In the second of a series of blogs on cyber risk and national security, Conrad Prince, Senior Cyber Terrorism Advisor to Pool Re, looks at the increasing threat of ransomware, what it means for business, and how it could be employed by malicious actors for strategic effect.
By Conrad Prince CB, Pool Re’s Senior Cyber Terrorism Advisor – May 2021
Conrad Prince CB was formerly Director General for Operations and Deputy Director of GCHQ, and subsequently Cyber Security Ambassador for the UK Government.
Ransomware attacks, where cyber criminals seize control of victims’ computers and demand payment in return for restoring access, are a major criminal growth industry. According to one report, last year a new organisation became a victim of ransomware every 20 seconds.
Until recently, ransomware was mostly associated with attacks on individuals and relatively small ransom demands. But there is now a relentless rise in attacks on businesses, with more sophisticated cyber intrusions identifying a company’s most valuable data, and ransom demands for significantly larger amounts. Already in 2021, the computer companies Acer and Quanta (a key supplier to Apple) have each reportedly received ransomware demands of $50 million. And the USA is currently wrestling with the serious consequences of a significant ransomware attack affecting the Colonial oil pipeline.
There has been a disturbing growth in ‘double extortion’ attacks, where criminals prevent companies accessing their data, and also threaten to leak or sell the most sensitive information. In Quanta’s case, it seems as though designs for a new Apple MacBook have been posted online to increase the pressure to pay.
When a ransomware attack strikes, companies are potentially faced with complete shutdown of their IT systems and the resulting disruption might spread across almost every area of business. The total impact can be severe. According to one estimate, it takes an average of 287 days for a business to recover fully from a ransomware attack. Norsk Hydro’s recovery from a 2019 attack took months and cost up to $78 million. Add to this the potential loss of intellectual property and reputational damage from a leak of customer data, and paying the ransom can seem attractive. Estimates vary, but it has been suggested that 25% of organisations hit by ransomware pay up, and that the average ransom paid is around $1 million.
However, payment is no guarantee that access to data will be restored. Even if it is, cleaning up the network is still essential. And companies fail to do so at their peril – the UK’s National Cyber Security Centre (NCSC) recently reported a case where a company paid a multi-million pound ransom and took no further action, only to be hit with an identical attack two weeks later.
Ransomware as a national security issue
Ransomware is a major cyber crime challenge. But it can also represent a significant national security threat. On 7th May, the Colonial pipeline in the USA fell victim to what is potentially one of the most significant attacks on critical national infrastructure we have seen. The pipeline transports nearly half of the fuel supplies for the American East Coast, and was forced to shut down as the result of a ransomware attack. The attack appears to have targeted the business side of Colonial rather than its operational technology; however, the company took multiple systems offline to contain the threat, thereby halting all pipeline operations. Widespread fuel shortages and price rises have resulted across the Southeastern states, with Atlanta, Georgia, reporting that 60% of gas stations had run out of gasoline after just six days. The US Government has been forced to issue an emergency declaration permitting the transport of fuel by road.
The Colonial attack seems to be a criminal one, not state sponsored, according to President Biden. But the gang accused of it, DarkSide, is widely believed to have Russian connections and President Biden has announced he will raise the matter with President Putin and believes that the Russians “have some responsibility to deal with this.”
Ciaran Martin, the founding CEO of the NCSC, has said that during his time in that role he believed that the most likely cause of a major cyber incident in the UK would be a ransomware attack on an important service. The Colonial attack is potentially one of the most significant examples of this risk there has been to date, but key public sector organisations worldwide, including schools, local authorities and healthcare, have increasingly become a focus for ransomware attacks. This represents a significant disruptive threat that goes well beyond the financial impact an attack can have.
The infamous 2017 North Korean WannaCry ransomware attack, essentially a hostile state criminal fundraising operation that got out of control, came extremely close to causing significant strategic impact to the NHS. And there is now at least one case where a ransomware attack seems to have had lethal consequences, with the tragic death of a hospital patient in Germany whose treatment was fatally delayed because of a ransomware attack on the hospital.
There can be a blurred line between a hostile state ransomware attack, like WannaCry, and a purely disruptive cyber attack. The 2017 Russian NotPetya operation, which ended up impacting a wide range of organisations worldwide at a cost of $10 billion, initially seemed like a global ransomware attack. But it turned out to be purely about causing disruption, with no money-making dimension. The potential for hostile states to deliver wide-scale ransomware attacks (or things that look very much like them) remains a significant national security concern.
Policy responses to the growing ransomware threat
There are no easy policy answers to this.
As far as ransomware as cyber crime is concerned, attempts to track down perpetrators and bring them to justice have had limited success to date, especially when the criminal groups involved are based in Russia or Eastern Europe.
Using cyber operations to disrupt the ‘infrastructure’ ransomware groups use to launch their attacks is an attractive option, but the groups can soon create new infrastructure. This is likely to be an ongoing game of ‘whack-a-mole’ rather than something that provides a lasting solution.
There is much discussion about banning ransom payments, an option partially implemented in the USA. But a ban could effectively punish the victim of a cyber attack, and inevitably some companies would go out of business if denied the option of paying up. Then there is the question of what organisations like hospitals should do if paying a ransom seems the best option for rapidly restoring life-saving services.
And there seems to be no real way to deter states like Russia or North Korea from launching disruptive and destructive attacks, at least that fall below the threshold of war.
The questions are complicated, but governments are increasingly focusing on the issue. It will be interesting to see how successful they are. In the meantime, for many organisations, there is more they can do to protect themselves.
What can businesses do to protect themselves?
Effective cyber security measures are essential. There are three key things to focus on: stop the attackers getting into the business in the first place, make it harder for them to spread through the network should they manage to get in, and have robust arrangements in place to enable rapid recovery should the worst happen.
Most ransomware still originates in phishing attacks, communications which fool employees into clicking a link that loads malware onto the network. Many companies have done good work in training staff and implementing technical measures to help prevent this type of attack. But the cyber threat is constantly evolving. A growing risk is through supply chain attacks, such as the recent Chinese attack on Microsoft Exchange servers, which gave the attackers access to thousands of victim organisations worldwide. Such attacks can be exploited by criminal ransomware groups, so companies have to pay attention to the security of their suppliers as well as their own.
Protecting the perimeter is not enough. All too often, companies can be tough to break into, but once a cyber attacker has succeeded, they can move around the company’s internal networks with relative impunity. This can be made harder by building security into network architecture design and implementing enhanced security measures such as two-factor authentication, supported by active cyber security monitoring.
Finally, businesses need to focus on resilience and plan for ‘when not if’ an attack succeeds. Measures like offline data backups are fundamental, as is a clear crisis management plan for the whole business, regularly tested and updated.
The ransomware threat is growing in scale and sophistication, and anyone can be a victim. Every organisation needs to think through how to deal with this threat, and prepare for the worst.