By Adam Bromwich, CTO & Head of R&D of Symantec Enterprise Division
When it comes to choosing their victims, ransomware attackers have become brutally adept at finding pain points.
Their targets range from hospitals, schools, and local government to key infrastructure — such as water treatment and fuel pipelines — and they’re succeeding. Ransomware gangs have aggressively honed their tactics over time while ransomware creators franchise their tools to affiliates in exchange for a cut of the loot. Hardly a day goes by without news of another organization being hit by one of these groups.
The May 2021 Conti ransomware attack against Ireland’s Health Service Executive (HSE) starkly illustrates the gravity of the threats we now face. In the middle of a global pandemic, attackers crippled its network, causing massive disruption to vital services and forcing it to cancel medical appointments. While the attackers subsequently released a decryption key, they are still attempting to hold the HSE to ransom by threatening to release sensitive patient records stolen during the attack.
Attacks such as these can require a high degree of hands-on interaction from the malware operators — both to deploy the ransomware successfully across the victim’s network and, at the same time, to profile the victim so they can estimate the ransom it is likely to pay, based on how much of the network they have compromised and on the quality of the data available for exfiltration. The group behind the HSE attack proceeded because they knew the disruption it would cause at this key point in the Irish response to the COVID-19 pandemic could lead to a major payoff. The criminals behind targeted ransomware are now among the most technically proficient and well-resourced threat groups operating today. The blockchain analysis company Chainalysis estimated that ransomware gangs netted just under $350 million in 2020, a massive 311% increase over 2019.
The scale of ransom payouts now means the most successful groups will have a bigger operating budget than the victim’s network defenders in all but the largest of organizations. This allows them to operate both at a massive scale and also to persist in their attacks until they’re successful.
The Irish government is to be commended for not bowing to pressure and paying a ransom. This is a stance that may be put under increasing pressure in the weeks and months ahead, particularly if the restoration of services proves slow or if sensitive medical data is leaked online. Nevertheless, it is the right decision.
It is an unfortunate fact that there will be occasions when some victims find themselves with no choice other than to pay the ransom. However, we are deeply concerned about how regularly the response to a ransomware attack has begun to resemble a professional transaction — a simple business cost. All too often, ransoms appear to be paid because the payment is calculated to be lower than the short-term cost of restoring the victim’s IT systems from backups, or because the ransom is covered by cyber insurance. These decisions are based on a short-term calculus that ignores the long-term consequences of continuing to invest in an unhealthy ecosystem where ransomware attackers thrive and multiply.
The threat of cyber criminals selling or publicizing stolen data is also forcing organizations to pay ransoms. This is increasingly as potent a tool in extorting a ransom as the outright crippling of IT systems, especially for public bodies that have a legal obligation regarding the protection of customer or user data. More can be done to reduce the impact of this type of crime.
We can’t pretend fixing the toxic dynamic around ransomware is going to be easy. It is also clear that things are continuing to get worse and will only get better if effective detection and defense against ransomware is combined with an increased focus on reducing the financial attraction of this activity to cyber criminals. As we saw when blackmail over stolen data was added to the ransoming of IT systems, ransomware gangs have shown themselves adept at finding new techniques to pressure their victims and will certainly redouble their efforts if they encounter resistance.
We can put the odds back in our favor by making it harder for ransomware attackers to get away with it. That means more effective detection and defense. At the same time, equal effort needs to be made to reduce – or remove entirely – the money that feeds the criminals at the center of the global ransomware ecosystem.
About the Author:
Adam leads a global team of engineers and analysts who develop the game-changing security technologies, attack intelligence, and security content that protects Symantec Security customers.