The Looming Threat of Ransomware Attacks
June 8, 2021
In mid-May 2021, the CEO of Colonial Pipeline, a major gas pipeline that services much of the East Coast of the U.S., admitted that his company paid hackers an estimated $4.5 million in ransom in return for the release of its computer systems from their hostage takeover. Shortly after, in late May, JBS, one of the world’s largest meat processing companies, was targeted by a ransomware cyber-attack as well. This attack temporarily shut down some of its operations in Australia, Canada and the U.S. Both ransomware attacks reportedly originated from criminal groups based in Russia.
This is an ongoing series. Be sure to check back on our website and social media for future updates on this story from other industry experts at Capitol.
In ransomware attacks, crime syndicates use malicious software to infiltrate a victim's computer system, encrypt its contents, and display a ransom note demanding payment, generally in hard-to-trace cryptocurrency, in exchange for a code to unlock the encrypted data. Such ransomware attacks have become prevalent because if the ransom is not paid, the victim is unable to access their crucial proprietary data or operations, with the added risk of having their IT systems further sabotaged or their sensitive information publicly released.
With ransomware criminals holding many computer systems and data hostage on a daily basis around the world, demanding large sums of money from victims to restore order, what can be done to prevent and defeat these threats?
To answer this question, we asked Dr. Joshua Sinai, Professor of Practice, Counterterrorism Studies, to explain how to manage these threats.
Q: In security breaches involving a ransom, does paying the money tend to deter the attacker from committing further attacks on the same target, or is it likely that it could happen again from either the same attacker OR different attackers who saw that the target paid the ransom and hope they can receive a ransom payment too?
A: Whether to pay ransoms to cyber criminals to release computers and their data from remaining hostage is a complex issue. This is because many cyber breaches are difficult to trace and their perpetrators difficult to identify; the perpetrators exploit social engineering techniques to install their ransomware, and many of them operate from countries where their illicit activities are tolerated by their governments, which may even be complicit in sharing their illicitly gained profits.
In light of these complications, there are three basic ways to answer this question. The first is the law enforcement agency recommendation for those being targeted not to pay a ransom. Since ransomware is a profit-making crime, it is hoped that, just like the recommendation not to pay ransoms to terrorists and criminals for kidnapping an organization’s personnel, by denying the perpetrating criminals the opportunity to profit from the cyber attack, this would serve as a deterrent.
In a second answer, however, while organizations and companies that have strong cyber defense systems might succeed in foiling ransom attacks, those with weaker systems will still be vulnerable, with criminals shifting their attacks to those less capable of affording the “downtime” caused by a denial of service of their systems. This would leave such victims unable to afford not paying their attackers’ demands for ransom, even though they understand that it is preferable not to give in to their extortionists’ illicit demands.
In a third answer, paying ransoms is not illegal,1 with no government penalties for such coerced payments. There are also no penalties for paying ransom in secret,2 as victims calculate that it is preferable to hide such attacks and their ransom payments than to have them publicized and incur damage to their reputations as supposedly cyber ‘safe’ companies.
To solve these dilemmas for the targeted victims, several solutions are available. First, at the micro-level, it is important to note that while no one can prevent 100 percent of cyber attacks, cybersecurity departments need to be well prepared to respond with the cycle of resilience for any potential incident in the form of awareness (of the threat), preparedness (in the form of a risk assessment of how a threat might impact on organizational vulnerability and consequence of an attack, implementation of appropriate protective measures, and training and exercises), response (with quick and proactive response measures already in place, including coordinating the response with the legal and financial departments and law enforcement), and recovery (in the form of protocols in place for continuity of operations), all of which will help to ensure organizational resilience.
These proactive measures need to be adopted at all levels of an organization, beginning with buy-in from the top leadership that a ransomware attack is inevitable, thus requiring a robust resourcing of the necessary protective measures.
Second, a possible long-term solution at the macro-level is a proposed initiative by the Ransomware Task Force (RTF), a global coalition of cyber-experts from leading organizations and companies around the world, which has formulated four goals and 50 recommendations to mitigate the threat of ransomware extortion through a public-private partnership.3 The four goals consist of deterring ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; disrupting the ransomware business model and decreasing criminal profits; helping organizations prepare for ransomware attacks; and responding to ransomware attacks more effectively.4
In the meantime, until the RTF’s recommendations are implemented, at the micro-level the question of whether or not to give in to a cyber criminal’s ransom extortion will need to be answered on a case-by-case basis, with the victimized organization coordinating its responses with law enforcement and homeland security agencies in its country and internationally, who hopefully will be able to apply the latest investigatory techniques to identify and apprehend the perpetrating attackers.
Finally, with the nuclear industry sector, in particular, mandated to maintain high cyber safety standards, especially in the United States, which makes it less vulnerable to cyber ransom attacks, governments need to enforce minimum cybersecurity safety standards on companies in the other critical infrastructure sectors (including the non-nuclear energy sector, which is ranked #3 among the most attacked sectors after finance and manufacturing). These would include measures to prevent computer intrusions, to maintain secured backups of their data and systems, and to ensure operating systems, software, and applications are up to date, with anti-virus and anti-malware solutions set to automatically update and run regular scans.5
Q: Is it common for ransom payment to be used to track down the attackers? If so, is it usually easy to get the money back eventually?
A: The cyber criminals operate anonymously, covertly, and in countries that tolerate their illicit activities, and they utilize complex combinations of Bitcoin crypto-currency, with instructions on TOR (“The Onion Routing”) dark websites providing the victims with payment instructions and the specific bitcoin “wallets” to pay into.6 This enables them to hide their identity, which makes it difficult to trace the payments they receive and the geographical locations of the attackers.
It is possible, nevertheless, to employ certain techniques to track down the attackers. The first step is to identify the bitcoin exchange through which the victims are instructed to transfer the funds into the criminals’ “wallet” accounts, and the origins of the decryption keys they receive to recover their breached files. The second step is to identify the bitcoin wallets associated with each ransomware “family.”7 In the third step, the transfer of the ransom payments needs to be tracked through the bitcoin chain in order to uncover the instruments used by the cybercriminals to cash out their illicit gains at the exchange points.8
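The second and third steps above, as an added example that is not part of the interview: a toy Python walk over a constructed transaction graph (address names, transaction ids and amounts are invented) that follows a ransom payment forward to labelled exchange deposit addresses and groups co-spent input addresses with the common-input-ownership heuristic used to attribute addresses to one wallet.

```python
from collections import deque

# Constructed transactions (not real chain data): input addresses spent -> (address, amount) outputs.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["victim_addr"], "outputs": [("ransom_wallet", 75.0)]},
    {"txid": "tx2", "inputs": ["ransom_wallet"], "outputs": [("split_a", 40.0), ("split_b", 35.0)]},
    {"txid": "tx3", "inputs": ["split_a"], "outputs": [("exch_dep_1", 40.0)]},
    {"txid": "tx4", "inputs": ["split_b", "other_addr"], "outputs": [("peel_1", 30.0), ("exch_dep_2", 10.0)]},
]
# Constructed labels for deposit addresses attributed to exchanges (the cash-out points).
EXCHANGE_ADDRESSES = {"exch_dep_1": "ExchangeA", "exch_dep_2": "ExchangeB"}

def trace_cashouts(txs, start_addr, exchange_addrs, max_hops=8):
    """Walk forward from start_addr breadth-first and return (label, address, tx path)
    for each labelled exchange deposit address reached within max_hops transactions."""
    forward = {}  # input address -> [(txid, output address)]
    for tx in txs:
        for src in tx["inputs"]:
            forward.setdefault(src, []).extend((tx["txid"], dst) for dst, _ in tx["outputs"])
    seen, queue, hits = {start_addr}, deque([(start_addr, [])]), []
    while queue:
        addr, path = queue.popleft()
        if addr in exchange_addrs:  # reached a cash-out point: stop following this branch
            hits.append((exchange_addrs[addr], addr, path))
            continue
        if len(path) >= max_hops:  # bound the walk; long peel chains are cut off here
            continue
        for txid, nxt in forward.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [txid]))
    return sorted(hits)

def common_input_clusters(txs):
    """Group addresses that are co-spent as inputs of one transaction (common-input-ownership
    heuristic), which attributes further addresses to the same wallet as the known one."""
    parent = {}
    def find(a):
        while parent.setdefault(a, a) != a:
            a = parent[a]
        return a
    for tx in txs:
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(tx["inputs"][0])
    clusters = {}
    for a in list(parent):
        clusters.setdefault(find(a), set()).add(a)
    return sorted(sorted(c) for c in clusters.values())
```

The heuristic is only a heuristic: CoinJoin-style transactions deliberately co-spend inputs from different owners, so clusters need corroboration before they are treated as one wallet.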
Q: If a ransom is not paid and the situation escalates, how likely would it be for a cyber attacker to bring the crime into the physical realm? For example, if the pipeline CEO hadn’t paid the money, do you think the attacker could have taken further action by physically hurting somebody, compromising the infrastructure by blowing it up, or something of that nature?
A: While it is possible for a cyber attacker to escalate the attack if the victim refuses to pay the ransom, especially if the attacker has planted additional malicious code into the IT network, since it is likely that the attacker is operating from another country, it would be constrained in combining it with a physical attack, since a local presence would be necessary to reach the target.
Nevertheless, in what is termed a “cyber-physical attack,” a cyber-attack can inflict physical damage by taking control of the computing-related components of critical infrastructure sectors such as water pumps, transportation, and pipeline valves, and by causing them to fail, causing property damage as well as human fatalities. Examples might be causing a failure of a centrifuge, or any ICS component, which might lead to gas leaking, or attacking a transportation system’s communication nodes, with the chaos caused by routing breakdowns damaging trains and injuring passengers, with such attacks moving from “cyber to physical and human” and endangering the safety of the affected populations.
Q: Building off of question 3, do you think that using cyber-crime to compromise critical infrastructure such as the pipeline could be the first step to something larger? How likely is it that the attacker breached the pipeline’s security to intentionally weaken the population through gas shortages so that they couldn’t go very far, and therefore could be easier targets for a physical attack? (Is that a crazy theory, or has something like that ever happened before?)
A: The Colonial Pipeline ransomware attack was allegedly carried out by a criminal group, but with a massive attack in early 2020 in which hackers allegedly backed by the Russian government penetrated the Texas-based SolarWinds’ information technology systems by inserting malicious code into the company's software system, which set off a massive spillover attack into its clients’ own information systems, this represented a new scale of nation-state aggression in cyber warfare. In a new and concerning trend, nation-state attacks against their adversaries might start with a cyber-attack and continue with other types of physical attacks. Already, it is reported that certain countries are recruiting cyber-criminal groups to attack their adversaries, as a way to deny their own responsibility for such attacks (which may have been the case with the SolarWinds attacks).
In response to the need to significantly upgrade the United States’ early warning and detection systems to identify such cyber vulnerabilities and be ahead of adversary state-backed cyber-criminal groups, on May 12, 2021, the White House issued a new “Executive Order on Improving the Nation’s Cybersecurity,”9 overhauling and modernizing cybersecurity defenses to protect U.S. critical infrastructure, through measures such as public-private sector partnerships in enhancing detection capabilities, greater information sharing and timeliness of breach notifications, and upgrading the response and remediation process for cyber incidents. As another deterrent measure, the Administration also announced that any adversary country cyber-attacks against the U.S. would be met with vigorous response measures, ranging from various forms of sanctions to other proactive retaliatory measures.
Dr. Joshua Sinai is Professor of Practice, Counterterrorism Studies, at Capitol Technology University. He greatly appreciates the peer review suggestions by Tony El Haiby, a Doctoral student in counterterrorism studies at Capitol Technology University, who is an expert on cybersecurity.