2021-05 Lab Notes Header—Digital Pandemic

Ransomware, malware: 
The new digital pandemics

By now most people know that the 5,500-mile Colonial Pipeline, which runs from Texas to New Jersey and supplies nearly half the fuel used on the East Coast, was forced to shut down after being hit by a ransomware attack, becoming one of the most visible recent victims of a new digital pandemic.

A ransomware attack, yet another of the many ubiquitous malware scourges, consists of locking users out of their own devices or data and then demanding a payment to restore access. A malware program is delivered to the device (the delivery mechanism can be a sophisticated intrusion or a simple phishing email) and either installs a screen locker or encrypts the device's content, whether specific documents or an entire hard drive, rendering it unreadable without a decryption key that only the attackers hold. The demand is simple: pay the ransom to (hopefully) receive the key and regain access to the files or device; paying does not guarantee a working key. Many recent crews also copy data out before encrypting it and threaten to publish it, so the pressure remains even when the victim has backups. Payment may be demanded as gift cards or prepaid debit cards or, more recently, in bitcoin or another cryptocurrency; such payments are pseudonymous and hard to trace, not truly untraceable. Importantly, these attacks are not restricted to personal devices, but can threaten servers and entire company infrastructures.
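The encryption step described above leaves a measurable trace: a document that used to be mostly English text or structured office data turns into bytes that look random. The following is an added example, not code from the newsletter, showing the cheapest defender-side check for that change, a Shannon-entropy measurement over file contents. The file names, the "encrypted" samples (produced here with a seeded XOR keystream, not a real cipher) and the extension lists are all constructed for illustration; compressed and media formats are already near-random, which is why they are excluded to avoid false positives.

```python
"""Entropy-based check for files that look like ransomware output.

Added example (not from the newsletter). Encrypted files sit near the
8 bits/byte ceiling; plaintext documents sit far below it.
"""
import math
import os
import random
from collections import Counter

# Formats whose legitimate content is already near 8 bits/byte (constructed list).
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}
# Extensions ransomware families commonly append to encrypted files (constructed list).
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file as probable ransomware output by suffix or by entropy."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SUSPECT_SUFFIXES:
        return True
    if ext in HIGH_ENTROPY_OK:
        return False                      # normal for compressed/media content
    # Tiny files give noisy entropy estimates, so require a minimum size.
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def scan(files: dict) -> list:
    """Return the sorted names of files flagged by looks_encrypted()."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d))


def fake_encrypt(data: bytes, seed: int = 1) -> bytes:
    """Stand-in for the attacker's encryption step: XOR with a seeded
    pseudo-random keystream. Not a cipher; used only so the sample is
    deterministic and has the same near-uniform byte distribution."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in data)


# Constructed sample "disk": one plaintext document, one encrypted in place,
# one renamed with a ransomware suffix, and one legitimate archive.
PLAIN = ("Quarterly fuel delivery schedule for the northeast corridor. " * 20).encode()
SAMPLE_FILES = {
    "schedule.txt": PLAIN,
    "notes.docx": fake_encrypt(PLAIN, seed=2),       # encrypted, original name kept
    "report.pdf.locked": fake_encrypt(PLAIN, seed=3),
    "backup.zip": fake_encrypt(PLAIN, seed=4),       # high entropy is expected here
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:20s} entropy={shannon_entropy(data):.2f} bits/byte")
    print("flagged:", scan(SAMPLE_FILES))
```

In practice this runs as a file-system watcher over recently modified files rather than a one-shot scan, and a sudden burst of high-entropy writes across many documents is the signal worth alerting on; a single flagged file is usually a compressed attachment.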

According to information technology (IT) managers worldwide, the ransom paid to cybercriminals accounts for only roughly half of the cost of a successful ransomware attack. Even after obtaining a decryption key, companies and organizations still need to pay for all the working hours required to restore their systems, clean up any collateral damage caused by the encryption process, and strengthen their cybersecurity. 


Continued from the emailed newsletter

For context, according to industry estimates based on FBI ransomware statistics, the cost of cybercrime could reach more than $5 trillion for the period between 2019 and 2023. As a result of these ongoing online threats, every type of organization will have to invest more in cybersecurity products and services, to the tune of over $1 trillion worldwide by 2025.

Chillingly, cybercriminals have not hesitated to focus on truly dangerous targets like healthcare institutions as among those most likely to quickly pay ransom in order to get their data restored. Medical records have been made inaccessible or even lost, urgent surgical procedures halted, patient referrals not made, and many lives put in jeopardy.

In a surprising turn of events, DarkSide, the criminal hacking group responsible for the Colonial Pipeline attack, presented itself as an exception among malicious hackers. It claimed to target only those who have the means to pay or who are known to carry cybersecurity insurance, and then expressed contrition for the Colonial Pipeline attack. “We are apolitical,” the hackers wrote. “We do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. Our goal is to make money, and not create problems for society.” 

These statements highlight what sets ransomware apart from classic viruses and worms like Stuxnet and MyDoom. Whereas those older forms of malware could cause great harm, they arguably did not directly benefit their creators and perpetrators. Ransomware, on the other hand, is a very effective way to make money, an incentive that means there are likely many more perpetrators focused on it than on previous types of malware, which lacked a consistent monetization strategy.

Hackers holding one of America’s most important energy pipelines hostage for a payout should be a stunning wakeup call. It also served as yet another big warning to arguably an even bigger potential target: the finance sector. Malware disrupting the flow of money, including financial and brokerage transactions and the workings of ATMs, certainly would rattle confidence in the nation’s entire financial system. Federal Reserve Chairman Jerome Powell recently warned that cyberattacks are the No. 1 threat to the global financial system, much more so than the kinds of lending and liquidity risks that sparked the 2008 financial crisis. Hackers who manage to shut down a major payment processor, he said, could bring important parts of the financial system to a screeching halt. 

Thankfully, this nightmare scenario has already been a hot topic in the finance and cybersecurity sectors. In fact, banks and stock exchanges overseas have already been hit by damaging cyberattacks in recent years, but the good news is that, no doubt partly as a result, they also have been diligently building robust cyber defenses. Nevertheless, the main threat to banks’ cyberdefenses is third parties with lax security practices, including consultants, law firms, contractors and other vendors. As with most types of malware, the weakest point in any organization’s defenses is often its human employees and partners. Time and again, the vulnerability exploited had less to do with a failed firewall or exposed server and more with a person opening an email attachment or reusing the same password on multiple accounts. In other words, the issues often lie in training and policy enforcement rather than in technology investment alone.

Experts have predicted that a ransomware attack will occur in the U.S. every 11 seconds in 2021, a significant increase in frequency from one attack every 40 seconds in 2016. These attacks have also become more damaging as cybercriminals are able to compromise even large organizations like Colonial Pipeline, which reportedly paid about $5 million. This may partly explain why the average ransom has gone up from $41,000 in the third quarter of 2019 to a little over $230,000 in 2020, more than a fivefold increase.

Yet responses from cybersecurity experts to the Colonial Pipeline hack have been surprisingly mixed. Several experts have dismissed its broader significance and said there was no cause for panic. DarkSide’s ransomware attack was rated by some as a bungled extortion plot of a kind that “happens all the time.” It seems DarkSide’s strangely apologetic explanation that it was not trying to compromise America or its supply of gas has been taken as a sign that the attack was not so serious after all. Others chalked up the success of the attack to sloppy corporate security practices, not a sign of risk of widespread infrastructure shutdowns. We at St. James Faith Lab remain concerned about the damage that would have been caused had the attackers been less remorseful.

Indeed, U.S. lawmakers were warned long before about ransomware and other threats to U.S. infrastructure. In fact, some of these dire warnings even said that ransomware would become the next form of “pandemic”: a digital pandemic, as it were. The Colonial Pipeline hack may have been the largest one to hit U.S. energy infrastructure, but that in no way means the incident could not be dwarfed in the future. Warnings about the national security-level threat could not have been clearer for the President, Congress and the rest of the nation, including its businesses of every size.

As mentioned above, one of the surest ways to mitigate this threat and protect our devices and companies is for each of us to individually learn and follow security best practices: use long and varied passphrases and never reuse them across accounts, question every email you receive before opening an attachment or link, verify whatever page it is you are about to type a password into, and keep a backup that malware running on your machine cannot reach. St. James Faith Lab will continue to provide and update these best practices for our readers and community.
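The advice to verify the page before typing a password is the one most readers skip, because phishing pages are built to pass a glance. The following is an added example, not the newsletter's own guidance, of what that check looks like when written down as rules: the connection must be HTTPS, the hostname must be exactly a site you hold an account with (or a subdomain of it), and the common tricks must be refused explicitly: a trusted name buried inside an unrelated domain, a trusted name placed before an "@" so the browser actually connects elsewhere, digit-for-letter look-alikes, and internationalized (punycode) hostnames. The trusted-domain list and every sample URL below are constructed for illustration.

```python
"""Decide whether a login URL really belongs to a site the user trusts.

Added example (not from the newsletter). TRUSTED_DOMAINS and the sample
URLs are constructed; in practice the list is the handful of sites the
reader actually holds accounts with.
"""
from urllib.parse import urlsplit

# Hypothetical sites the reader holds accounts on (constructed list).
TRUSTED_DOMAINS = {"example-bank.com", "mail.example.org"}

# Single-character look-alikes phishers substitute into hostnames.
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def skeleton(host: str) -> str:
    """Fold common look-alikes so 'examp1e-bank.com' compares equal to 'example-bank.com'."""
    return host.translate(_CONFUSABLE_CHARS).replace("rn", "m").replace("vv", "w")


def is_trusted(host: str) -> bool:
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url: str) -> tuple:
    """Return ('ok', host) if it is safe to type a password into url,
    otherwise ('reject', reason) naming the trick that was detected."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")      # hostname is already lowercased
    if parts.scheme != "https":
        return ("reject", "not https")
    if not host:
        return ("reject", "no hostname")
    if parts.username is not None or parts.password is not None:
        # "https://example-bank.com@evil.net/" really connects to evil.net.
        return ("reject", f"userinfo before '@' hides real host {host}")
    if is_trusted(host):
        return ("ok", host)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("reject", "internationalized (punycode) hostname, possible look-alike")
    if is_trusted(skeleton(host)):
        return ("reject", f"homoglyph look-alike of {skeleton(host)}")
    for d in TRUSTED_DOMAINS:
        if d in host:
            # e.g. example-bank.com.evil.net or login-example-bank.com
            return ("reject", f"trusted name '{d}' embedded in untrusted host {host}")
    return ("reject", f"untrusted host {host}")


def audit(urls: list) -> dict:
    """Classify every URL; returns {url: (verdict, detail)}."""
    return {u: classify(u) for u in urls}


# Constructed sample links, as they might arrive in email.
SAMPLE_URLS = [
    "https://online.example-bank.com/login",
    "http://example-bank.com/login",
    "https://example-bank.com.evil.net/login",
    "https://examp1e-bank.com/login",
    "https://example-bank.com@evil.net/login",
    "https://xn--exampl-bank-xyz.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, (verdict, detail) in audit(SAMPLE_URLS).items():
        print(f"{verdict:6s} {url:45s} {detail}")
```

Note the last sample: only mail.example.org is trusted, so example.org itself is rejected. Matching is per entry in the list, not per company name, which is exactly how a browser's password manager decides whether to offer a saved password, and why its silence on an unfamiliar page is itself a warning.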

The Rev. Canon Cindy Evans Voorhees

Executive Director

St. James Faith Lab
