Ransomware is on a roll — and that’s more than a financial problem

Taylor Armerding, published in Nerd For Tech, Jul 1, 2024 (6 min read)

Ransomware qualifies as the digital version of a pandemic. It can spread exponentially. Anybody is a potential victim. It evolves — getting “inoculated” from one version won’t protect you from another. And while it won’t kill you directly, it could put your health and safety at risk when it’s aimed at common targets like home security systems, healthcare organizations, or other critical infrastructure.

But even though ransomware has been around for decades, we’re not doing very well at rooting it out or stamping it out. Ransomware, more malignant and aggressive than ever, is on a roll.

“We’re definitely not winning the fight against ransomware right now,” Allan Liska, threat intelligence analyst at Recorded Future, told Wired magazine.

Wired also reported that “According to a recent report by security firm Mandiant, a Google subsidiary, 2023 was a record-breaking year for ransomware. Reporting indicates that victims paid more than $1 billion to gangs — and those are just the payments that we know about.”

Practically every week a stream of headlines confirms it. Just a small sampling:

  • A recent “breach of the week” that made mainstream international headlines was the attack that took down the North American operations of auto dealership management system vendor CDK Global. The attack forced thousands of dealerships in the U.S. and Canada (the company has about 15,000 customers) to resort to pen and paper for sales, financing, insurance and other functions. Bloomberg News reported that the BlackSuit ransomware gang, based in eastern Europe, had demanded tens of millions of dollars in ransom.
  • The NHS [National Health Service] in England reported in early June that multiple London hospitals impacted by a ransomware attack were forced to cancel or reschedule hundreds of planned operations and appointments. They also had to cancel testing of 20,000 blood samples from 13,500 patients done since June 16, because the samples had degraded. The attack, reportedly by the Russian group Qilin, was against hospitals operating under the brand name Synnovis. The company said last week that it would take months to fully restore its systems, and that Qilin had posted almost 400GB of stolen data, including patient names, dates of birth and descriptions of blood tests, on their darknet site and Telegram channel.
  • The city of Cleveland announced on June 10 that it would take its systems offline for several days to contain a cyberattack that affected some city services but not emergency services, utilities, public works, the airport, and online payments. City officials did not identify an attacker or specific demands.
  • The restaurant chain Panera Bread notified some employees in mid-June that their personal information had been stolen by unknown hackers in a March ransomware attack. The information included names and Social Security numbers and possibly other employment information. Security and technology news publication BleepingComputer reported in April that Panera had suffered an attack that took down its “internal IT systems, phones, point-of-sales systems, website, and mobile apps,” adding that “employees could not access their shift details and had to contact their managers to learn work schedules.”
  • The AP reported in late June that Change Healthcare, a subsidiary of healthcare giant UnitedHealth Group that provides technology used to submit and process billions of insurance claims a year, had started to notify hospitals, insurers and other customers that they may have had patient information exposed from a major cyberattack. The company also said it expects to begin notifying individuals or patients in late July.

Wake-up call of the month

The list could go on — and on. And one of the more alarming things about it is that every time a catastrophic attack produces some mainstream media coverage, it’s labeled a “wake-up call,” as if this sort of thing had never happened before.

The CDK Global attack was no exception. Automotive News quoted Erik Nachbahr, president of cybersecurity services provider Helion Technologies, who called it “a terrible wake-up call for the industry. This is only the beginning … It remains clear that determined cybercriminals have the upper hand and their dominance is growing.”

So is the danger of damages that go well beyond financial. In a post on the UK’s Royal United Services Institute (RUSI) website, the authors noted that the attack on Synnovis illustrates “how ransomware causes cascading harms that may begin with a technical system or service, but ultimately affect individual patients, staff, and even national healthcare provision. The reality of the current ransomware epidemic means that this attack is merely the latest example of its pernicious impact on healthcare services.”

All of which prompts the obvious question: Given decades of awareness about ransomware, available major improvements in software security testing, and regular messages about how to spot phishing and other social engineering attacks, why do ransomware gangs maintain the upper hand?

One reason is the ongoing reality noted by Thomas Richards, principal security consultant with the Synopsys Software Integrity Group, that all it takes is one vulnerable human. “Ransomware groups only need one person to click the link that contains the malicious executable to be successful,” he said.

Another is that “many organizations are burdened with outdated technology and insufficient cybersecurity budgets,” according to John Waller, cloud security practice lead with the Synopsys Software Integrity Group. That, combined with the “increasing sophistication of ransomware attacks makes it challenging to stay ahead of threats. With the healthcare sector’s focus on patient care and the auto industry’s on safety, this often means cybersecurity isn’t prioritized until an incident occurs,” he said.

A third is that ransomware is global. Criminal gangs can attack from anywhere, and don’t have to do it in person. No guns, no car chases, no picking of locks. It’s all done with a keyboard and an internet connection, frequently in nation states that are hostile to the U.S. and other western nations, and therefore beyond the reach of law enforcement.

To pay or not to pay

And then there is the ongoing, decades-long debate over whether victims should pay the ransom. Those who argue against paying have what sounds like a simple, common-sense case: If you don’t pay, the criminals don’t make any profit. If they don’t make any profit, they’ll eventually shut down.

But it’s not that simple, of course. A successful ransomware attack means the criminals have something the victim desperately wants and needs. Losing data could mean losing the ability to function, as noted in the RUSI post about “cascading harms.” Having intellectual property or the personal information of customers made public, which has become a common threat from ransomware gangs, could mean the loss of a competitive edge or expose an organization to massive liability.

For years, the official position of the FBI has been “don’t pay ransoms.” But the agency has also acknowledged that is not always feasible.

Finally, the dream that governments around the world will somehow look past their disagreements and hostilities on other fronts and agree to cooperate on wiping out ransomware remains a dream.

“I don’t see global cooperation to combat ransomware as a real possibility, primarily due to geopolitical rivalries. Adversaries of the West may perceive benefits in allowing cybercriminals to operate freely, seeing it as a means to undermine Western security and economic stability,” Waller said, adding that “varying cybersecurity laws and enforcement mechanisms across countries make it difficult to form a united front against ransomware gangs. While cooperation on certain levels is possible, a comprehensive global effort is unlikely.”

Which means the best defense against ransomware gangs remains what it has been all along — better defense. That means doing the security basics that experts have been preaching for decades. And that starts with awareness. If it wasn’t clear before, it should be clear now — anybody and everybody is a target.

“Organizations often make the mistake of believing it won’t happen to them, thinking they have nothing of value. This is obviously false,” Richards said, “as anyone with money and computing infrastructure — every business — is a target.”

“Organizations should perform regular phishing exercises and require mandatory security awareness training on how to spot phishing attempts and not click links.”

Beyond better resistance to phishing, Waller notes that “ransomware gangs often exploit common vulnerabilities such as unpatched software, weak passwords, and inadequate network segmentation that a mature cybersecurity program can address.”

Do the basics — all of them

That means doing security basics like “regular system updates, adopting advanced threat detection technologies, and developing rapid response plans,” he said.

To that, Richards adds that organizations should have “endpoint protection software installed throughout the organization to detect and prevent the ransomware tools from executing.”

Doing all this won’t make you bulletproof. Nothing will. But it will make your organization a much more difficult target. And attackers are human like everybody else. If they confront a difficult target, they’ll look for an easier one.

That means it will be somebody else, not you, in the headlines.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.