
Recent surge in ransomware attacks threatens national security

Some recent ransomware attacks that have disrupted service include Colonial Pipeline, JBS Foods and Quanta.

The years 2020 and 2021 have been unusual. They have included a pandemic, supply chain shortages, a shift to remote work and a surge in ransomware attacks.

A report from cybersecurity firm Group-IB said that ransomware attacks grew by more than 150% in 2020. These attacks are disrupting services and are seen as a threat to national security.

Ransomware is a specific type of malware that completely takes over a computer and renders it useless. In addition to locking the user out of the computer, the ransomware scours the system for vital files and encrypts them with an unbreakable encryption key. The system and its files aren't released until a ransom is paid.

Over time, ransomware attacks have evolved into organized gangs targeting businesses and government agencies. And they're demanding much higher ransoms. A bank or hospital that lives by its computers might be all too willing to pay a million-dollar ransom, but few individuals can.

Ransomware attacks in 2021

Colonial Pipeline made headlines in May when a ransomware attack disrupted the gas supply on the U.S. East Coast, from Texas to New Jersey. The company shut down the pipeline when some of its digital systems were infected. The halt in operations caused panic-buying, gas shortages and higher prices at the pump. Colonial Pipeline paid a $4.4 million ransom before it was able to regain access to its system and restart operations.

Often, the public doesn't hear about ransomware attack outcomes because they're not always disclosed. Companies might not want to disclose that they caved to pressure, or law enforcement may ask them not to say anything so as not to embolden other gangs.

Other ransomware attack victims in 2021 include Acer, Quanta, JBS Foods, the National Basketball Association and CNA Financial, among others. And the year isn't over yet.

2021 ransomware attacks timeline
This timeline highlights some of the biggest ransomware attacks of 2021.

Why are ransomware attacks happening now?

There has been a surge in ransomware attacks for many reasons:

Bigger paydays

When ransomware attacks first began in the last decade, targeted individuals paid a few thousand dollars to regain access to their computers. Now, gangs have moved on to bigger targets -- and several corporations have paid tens of millions in ransom.

No one is stopping hackers

While the U.S. is the most common ransomware attack victim, other nations are also being hit. It is believed that Russia is home to most of the gangs behind the attacks. But so far no one has been arrested or busted. Security researchers have examined the major ransomware and found that it does not run on Russian machines or those of members of the Russian commonwealth. This includes Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan and Uzbekistan.

Russia is not trying to stop hacker groups, and may even encourage it for the intelligence they may pick up, according to a story from The New York Times. And government systems are frequent targets.

Ineffective pushback

Both sides of the aisle have criticized President Joe Biden for not doing more than telling Russian President Vladimir Putin to do more. For now, Biden has not gone beyond considering sanctions on Russia.

Ransomware as a service

In the early days of malware, hackers had to create their own -- though there were some developer kits to help speed up the process. But with ransomware, gangs have set up a software as a service (SaaS) model. The ransomware as a service (RaaS) model involves developers selling or leasing the malware to "customers."

As part of its report, Group-IB found 64% of all ransomware attacks in 2020 were derived from operators using the RaaS model.

A threat to national security

The U.S. sees these attacks to be just as much a threat as terrorism. In 2020, ransomware attacks caused 18 days of downtime on average for affected companies, Group-IB said in its report. The average ransom amount also increased.

The ransom amount, while painful, is not as severe as 2 1/2 weeks of downtime, which is why government, finance and health care are being hit. Acer and Quanta have the in-house skills to fight and potentially undo ransomware. But a hospital likely does not have these skills and will simply pay the ransom to get its systems back -- because in this case it's a matter of life and death.

A study by Comparitech found more than 600 hospitals, clinics and other healthcare organizations were affected by 92 ransomware attacks in 2020, with more than $20 billion lost in revenue, lawsuits and ransom paid.

The Biden administration has identified ransomware as a threat to national and economic security because of its potential to disrupt critical infrastructure. The Colonial Pipeline attack made that abundantly clear, with gas shortages in more than a dozen states for several days.

But that doesn't mean organizations have to be sitting ducks. There are many steps that can be taken to prevent infection -- and ransomware infection is definitely preventable.

  1. Educate employees. Employees remain the main reason for infection. Nobody should ever click on an email attachment from an unknown source, but many people still do this. In fact, people shouldn't even open attachments from someone they know unless the sender confirms that they did indeed send an attachment.
  2. Update software. This includes operating systems, applications and firmware on IT network assets. Antimalware software often updates multiple times a day, while Microsoft updates monthly. Some fixes need advanced testing before deployment, but most should be installed immediately.
  3. Lock down individual computers. Organizations should place applications on an allowlist, so only approved apps can be run. Also limit end user and process accounts through account use policies, user account control and privileged account management. Windows Server has some very strict user access controls. Use them.
  4. Require multifactor authentication. Multifactor authentication requires human input, making it harder for malware to breach systems.
  5. Have a disaster recovery plan. There are both on-premises disaster recovery products and disaster recovery as a service (DRaaS) where systems can be backed up off-site. Organizations should use them and back up frequently. Done right, DR/DRaaS can mean simply restoring a prior day's backup and one day of lost work rather than giving in to the ransom.
  6. Identify valuable data and segment the network. Organizations should avoid putting all data on one shared file accessible to everyone in the organization.
  7. Perform penetration testing to find and patch vulnerabilities. In particular, organizations should focus on the Windows Server Remote Desktop Protocol, which is the primary target for ransomware. Organizations should ensure its ports can't be reached with default credentials and maintain good security practices.
  8. Don't just rely on endpoint security software. While top-tier endpoint security products can help, security belongs at all layers, from the firewall to the network.
  9. Look into zero-trust networks. Zero-trust security is growing in popularity because it locks down the network completely. A fatal flaw of current network design is once a hacker gets in, there is little to nothing to stop them from moving around. Zero-trust requires a credential for every step inside a network and can lock out an intruder.
  10. Get help. This kind of security requires real expertise, which many organizations likely don't have internally.
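Steps 3 and 7 above both come down to the same question on a Windows Server host: is Remote Desktop exposed, to whom, and with what accounts? The following script is an added example, not code from the article or from any vendor mentioned in it. It audits and then tightens RDP exposure on a single host: it reports the current state and the members of the Remote Desktop Users group, flags enabled built-in accounts, and then either disables RDP outright or requires Network Level Authentication, restricts the built-in "Remote Desktop" firewall rules to a management subnet, enables account lockout and turns on logon auditing. It assumes Windows Server 2016 or later, an elevated session, an English-language Windows build (the firewall group and local group names are localized), and a management subnet of 10.0.0.0/8, which is a placeholder to be replaced with your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit and harden Remote Desktop exposure on one
# Windows Server host. Run from an elevated PowerShell session after reviewing the output
# of the audit section. The management subnet default is a constructed placeholder.
param(
    [string[]]$ManagementSubnets = @('10.0.0.0/8'),   # placeholder, replace with your own
    [switch]$DisableRdp                                # set when the host does not need RDP
)

$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsPath\WinStations\RDP-Tcp"

# --- Audit: record the current state before changing anything -------------------------
$denied = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections).fDenyTSConnections
$nla    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
Write-Host "RDP enabled: $($denied -eq 0)   NLA required: $($nla -eq 1)"

Write-Host "`nMembers of 'Remote Desktop Users' (every entry here can reach RDP):"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# Built-in accounts that are still enabled are the usual home of default or guessable
# credentials; list them so they can be disabled or renamed.
$builtIn = Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -in @('Administrator', 'Guest') }
if ($builtIn) {
    Write-Host "`nEnabled built-in accounts (review these):"
    $builtIn | Format-Table Name, LastLogon, PasswordLastSet -AutoSize
}

Write-Host "`nRemote addresses currently allowed by the 'Remote Desktop' firewall rules:"
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique

# --- Harden ---------------------------------------------------------------------------
if ($DisableRdp) {
    # Safest posture for a host that is managed some other way: turn the service off
    # and disable its firewall rules so nothing listens on 3389 at all.
    Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
    Write-Host "`nRDP disabled and its firewall rules turned off."
    return
}

# Require Network Level Authentication: the client must authenticate before a session
# is created, which keeps unauthenticated traffic away from the session host.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1

# Limit the built-in Remote Desktop rules to the management subnets only, so the
# listener is never reachable from arbitrary internal hosts or the internet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $ManagementSubnets

# Lock accounts after repeated failures to blunt password guessing against the logon.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# Make sure successful and failed logons are recorded; these are the events an
# incident responder will ask for first.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# --- Verify ---------------------------------------------------------------------------
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
Write-Host "`nAfter hardening: NLA required: $($nla -eq 1)"
Write-Host 'Allowed remote addresses now:'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique
```

Run it once without switches to see the audit output, decide whether the host needs RDP at all, and then run it with `-DisableRdp` or with `-ManagementSubnets` set to the jump-host or admin network. The script changes the host's own firewall and registry only; the same settings can be pushed fleet-wide through Group Policy, which is the better choice once the per-host behaviour is understood.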
