- What exactly is ransomware?
- Why the recent surge in ransomware attacks?
- Catastrophic ransomware attacks in 2021
- How can ransomware infections be prevented?
Ransomware attacks are among the most common cybersecurity breaches, mainly because they are relatively easy to execute. During ransomware attacks, cybercriminals target individuals or businesses by locking them out of their computer systems and holding their data hostage, after which the victims are instructed to pay a ransom to have their access restored. Over the past year it became clear that many companies and organisations, large and small, are not adequately protected against this type of cybercrime, which can have disastrous consequences. The largest ransomware payout this year was made by American insurance company CNA Financial. To regain control of its network after a ransomware attack in March, the firm paid $40 million, setting a world record.
What exactly is ransomware?
You can become a victim of ransomware attacks when malware enters your computer via a website that has been hacked (or a legitimate website with malicious ads), when you download infected files, when you install apps or programmes from unknown sources, when you open a malicious attachment or link in an email, and various other ways. Ransomware locks you out of your computer and prevents access to your data until you pay a large payment in cryptocurrency. It’s very difficult to defend your systems against this type of malware, whereas the code behind it is easy to get hold of via online criminal marketplaces.
Ransomware often targets organisations with huge volumes of sensitive (consumer) data and cyber insurance policies, which makes them more likely to pay large sums of money, like medical institutions, government organisations, supermarket chains, media conglomerates, banks, universities, and so on. “Many high-profile ransomware attacks have occurred in hospitals or other medical organisations, which make tempting targets: attackers know that, with lives literally in the balance, these enterprises are more likely to pay a ransom to make a problem go away,” according to cybersecurity blog CSO.
Why the recent surge in ransomware attacks?
In June 2021, approximately 1,210 companies per week were targeted in ransomware attacks around the world, with the transportation, retail, and education sectors experiencing the largest increases in attacks. These attacks have seen an upsurge because it’s becoming easier for cybercriminals to execute them. Hackers can easily learn what to do from sites like YouTube and effortlessly access ransomware software-as-a-service. The payment methods are becoming easier as well, thanks to anonymised cryptocurrency transfers that enable exorbitant extortion amounts. And because of our increasing reliance on digital infrastructure, victims are more willing to pay. This makes for a lucrative business, encouraging cybercriminals to increase their attempts.
“The ransomware business is booming. We’re seeing global surges in ransomware across every major geography, especially in the last two months. We believe the trend is driven by scores of new entrants into the ransomware business,” according to Lotem Finkelstein, head of threat intelligence at Check Point Software. Another reason why ransomware attacks are on the rise is the rapidly increasing use of the internet. As a result of the pandemic, millions of people around the world have been forced to work and learn online.
Noteworthy ransomware attacks in 2021
We’re a little over halfway through the year and we’ve already seen an incredible increase in the number and severity of ransomware attacks, including record-breaking ones. Not even organisations that offer security or insurance against these attacks have been left unaffected. As a result of the impact of the disruption, downtime, exposed data, and financial losses, many victims succumbed to the demands, even though not all of the attackers had guaranteed fully restored access to data. Here’s an overview of the most noteworthy ransomware attacks this year.
In February of this year, Kia Motors America, which is headquartered in California, fell victim to a ransomware attack by the DopplePaymer ransomware gang. Kia did not officially confirm the attack, although the company reported widespread IT, phone services, and payment systems outages, as well as dealer-specific applications disruptions that lasted for days. The attack impacted many significant systems, such as those needed for customers to take delivery of newly purchased vehicles, and affected Kia’s customer support, self-help portals, and mobile UVO Link apps, which resulted in customers being unable to access features like remote start on their cars. According to experts, the attack was accompanied by a ransomware note, claiming that a significant amount of company data had been exfiltrated, and demanding a $20 million payment in Bitcoin to get files unlocked and prevent the gang from releasing them to the public.
In March, CNA Financial, one of the world’s largest commercial insurance providers, was hit by a sophisticated ransomware attack, causing widespread network disruptions. Two weeks after hackers stole CNA’s data and locked its systems, the insurer paid a whopping $40 million ransom, Bloomberg reported. The attackers, who are reportedly connected to the Russian-backed Evil Corp cyber syndicate, used a new version of the Phoenix CryptoLocker malware, encrypting data on more than 15,000 computers in CNA’s network, as well as the computers of remote workers that were connected to the same network.
According to reputable sources, CNA initially ignored the hackers’ demands, and pursued options to recover their data without engaging with the cybercriminals. A week later, the company did enter into negotiations with the hackers, who initially demanded $60 million. According to a CNA official, the ransomware attack took approximately three weeks to resolve, after which systems were restored and no customer accounts were compromised.
