Note to Reader: In 2018, Dr. Megan Reiss and I wrote an article for The Weekly Standard, warning of the growing risk of ransomware. I’ve referenced this article several times in this newsletter, but I’m now reproducing it here in the wake of the Colonial Pipeline ransomware attack.
Imagine that in a few days, or maybe a few years, the United States suffers an unprecedented ransomware attack.
Maybe it begins 30 days after tax day because millions of Americans unknowingly download malicious software hidden on a popular tax preparation website. Maybe the “TurboHax” ransomware uses the “forever red” vulnerability made public by a group of suspected Russian government hackers. The virus then automatically multiplies and spreads itself using victims’ compromised credentials and stored contacts. Within hours, it has spread across the globe. But that’s only the beginning.
Using a polymorphic attack algorithm, TurboHax not only infects and locks users out of files on their desktop or laptop computers, it spreads to their mobile phones and other connected devices. When infected users connect to their home wifi networks, their televisions, internet-enabled speakers, and online home security systems become compromised, too. When the virus’s delayed detonation finally goes off, people are simultaneously locked out of every device they own.
And then it gets worse.
TurboHax doesn’t just ransom your information, it executes hostages. When the attack begins, victims are shown a message saying, “We have your information. This program will begin deleting files in one hour and will continue to do so every hour without payment. You have 24 hours before everything is gone.” Below the message is a link to a popular bitcoin trading website where victims are required to pay the attackers the equivalent of $500 to receive a password that unlocks their data.
Most victims pay the ransom, but not everyone who does has their information restored. Those who do not pay lose everything that was not previously backed up. Information, intellectual property, and physical assets worth tens of billions of dollars are lost.
It’s the largest, most costly cyberattack in history. And one of the most mysterious. The attackers never claim the paid ransoms, and they are never identified.
This scenario might sound like science fiction, but the truth is that all of the essential elements are already in place. Such an attack would be difficult, but not impossible, to execute, and many cybersecurity experts fear something like it is more or less inevitable. Cybersecurity Ventures projects that cybercrime, including ransomware attacks, will cost the global economy more than $6 trillion a year by 2021. That’s more than 7.5 percent of the current total value of the global economy.
How did we get here? How could we be so exposed?
Ransomware is any malicious software that limits or prevents someone from using their computer or accessing their files. It’s not a particularly new phenomenon—the first serious case of ransomware was spread in 1989 using infected floppy disks—but these attacks are becoming more frequent and more destructive.
Beginning around 2005, new versions of these programs, called crypto or encryption ransomware, started using strong encryption algorithms to scramble victims’ files, requiring victims to purchase a decryption key from the attackers. Later, in 2011, there was a rise in so-called “locker ransomware,” where a victim’s computer was locked on a startup screen until the ransom was paid. Sometimes these attacks took on an almost psychological element: they’d claim to be antivirus software that needed to be activated to clear out “found” viruses, or would show a screen with an FBI or Department of Justice seal declaring that the user had to pay a fine as a result of illegal activity, all in an attempt to scare the victim into paying.
Between 2011 and 2016 the number of ransomware attacks grew steadily, with incremental evolutions in sophistication and scale. That all changed in 2017.
Last year the volume of ransomware exploded. There were 4.3 times more ransomware variants in 2017 than in 2016. Ransomware infected at least 15 percent of businesses in the top 10 industry sectors; 75 percent of those infected went at least two days without access to their systems; nearly a third went five days or more without access. Even the average ransom got bigger in 2017, growing to more than $1,000 from just $294 in 2015.
But it was three specific attacks that decisively changed the cybersecurity landscape.
In mid-2017, the WannaCry ransomware attack spread around the world in just four days, encrypting computers everywhere from the National Health Service in the United Kingdom to a Honda plant in Japan. The scale of the attack was enormous. Experts estimate that it caused upwards of $4 billion in damage, even though the actual ransom paid totaled only about $140,000 in Bitcoin.
Unlike previous ransomware attacks, which were thought to be perpetrated by criminals and thieves, the U.S. and U.K. attributed WannaCry to a state actor, North Korea. With that attribution, we know that new ransomware is being developed not just by entrepreneurial groups of hackers, but with the full scope of resources and talent available to a state.
The second attack, NotPetya, followed about a month after WannaCry and differed from it in three important ways. First, it was more sophisticated than WannaCry. It was designed to gain administrator access to a system, which allowed the malware to move freely, encrypting systems as it went.
