Schools, hospitals, companies are targeted by ‘cyber weapons of mass destruction’

By: Robert McMillan, Dustin Volz and Tawnell D. Hobbs | The Wall Street Journal

The cyberattack that knocked offline an essential U.S. gasoline pipeline shows how the dangerous, professional-scale hack-for-ransom threat is spreading rapidly, targeting companies, schools, hospitals and other institutions.

While ransomware has been a challenge for small businesses for years, a confluence of factors has emboldened attackers in the past year, culminating in the shutdown Friday of a critical gasoline pipeline to the U.S. East Coast. The pipeline’s operator, Colonial Pipeline Co., now says service could be offline until week’s end, threatening to raise prices at the pump for millions of Americans.

Attacks are growing in number and scale as millions of people across the country work or attend school remotely, in some cases opening back doors to networks without corporate or institutional security protections, security researchers say.

Hackers have grown adept at communicating about vulnerabilities on the so-called Dark Web, a network of computers that can share information anonymously. The ability to demand payment in cryptocurrency limits law-enforcement tracking capabilities. And the growth in insurance policies that cover ransomware payments has helped seed an increasingly professionalized ransomware industry.

Senior officials in the Biden administration have said ransomware is likely the most serious cybersecurity threat to the U.S. and that on its current trajectory, the problem will only get worse in the years ahead. A senior Justice Department official likened the phenomenon to “cyber weapons of mass destruction.”

There is no official U.S. clearinghouse to track ransomware cases, but nearly 2,500 were reported to the Federal Bureau of Investigation last year, an increase of 66% from 2019.

While precise data on attacks are often difficult to come by, partly due to the desire for secrecy among both perpetrators and victims, ransomware victims paid hackers at least $350 million in cryptocurrency payments in 2020, a fourfold increase from the previous year, according to the blockchain analysis firm Chainalysis Inc. Other security experts and cybersecurity officials have estimated the overall toll on the U.S. economy registers in the billions annually.

“The reason why ransomware is exploding is because it’s scalable, predictable and lucrative,” said Antony P. Kim, a partner with the law firm Orrick Herrington & Sutcliffe LLP’s cyber, privacy and data innovation practice. “If that isn’t a business model, I don’t know what is.”

The Federal Bureau of Investigation has for years told companies that they shouldn’t pay ransoms when victimized by hackers, but the cybersecurity firm Bitdefender says that at least half of all victims end up paying.

The companies least vulnerable are those that back up systems so they don’t feel pressure to pay, but doing so can be costly up front.

Ransomware encrypts the contents of the victim’s computers, making them unusable until a payment is made, at which point the hackers promise to give the victims a decryption key—a complex series of letters and numbers that will unlock their systems. Often victims pay ransom because they have no backup copies of the infected systems or because the effort required to restore hundreds of computers is prohibitive.

“We are on the cusp of a global digital pandemic, driven by greed, a vulnerable digital ecosystem, and an ever-widening criminal enterprise,” Chris Krebs, the former top cybersecurity official in the Department of Homeland Security under President Trump, said in congressional testimony about ransomware last week.

Schools, law firms, local governments, airports and law-enforcement agencies have been hit.

A September hack cost hospital chain United Health Services Inc. $67 million last year before taxes, and a month later ransomware groups knocked dozens of hospitals offline during a widespread campaign.

The 10,000-student Sheldon Independent School District in Houston paid a ransom of $206,931, negotiated down from about $350,000, after a ransomware attack last year rendered it inoperable and threatened a coming paycheck distribution.

“We could not function,” said Sheldon Superintendent King R. Davis. “It was very important to us to keep moving forward.”

The University of California, San Francisco, paid a $1.14 million ransom to a hacker in June. The university has said that it made the decision to pay because the hacker encrypted data for important academic work, including research. The university said in a statement that it was a “difficult decision” to pay the ransom.

DarkSide, the ransomware linked by the FBI to the Colonial pipeline incident, uses the Tor anonymizing software to keep its server’s location hidden from law enforcement. The group that makes the ransomware uses the digital currency bitcoin for payments that can be made anonymously. It uses online hacking forums to recruit “affiliate” partners who can break into victims’ networks, and it is thought to operate out of Eastern Europe, according to security researchers.

The DarkSide developers didn’t respond to a request for comment. On the “press” section for the ransomware gang’s website, they appeared to distance themselves from the Colonial attack and blame an affiliate. They said that they would exert more control over the companies that their affiliates wanted to attack “to avoid social consequences in the future.”

While ransomware groups have traditionally shut down critical operations and demanded payment to provide keys to restore them, in recent years, ransomware groups began threatening to publish documents taken from victims.

This shift has given hackers a new line of business—allowing them to collect payments even when victims were able to restore encrypted systems through a backup, said Charles Carmakal, a senior vice president with the cybersecurity firm Mandiant. “A lot of times, these victims feel compelled to pay,” he said.

Ransomware gangs now notify company employees and even partners when they have infiltrated a victim to maximize the pressure to pay, said Sherri Davidoff, chief executive of the security consulting firm LMG Security LLC. On its website, DarkSide says it is willing to sell information stolen from victims to short sellers, if the victim refuses to pay.

Layered together, all of these online services make it easy for a growing pool of hackers to get involved in ransomware with a minimum of effort, Ms. Davidoff said. “It’s very point and click,” she said.

Reflecting the scale of the threat, last month the Justice Department formed a task force intended to curtail the popular extortion schemes by making them less lucrative through efforts to target the entire digital ecosystem that supports them, including how criminals rely on digital currency to extract victim payments.

In an interview last month, John Carlin, a senior official at the Justice Department, likened ransomware to “cyber weapons of mass destruction” that, like nuclear weapons, were growing more powerful and devastating over time. The success of ransomware operations has allowed criminal hackers to demand ever greater sums of money into the tens of millions of dollars from victims and reinvest those profits in new tools and services that enable more and better attacks, Mr. Carlin said.

“We have to figure out a way to break the unvirtuous cycle we’re in right now, where the more money they make the more is being funneled back into the tools they are using,” Mr. Carlin said.

Speaking during a White House press briefing on Monday, Anne Neuberger, President Biden’s deputy national security adviser, said that many companies are “often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.”

Ms. Neuberger also said there was a “troubling trend” developing of hackers targeting companies that have insurance and are richer, and therefore more likely to pay a ransom. “We need to look thoughtfully at this area, including with our international partners, to determine what we do in addition to actively disrupting infrastructure and holding perpetrators accountable to ensure that we’re not encouraging the rise of ransomware,” she said.