There was a time mere years ago when the cybersecurity community was apt to believe that ransomware was a fleeting tool amongst the criminals’ arsenal. Within a short timespan it came into fashion and was quickly relegated to “commodity” status according to many reports. While Trojan horses may be the longest held offensive within hackers’ lore, especially once average households contained computers, other schemes came and went. That’s how ransomware, which is a variation on the Trojan theme, was looking in 2018 or so. It had become commonplace. It didn’t require sophisticated users. There were so-called off-the-shelf ransomware packages to be found on the dark web.
To top off the reasons why it was becoming a commodity, the rewards gleaned from ransomware attacks were paltry, relatively speaking. One of the most widely reported ransomware attacks, WannaCry from circa 2017, sought a mere $300 to get the decryption key that would unlock the kidnapped data. Ransomware, you may know, works on computer data much like the more conventional kidnapping and ransom schemes of TV and film. Hopefully, those are your only references.
The ransomware hacker uses reconnaissance and investigatory skills to learn about their target. Rather than it being a senator’s daughter, going back to drama, it is some cache of information. Then, the hacker poses as a trusted emailer and sends a message to the target’s business staff. With quite basic skills they send an email that looks official and invites the recipient to click some link. Once someone bites, the link unloads its true payload: a program that scrambles the victim’s computer data. Until the victim pays the ransom, the data is unreadable and unusable. Even after the victim pays, in many cases they’re still left flailing because the anonymous hacker takes the money and runs. Go figure.
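The "trusted emailer" lure described above is where a defender can intervene before anyone clicks. The following script is an added example, not code from the column or from any vendor; it parses a constructed sample message and reports the three cheap signals a mail gateway or help desk would check first: a display name that invokes the organisation's own domain while the address lives elsewhere, a Reply-To that quietly diverts answers to another domain, and link text that advertises one site while the href points at a different one. The trusted domain (example.com), the sender and link hosts, and both sample messages are all assumptions constructed for the example.

```python
# Added example (not the column's code): flag the "trusted emailer" lure by
# comparing what an email *shows* the reader with where it actually points.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: the recipient organisation's own domain

# Loose "looks like a hostname or URL" test applied to visible link text.
_HOSTLIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an <a> ... </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_or_url):
    """Lower-cased host part of an e-mail address, URL or bare hostname."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    if "://" not in addr_or_url:
        addr_or_url = "http://" + addr_or_url
    return (urlparse(addr_or_url).hostname or "").lower()


def phishing_signals(raw_email):
    """Return a list of human-readable warnings for a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # 1. Display name name-drops the trusted domain, but the address is elsewhere.
    if TRUSTED_DOMAIN in name.lower() and from_dom != TRUSTED_DOMAIN:
        warnings.append(f"display name mentions {TRUSTED_DOMAIN} but sender is {from_dom}")
    # 2. Reply-To redirects answers to a different domain than the From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        warnings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")
    # 3. Anchor text advertises one host while the href goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = _domain(text) if _HOSTLIKE.fullmatch(text.lower()) else ""
        if shown and shown != _domain(href):
            warnings.append(f"link text shows {shown} but href points to {_domain(href)}")
    return warnings


# Constructed sample messages (not real captures): one lure, one legitimate mail.
SAMPLE = """From: "Accounts Payable (example.com)" <ap@examp1e-invoices.net>
Reply-To: collect@mail-drop.invalid
To: staff@example.com
Subject: Invoice overdue
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the overdue invoice at
<a href="http://examp1e-invoices.net/inv">https://portal.example.com/invoices</a></p></body></html>
"""

CLEAN = """From: "Accounts Payable" <ap@example.com>
To: staff@example.com
Subject: Invoice
Content-Type: text/html; charset=utf-8

<html><body><a href="https://portal.example.com/invoices">portal.example.com</a></body></html>
"""

if __name__ == "__main__":
    for w in phishing_signals(SAMPLE):
        print("WARNING:", w)
    print("clean message warnings:", phishing_signals(CLEAN))
```

None of these checks proves a message is malicious; a legitimate newsletter may also use a third-party Reply-To. The value is that each mismatch is something a human can verify in seconds ("does the sender's domain match the name it claims?"), which is exactly the habit the column's closing line, "know your senders", asks of every computer user.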
Since WannaCry there have been many other incidents that captured the nation’s and world’s attentions. The most recent one was the Colonial Pipeline debacle, shortly followed by the JBS meats processing takedown. Both of those appear to have been Russian attacks, though only connected to the Kremlin itself by way of a dotted line. At best, the Russian government has turned a blind eye to any notion of investigating the crimes. At worst, it facilitated the attacks or was somehow complicit.
From $300 commodity stylings to the state-sponsored attack on energy systems and food supplies, ransomware has earned its resurgence to a seriously viable offense tactic by the bad guys. Because the bad guys are no longer just Mountain Dew-slurping techies flaunting their computer skills, the attention to ransomware is now on an entirely new scale, accordingly.
The U.S. government last week announced that it sees ransomware investigations in the same vein as terroristic attacks. When certain ransomware incidents occur—think: infrastructure targets such as water systems, internet trunk lines, food supply chain, the power grid—the Justice Department will prioritize the ensuing investigation on a new scale and through a new process. For instance, in order to make certain that a ransomware incident can be understood by connecting all the relevant actors and online sources, despite its tendency to be cloaked in the mysteries of digital evidence and anonymous users, there is a D.C. based task force that serves as a hub for case information. No matter which U.S. Attorney’s office responds to an attack, the task force will have and then disseminate effective information toward stopping the attack and solving the case.
Triaging and prioritizing the more traditional terrorist attacks has been effective, and these digitally couched ploys deserve the same level of scrutiny and care. After the announcement, FBI Director Christopher Wray told The Wall Street Journal that the challenges currently faced in investigating ransomware attacks (around 100 current investigations!) are akin to those faced by the U.S. government in the wake of the 9/11 tragedy. The scale and complexity seemed daunting enough when the evidence was hard and the attackers were known. Now, we have ones and zeroes deployed by well-funded technologists who seem buried under countless layers of anonymity. The effects, too, are similar in severity and scope. Compromising one metropolitan area’s water supply could far outweigh the thousands of lives given on that Tuesday morning in September of 2001.
What’s more, just like terroristic attacks of the more brick-and-mortar variety, ransomware attacks need the attention and support of the public. Remember after 9/11 the “see something say something” campaign? Our collective awareness may be as effective in thwarting ransomware incidents, or in solving them, as any government task force or initiative. Was it patriotic for you to have kept vigilant eyes out for suspicious activity on the roads after 9/11? We all sure thought so. Now, too, it is incumbent on every computer user to be aware, and be wary.
The White House also published an open letter to U.S. businesses to be on guard. It’s not just us, the public individuals, but perhaps more importantly the business sector that not only serves as the more likely target of ransomware criminals, but also has some savvy about security in general. Offices employ contracted or internally supported security operations. They, according to law in many cases, already are defending against cyber-attacks. Their perimeters are secured, and other security functions are part and parcel of their operations. Now, it’s time to ramp up defenses against ransomware.
Russian-sponsored ransomware, although glaring in the news, is only one tiny piece of the massive, perhaps not fully known, picture. Other political adversaries will surely copycat the Russian-borne strategy. Organized crime brought in $350 million last year in ransoms. The targets are limitless, with some—e.g., nuclear facilities—posing incomprehensible risks. Ransomware no longer can be considered some nuisance, commodity cyber threat. It’s a terroristic act, and should be treated as such. Know your senders.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org.