Ireland’s Health Service Executive (HSE)
On 14 May, in the wake of a catastrophic ransomware attack by the Conti ransomware group, Ireland’s Health Service Executive (HSE), the government organisation that runs all public health services in Ireland, shut down its IT systems as a precautionary measure, rendering computer records inaccessible. Access to many health services was disrupted, leading to delays and cancellations for patients. At many healthcare centres, patients were asked to bring in paper documents. During the attack, some patient and staff data was accessed and leaked, including medical information, names, (email) addresses and telephone numbers.
In a statement on its website, the HSE stated: “A small amount of HSE data has appeared on the dark web. Action is being taken to assist the people affected by this.” On 5 July, healthcare services were still severely disrupted following the ransomware attack. Despite this, neither the HSE nor the government were prepared to pay the $20 million ransom. In an unexpected turn of events, the Conti ransomware group handed over the decryption tool to restore the network. On its website on the darknet, Conti told the HSE that “we are providing the decryption tool for your network for free. But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation.”
On 7 May, the Colonial Pipeline Company, which operates the largest petroleum pipeline in the US and provides nearly half of the East Coast’s fuel supply, reported that it had fallen victim to a ransomware attack. The attack, which was linked to the Russia-based hacker group Darkside and was reportedly the largest ever cyberattack on an American energy system, forced the company to disable the pipeline and shut down several of its systems. The shutdown lasted for several days and caused panic buying, price spikes, and fuel shortages. Colonial Pipeline CEO Joseph Blount said that he authorised the $5 million ransom payment because executives were unsure how badly the company’s systems were breached and it was uncertain how long it would take to bring the pipeline back. “I didn’t take it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.” $2.3 million was later recovered from the hacker group by US law enforcement officials.
Shortly after the Colonial Pipeline Company attack, global meat packer JBS USA was next to be hit by a ransomware attack, which forced the company to shut down operations in Canada, Australia, and the US, threatening food supplies and risking higher food prices for consumers. According to a JBS-issued statement, the company’s global facilities were back in operation after the cyber attack had been resolved, crediting its own “swift response, robust IT systems and encrypted backup servers.”
A while later however, the company confirmed that it had paid $11 million to Russia-linked hacking group REvil (also known as Sodinokibi) to ensure that no data was exfiltrated, to avoid further disruption to production, and limit the impact on farmers, grocery stores, and restaurants. A large part of JBS’s facilities, however, were operational at the time of payment. “Preliminary investigation results confirm that no company, customer or employee data was compromised”, according to the beef manufacturer. While paying ransoms is discouraged by the FBI, JBS said it had consulted with third-party cybersecurity experts “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
Coop supermarkets in Sweden
On 3 July, as a result of a catastrophic ransomware attack, hundreds of Coop supermarkets in Sweden had to close their doors as their point-of-sale tills and self-service checkouts had become inoperable, preventing Coop employees from processing payments. Only five of Coop’s more than 800 stores had not been affected. The attack wasn’t aimed directly at Coop but was part of a worldwide attack in which Miami-based software company Kaseya, a provider of remote management app solutions, was the main target.
By exploiting software security gaps, the cybercriminals managed to infect another 1,000 companies worldwide that use Kaseya customer systems with the REvil encryption Trojan disguised as a software update. The ransomware locked data in encrypted files, after which hackers demanded $70 million to restore the data. Besides the Coop chain of stores, many other companies around the world were affected by this attack. Ciaran Martin, cybersecurity professor at Oxford University, said this was “probably the biggest ransomware attack of all time.” The criminals claiming responsibility for the attack said they had infected more than a million systems.
How can ransomware infections be prevented?
Due to their ease of use and profitability, ransomware attacks are becoming increasingly rampant. Andrei Mochola, head of consumer business at Kaspersky Lab, says: “We urge all ransomware victims, whether large organisations or single individuals, not to pay the ransom demanded by criminals. If you do, you will be supporting the cybercriminals’ businesses. And, as our study shows, there is no guarantee that paying the ransom will actually give you access to your encrypted data.” Prevention is the best cure, and there’s quite a bit you can do to make sure you don’t become the next ransomware attack victim.
Firstly, it’s important to get the best security system you can afford. Staying alert is another way to stave off ransomware infection. If you notice your systems are slowing down, disconnect from the internet, switch your systems off, and get help from your network security provider. It’s also important to train staff members on the dangers of cybercrime and make them aware of the importance of cybersecurity. Use data encryption to protect personal information, emails, and file exchanges. Make regular backups of your data. Prevent and fix vulnerabilities by upgrading applications regularly, and instruct employees to use different passwords for the various applications they use.