Unknown: This is probably the
most significant ransomware attack on one of our critical
infrastructures ever. Colonial Pipeline is the
operative largest pipeline Last month, hackers took our
gasoline hostage now they're carrying fuel from the Gulf
Coast to the northeast, it was hit with a ransomware attack. attacking our meat supply. JBS says units in Australia and
North America were hit over the weekend by what the company is
calling an organized cyber attack on its information
system. The US recently faced a series
of ransomware attacks and they aren't showing signs of slowing
down anytime soon. Although ransomware has really
been around since 2013, it is not yet been seriously taken in
terms of something that could impact critical infrastructures
such as the Pipeline. Ransomeware, a program that
hackers use to hold digital information hostage, has become
the top choice of malware for criminals. Mark Bleicher
negotiates these hostage situations for victims. We have a 911 line similar to
how you would have a 911 for the police if you need to call. So
we'll get an email from a client or an insurance carrier or a law
firm saying that they have someone who was just hit with
ransomware, and the next steps is for us to assemble and get on
a call. And lots of money is at stake.
In 2020, the total amount of ransome paid by the victims
reached nearly 350 million dollars worth of cryptocurrency.
A 311% increase compared to the previous year. Plus it takes a
serious emotional toll on the victims. Violated they have gotten into
our network and into places that we don't know where they've
gotten. We don't know what systems they have touched. It is
definitely a moment of realization that the things you
thought you were protected from the layers that you had in place
they wrote around them, they customize their attack and wrote
systems to infiltrate and destroy. So what led to the rise of
ransomware in the US and what makes it so difficult to fight
them. What makes ransomware so effective is its capability to
entirely disrupt an enterprise or infrastructure like the
Colonial Pipeline, it usually makes its way in via a phishing
email or network connection that isn't secured encrypting the
victims file to prevent access. The malicious actor then demands
a ransom in exchange for decrypting the files held
hostage Highest I've ever seen was about
70 million. This is Mark Bleicher, and he
has a job like no other as the managing director at Arete
Incident Response. He is on the front line in a battle against
ransomware. In the United States. In the beginning of 2020, we
start to see a new trend that is The negotiation then takes place
in a chat room on the dark web now prevalent throughout the
industry where not only did they encrypt your data, but they also
had stole that data and then they threatened to post or leak
that data if the ransom isn't paid. So that really has driven
up the ransom demand because from the victim's perspective,
you have to consider Well, we need to pay to get our data
unlocked, or we pay to have that not leaked. that can be located via a unique
identifier included in a digital ransom note. That's where
Bleicher speaks with the bad actors on behalf of the victims. These sites have a chat feature
much like you'd see on any retail site if you had a
question about a product. And that's how you get the
conversation going is you start a conversation within the chat
that's on their site. If the victim makes up their
mind to pay the ransom, and the amount is negotiated, the
payment is made via cryptocurrency. Bitcoin is the
most popular choice, accounting for 98% of ransomware payments
in the first quarter of 2019. That may change now that the US
officials were able to seize $2.3 million in Bitcoin paid to
hacker group Darkside following the Colonial Pipeline attack. Once the payments have been
made, the criminals send a decryption key. And the cycle
goes on to repeat itself with another vulnerable business or
infrastructure. I can tell you over the last two
years, and it's well into the millions, hundreds of millions
victims that we've come across. Ransomware has grown into a
multi billion dollar industry. And surprisingly, a majority of
the ransom paid is shared amongst a relatively small
number of criminals. A recent study found that 199 deposit
addresses received 80% of all the funds in 2020 and an even
smaller group of 25 addresses accounted for nearly half. The
hacking syndicate behind these attacks are often highly
organized with self given names like Evil Corp or Darkside. We have to all realize that the
cyber crime ecosystem is a business. It is a large
underground business. It has all elements similar to a legitimate
legal business. And so there are partnerships and there is
malware developers and there are distributors. First and foremost, you know,
I'm a security practitioner, most of us never thought that we
would get into a situation where we would be negotiating for
essentially the life of a company. These groups have become
increasingly bold, showing off bundles of cash and fancy sports
cars. That's because tracking, arresting and bringing these
hackers to justice is incredibly difficult. It's notoriously difficult to
attribute cyber attacks. It's an ongoing challenge for
governments. And so from an organization's perspective,
whether it's a criminal group, or whether it's a nation backed
group, it often has little A lot of these organizations are
allowed to essentially operate consequence. freely within Russia or other
former Soviet states, as long as they don't hit anybody within
that country or former Soviet state. So unless there's a
cooperation at the political level there, I don't see this
going away anytime soon. Look how much money has been shelled
out over the last five years, let alone the last two, it's
mind blowing. So it's a booming industry. Ransomware attacks impact almost
every sector of the American economy. Unfortunately, it's become a bit
of the sort of classic modus operandi for many hackers and
criminals. And what you're seeing also is that it's pretty
indiscriminate in terms of the industry sectors that it
targets. In 2020. Professional and public
service and manufacturing were the three industries that were
hit the hardest, followed closely by healthcare,
technology and finance. In 2020, a ransomware attack may have
also claimed its first life after taking a hospital offline
in Germany. It has a real cost. There was a
study done by Barron's early in January that said that the
estimated cost of ransomware in 2019, was about 11 point 5
billion in 2020. It is 20 billion. It didn't exactly
double but it got close enough to doubling. So there's a real