Second, while hackers demanded Bitcoin as a ransom, the program turned out to be a “wiper” virus masquerading as ransomware. The victims who ponied up didn’t get their files decrypted. Instead, all encrypted files were destroyed.
Finally, NotPetya’s scale was enormous. The White House called it “the most destructive and costly cyberattack in history.” NotPetya’s indiscriminate destructiveness was visited upon businesses and individuals, as well as governments.
Lastly, although it did not have the reach of NotPetya, the SamSam attack on Atlanta in March 2018 revealed the vulnerability of communities that may not see themselves as targets. The SamSam hackers are notorious for choosing targets that will pay large ransoms, in this case $51,000 in Bitcoin. Worst of all, the hackers relied on guessing weak passwords to get into the city’s systems.
The Atlanta attack also showed how insecure systems and poor cyber hygiene at the state and local level can create tension regarding national security objectives. The Atlanta government wanted its data back, but the federal government had a good reason for wanting Atlanta not to pay the ransom: paying would teach hackers that targeting local governments works.
Ultimately Atlanta did not pay, but that decision required a great deal of fortitude. For weeks, its citizens couldn’t access online services. Paying for decryption almost surely would have been less costly than the days of lost work and the effort required to restore the city’s systems. Yet choosing not to pay probably reduced potential future costs of ransomware for local, state, and federal governments.
When all is said and done, global ransomware attacks cost individuals and businesses $5 billion last year, an increase of 400 percent from 2016. There is every reason to suspect this growth trend will continue.
What Can Be Done?
One of the most difficult realities of ransomware is that it exploits the weakest link in the cybersecurity chain: people. The danger posed by malware can be mitigated simply by regularly updating your software and backing up your information. Software updates close the digital holes that allow ransomware in and backups enable users to recover information without being extorted. Nevertheless, many users are still slow to adopt these basic practices.
For example, the software vulnerability that allowed the NotPetya attack to spread was the same vulnerability that the WannaCry attack relied on a month earlier. And Microsoft had patched that vulnerability several months before WannaCry was launched. The effects of two of the world’s largest ransomware attacks could have been significantly mitigated if users had simply updated their software in a timely manner.
And if a user isn’t updating system software, they probably aren’t regularly backing up their data, either. According to one survey, 63 percent of the Americans polled back up their data, at most, once a year. And if you think that these habits are likely to change over time, think again. The entire age of the VCR came and went with large swaths of the populace never figuring out how to set the clock or schedule a recording. If your parents (or grandparents) couldn’t figure that out, they’re probably never going to be diligent about updates and backups, either.
But even businesses can be slow to update their systems. Many companies build custom software on top of base operating systems to help them with tasks peculiar to their business—e.g., human resources, logistics tracking, or accounting. It is not always clear, though, what will happen to these custom applications when the base operating system is updated with a software patch. Consequently, corporate IT departments have to test updates in a controlled environment before they roll out an update to the entire enterprise.
This is referred to as “entanglement,” and even if a company is quick to test an update, the process is often still slow and the adoption of patched software is delayed, leaving the company vulnerable for long stretches of time.
What Can You Do to Protect Yourself?
Meanwhile, here are three things individual users can do to significantly improve their defenses against ransomware.
First, move to the cloud and automate updates. Amazon, Google, Microsoft, and other cloud storage providers spend hundreds of millions of dollars every year to protect their users from cybercriminals. Take advantage of their efforts by moving your most important information to cloud storage (and don’t forget to back up, back up, back up). Microsoft, Apple, and others also have settings that will allow you to automatically apply software updates as they are released. If you use devices provided by your employer, check with IT to see if there’s anything you can do to get updates installed as soon as possible.
Second, clean up your online life. Adjust your browser’s security and privacy settings for increased protection. Google Chrome, Apple Safari, and Mozilla Firefox each document how to do this. Also, never open suspicious emails, download attachments from suspicious emails, or click links in suspicious emails. Ever.
Third, bring in the experts. Use a reliable, paid antivirus product that offers automatic updates. BitDefender, F-Secure, and ESET all offer great products, as do many others. Find the one that best fits your needs and budget and start using it.
This can be costly and, to be honest, kind of a pain. But the growing scale and quickening pace of ransomware attacks suggest that we are actually living in the “good ol’ days” of ransomware. Far worse days are likely coming, and soon.