The ransomware epidemic – The pace of attacks is relentless

A once-quiet cyber threat, ransomware has emerged in 2021 as an epidemic even a national security issue. Picture: www.carriermanagement.com

The cybersecurity industry is stretched thin. Ransomware attacks are now so prolific that some companies simply cannot help every newly hacked victim get back online. And a shortage of workers means no immediate help in sight.

A once-quiet cyber threat – ransomware in which hackers, often from Russia, China  r other former Soviet bloc countries, break into private computer systems to encrypt and often steal fi les to hold for ransom – has emerged in 2021 as an epidemic even a national security issue. In recent months, ransomware gangs have launched several high-profi le attacks, including on a US major pipeline, a major Swedish supermarket giant and frequently crippled schools and hospitals globally. Ransomware cost victims an estimated $US3 billion ($F6.23b)in the last year.

The pace of attacks is relentless, leading to renewed efforts from President Joe Biden to deliver a message to Russian leader Vladimir Putin that they’re unacceptable.

In mid-June, Biden met with Putin and discussed the issue, stressing how much ransomware emanates from Russia, where the criminals behind it seem to operate with impunity. Over the following two weeks, confirmed ransomware attacks briefly went down to just over 100 publicly confirmed new cases, analysts say – most victims were American.

But then ransomware exploded again.

One of the most prolific ransomware gangs, REvil, conducted its boldest attacks yet over the Fourth of July weekend, on Kaseya, which services customers who in turn contract with thousands of businesses.

Though the dust has yet to settle, researchers say the hack allowed REvil to infect at least 1500 different organisations.

The gang seems to have been surprised at their own success and asked for a $US70 million lump sum to unlock all infected computers.

Cybersecurity professionals can barely keep up despite signifi cant industry growth in recent years — and plenty more money is pouring in. That money is chasing a limited talent pool, with almost 1.5 million jobs unfilled, according to Cyber- Seek, a project that tracks the industry and is sponsored by the US National Institute of Standards and Technology (NIST).

But the current work is still a hard job, exacerbated by the long, stressful hours that cybersecurity incident responders have to spend putting out the fires that ransomware lights.

However, if you read the comments on virtually any news story about a ransomware attack you will almost surely encounter those ‘in hindsight’ comments that the victim organisation could have  avoided paying the hackers ‘if only they’d had proper data backups’. But the truth is there are many non-obvious reasons why victims end up paying, even when they have done nearly everything right from a data backup perspective! Sad but true.

So why do victims still pay for a key needed to decrypt their systems, even when they have the means to restore everything from backups on their own?

Cybersecurity experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups is that nobody at the victim organisation bothered to test in advance how long this data restoration process might actually take! Think about it…in a lot of cases, companies do have backups, but they’ve never actually tried to restore their entire system from backups before — so they have no idea how long it’s going to take!

They realise they have several terabytes of data (or whatever) to restore over the Internet, and they realise that even with their fast connections it’s going to take three months to download all these backup fi les! A lot of IT departments never actually make even a rough back-of-the-envelope calculation of how long it would take them to restore from a data rate perspective.

Or the next most-common scenario involves victims that have off-site, encrypted backups of their data but discover that the digital key needed to decrypt their backups was stored on the same local filesharing network that got encrypted by the ransomware! Could it get worse? Well… the third most-common problem to victim organisations being able to rely on their backups is that the cyberattackers managed to corrupt the backups as well!

So there you go – backups all done and stored but basically useless in the above, quite common scenarios. The only other options is to pay the ransom which basically boils down to either they didn’t have properly configured backups, or they haven’t tested their resiliency or the ability to recover their backups against the ransomware scenario.

There are various scenarios similar to the above three but basically they have backups, the data is there, but the application to actually do the restoration is encrypted or there are all these little things that can trip you up, that prevent you from doing a restore when you don’t practice.

In many cases, companies don’t even know their various network dependencies, and so they don’t know in which order they should restore systems,

That’s why cybersecurity and IT experts will recommend that it’s essential that organisations practice their cyber incident responses in periodic tabletop exercises, just as you conduct regular fire drills, and that is in these exercises that companies can start to refine their plans. For example if the organisation has physical access to their remote backup data center, it might make more sense to develop processes for physically shipping the backups to the restoration location.

Now you have some idea why ransomware has become a huge problem in the last couple of years, even being classified as a national security threat in the U.S especially when critical infrastructure is targeted. ‘War on ransomware’ is not quite catchy enough!

Ransomware cyberattacks still require payments in cyrptocurrencies like Bitcoin and this is the other way in which governments and organisations are trying to contain ransomware. Hit the payment pipeline – not Bitcoin itself but the cryptocurrency exchanges. This was how the US law enforcement was able to seize about 85 per cent of the $US4 million ($F8.3b) ransom that was paid out by Colonial Pipeline last month. This is a good start but one wonders how this will work out in the long term like the ‘war on terror’, or the ‘war on drugs’.

As the pandemic continues to spread uncontrollably and wreak havoc in our nation, please stay safe and get yourself and those eligible in your family fully vaccinated.

Like ransomware victims don’t end up paying the price due to lack of preparation and more importantly not following protocols.

As some happy wise person once said – ‘Life is not about waiting for the storm to pass but learning to dance in the rain.’ As always, God bless you all and stay safe in both digital and physical worlds this weekend.

  • ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com

More Stories