financial cost to businesses around ransomware. Ransomware has also grown
sophisticated enough to target government entities and critical
infrastructure in recent years, resulting in costly shutdowns. It's disturbing that there are
people out there that would take down systems for you know,
things like health care, things like government, we provide
water for our city as well as many other cities, they have no
concern or care for their fellow human, it's disturbing. In May of 2021, the city of
Tulsa experienced several technical difficulties following
a ransomware attack. You may try to open up Microsoft
Word, for example, and it won't open part of its system was
actually encrypted. Or you may try to open up a document that
you created, that document is encrypted, and so it can't read
it. Besides the inconvenience, being
a victim of ransomware can be a harrowing experience. There's a range of emotions, you
know, some clients are extremely angry. One of the questions is
why can't they know our government go after these
organizations, a lot of these victims are also in shock, you
know, how could this happen to us. Violated they have gotten into
our network and into places that we don't know where they've
gotten, we don't know what systems they have touched. It is
definitely a moment of realization that the things you
thought you were protected from the layers that you had in place
that they wrote around them, they customize their attack, and
wrote systems to infiltrate and destroy. In order to stop the money
flowing into the industry. The US government has historically
discouraged individuals and businesses from paying their
hackers. In fact, according to the Department of Treasury,
paying the ransom to criminals is illegal if the hackers
demanding the ransom, were subject to US sanctions. But
this leaves many businesses in a tricky situation. If you're an organization that's
been struck by ransomware, it's a tough situation to be in. It's
not ideal to be paying these ransoms. These are criminal
organizations. And of course, there is a whole effort, law
enforcement at government level to stave that activity and
clearly paying ransom fuels the industry. And even if the business chooses
not to pay the ransom, there is the cost of recovery to consider
the average cost of recovery from ransomware attacks
ballooned to 1.8 5 million in 2021, more than doubling from
the previous year. That makes the average cost of recovery 10
times bigger than the size of the actual ransom payments. We don't know the total cost at
this point, because we're in the middle of recovery. would it
cost more than the ransom? Quite potentially, yes. The shutdowns are incredibly
costly. They're labor intensive. They require experts of which
often we don't have enough. The challenge for us is that
they encrypted partial systems. And so basically, we have to go
through and check every single system and verify that A it's
not damaged B it's not got something on it from the actual
attacker and then see that it can still be used for
production. It's a long and arduous process to do that
damage assessment. And the larger your network is, the
larger your application base is, the more disruptive it can be. The 2021 Colonial Pipeline
incident sent shockwaves across the oil industry and the US
government, alerting them on the severity of cybersecurity
concerns. Shortly after President Biden signed an
executive order to strengthen US cybersecurity defenses. When
nearly half of the congressional districts across America hit by
some sort of ransomware attack from 2013 to 2020, voices in
support for more regulations are growing. These are criminals that hit us
in our communities, they lock up our schools our hospitals our
government agencies, and we need to put an end to it. There are a
number of things I think the administration can do. But it's
going to take a collective defense effort, it's going to
take industry, government, and international partnerships. Federal law doesn't directly
address ransomware attacks, it's instead covered under a broad
umbrella of cybercrime laws like the Electronic Communications
Privacy Act and the Computer Fraud and Abuse Act. Congress
has instead focused more on providing state and local
governments with enough resources to fight against cyber
attacks. In 2018, President Trump established the
Cybersecurity and Infrastructure Security Agency or CISA, to
improve cybersecurity across all levels of government. Meanwhile,
house lawmakers rolled out a bill to invest 500 million in
state and local cybersecurity in May 2021. At both the state and local
government, I don't think we have enough guidance on this
from a legal perspective. And yeah, I don't think it's clear
enough. I think the law needs to address these situations where
companies are forced to either go out of business or they pay
the ransom, what are we doing for companies that are in that
position? additionally, how are we incenting companies to do the
right thing and be prepared relative to ransomware. Some states like Michigan,
California and Wyoming have taken matters into their own
hands passing laws that make it illegal to even possess any sort
of ransomware. But there's still a lot of work that needs to be
done, especially when it comes to critical infrastructure.
Roughly 85% of America's critical infrastructure is
privately owned, and private sectors aren't required to
follow the strict cybersecurity guidelines set by the
government. From a critical infrastructure
standpoint, there's an awful lot we need to do to make this a
better security system. But we've got electrical grids in
this country, we have water systems, we have pipelines, we
have a lot of critical infrastructure that is really
open to some of these ransomware attacks and cyber attacks. An
we need to do a much However, the US might prepare
against future threats. One thing is for certain, the recent
series of attacks on American businesses and the government
isn't the end. But the start of many future ransomware attacks
to come. We have to be prepared that it
will happen again, we've dealt with smaller incidents of
ransomware where a single person's files were affected and
we just restored from backup moved on. But I think the
reality is right now, it's something we have to be
prepared for. At any time, the amount of impact it's going to
continue to have will grow and I think the amount of money to be
made will continue to grow. I don't know where that will peak
out. And I don't know if it's just gonna morph into something
even more dangerous and scary. It's hard to say. But I don't
think we're at the peak yet.
