purchasing stolen credentials on the "dark web". But by far the most fruitful vector is exploiting the predictable human element: so-called "phishing" emails carrying malware that users activate by clicking a link in the message. Phishing expeditions have gotten more sophisticated and often utilize "social engineering" techniques to gain the confidence of the recipient. These techniques leverage information known about the victim, or pose as legitimate institutions with which the victim has a relationship, to create trust.
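The RDP brute-force vector described above leaves a recognizable trail in a server's logon records: a burst of failed remote logons from one source address, sometimes followed by a success once a password is guessed. The following detector is an added example for this column, not code from the article or from any of the companies named in it. It assumes records modelled loosely on Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the sample events are constructed, and the threshold and window are illustrative defaults, not vendor settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data).
# Field order: timestamp, event_id, logon_type, account, source_ip
# event_id 4625 = failed logon, 4624 = successful logon; logon_type 10 = RDP.
SAMPLE_EVENTS = [
    ("2021-07-03 22:01:05", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-07-03 22:01:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-07-03 22:01:14", 4625, 10, "admin", "203.0.113.7"),
    ("2021-07-03 22:01:40", 4625, 3, "svc_backup", "198.51.100.4"),  # network logon, not RDP
    ("2021-07-03 22:02:02", 4625, 10, "jsmith", "203.0.113.7"),
    ("2021-07-03 22:02:30", 4625, 10, "jsmith", "198.51.100.4"),
    ("2021-07-03 22:02:55", 4625, 10, "jsmith", "203.0.113.7"),
    ("2021-07-03 22:03:20", 4625, 10, "jsmith", "203.0.113.7"),
    ("2021-07-03 22:03:47", 4624, 10, "jsmith", "203.0.113.7"),  # success right after the burst
    ("2021-07-03 22:05:10", 4624, 10, "mlee", "10.0.0.5"),       # ordinary, unrelated logon
    ("2021-07-03 22:06:00", 4625, 10, "jsmith", "198.51.100.4"),
]


def parse_event(record):
    """Turn one tuple record into a dict with a real datetime for easy comparison."""
    ts, event_id, logon_type, account, src = record
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account,
        "src": src,
    }


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside a sliding
    `window`, and note whether a successful RDP logon from that source followed.

    Returns {source_ip: {"first", "last", "failed", "success_after"}}; "success_after"
    is the account that logged in after the burst, or None if no success was seen.
    """
    rdp = sorted(
        (parse_event(e) for e in events if e[2] == 10),  # only RDP-type logons
        key=lambda e: e["ts"],
    )
    failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    findings = {}
    for e in rdp:
        src = e["src"]
        if e["event_id"] == 4625:
            # keep only failures within `window` of this one, then add this one
            recent = [t for t in failures[src] if e["ts"] - t <= window] + [e["ts"]]
            failures[src] = recent
            if len(recent) >= threshold:
                finding = findings.setdefault(src, {"first": recent[0], "success_after": None})
                finding["failed"] = len(recent)
                finding["last"] = e["ts"]
        elif e["event_id"] == 4624 and src in findings and findings[src]["success_after"] is None:
            # a success after an already-flagged burst is the case worth paging someone about
            findings[src]["success_after"] = e["account"]
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        outcome = f"then SUCCEEDED as {f['success_after']}" if f["success_after"] else "no success seen"
        print(f"{src}: {f['failed']} failed RDP logons between {f['first']} and {f['last']}, {outcome}")
```

On the constructed sample the detector flags only 203.0.113.7 (six failures in under three minutes, followed by a successful logon as jsmith); 198.51.100.4 stays below the threshold, and its network-type failure is ignored because it is not an RDP logon. The same sliding-window logic applies to any authentication log once you map its fields to the dict shape used here, and lowering the threshold for privileged accounts is a common refinement.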

The threat has become an epidemic. Cyber security firm Recorded Future estimates there were 65,000 successful ransomware attacks in 2020 alone, about one every eight minutes. And while large institutions and businesses are better equipped to recover from an attack, smaller enterprises face existential risk given their more limited budgets and expertise to address the threat. The National Cyber Security Alliance estimates that over 50% of small businesses have been targeted, and that of those who were successfully hacked, 60% go out of business within one year. And the bad guys are franchising. Relatively unsophisticated criminals can now launch attacks by "renting" ransomware from syndicates in exchange for a share of the take, a practice known as "Ransomware as a Service (RaaS)".

The White House has elevated the priority of beefing up America's cyber security infrastructure and is considering retaliation against Russia for its escalation of attacks, but ultimately the responsibility falls on individual governments, organizations and businesses to better train and educate users to avoid falling victim to phishing scams. Loose clicks sink ships.

Christopher A. Hopkins is a chartered financial analyst (CFA) in Chattanooga.
