BOSTON (AP) — Political hand-wringing in Washington over Russia’s hacking of federal agencies and interference in U.S. politics has mostly overshadowed a worsening digital scourge with a far broader wallop: crippling and dispiriting extortionary ransomware attacks by cybercriminal mafias that mostly operate in foreign safe havens out of the reach of Western law enforcement.
Stricken in the United States alone last year were more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.
All the while, ransomware gangsters have become more brazen and cocky as they put more and more lives and livelihoods at risk. This week, one syndicate threatened to make available to local criminal gangs data they say they stole from the Washington, D.C., metro police on informants. Another recently offered to share data purloined from corporate victims with Wall Street inside traders. Cybercriminals have even reached out directly to people whose personal info was harvested from third parties to pressure victims to pay up.
“In general, the ransomware actors have gotten more bold and more ruthless,” said Allan Liska, an analyst with the cybersecurity firm Recorded Future.
The U.S. government now deems ransomware a national security threat. The Department of Justice has just created a task force to tackle it.
On Thursday, a public-private task force including Microsoft, Amazon, the National Governors Association, the FBI, Secret Service and Britain and Canada’s elite crime agencies delivered to the White House an 81-page urgent action plan for an aggressive and comprehensive whole-of-government assault on ransomware, with Homeland Security Secretary Alejandro Mayorkas set to accompany them for a formal online launch at 1 p.m. EDT.
WHERE DID RANSOMWARE COME FROM? HOW DOES IT WORK?
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. They are a continuation and refinement — ransomware was barely a blip three years ago — of more than two decades of cyber-thieving that spammed, stole credit cards and identities and emptied bank accounts. The syndicates have grown in sophistication and skill, leveraging dark web forums to organize and recruit while hiding their identities and movements with tools like the Tor browser and cryptocurrencies that make payments — and their laundering — harder to track.
Ransomware scrambles a victim organization’s data with encryption. The criminals leave instructions on infected computers explaining how to negotiate the ransom payment and, once it is paid, provide the decryption keys.
Last year, ransomware crooks expanded into data-theft blackmail. Before triggering encryption, they quietly exfiltrate sensitive files and threaten to expose them publicly unless ransoms are paid. Victims who diligently backed up their networks as a hedge against ransomware now had to think twice about refusing to pay. At the end of 2019, only one ransomware group had an extortion site online that would publish such files. Now more than two dozen do.
Victims who refuse to pay can incur costs that far exceed the ransoms they might have negotiated. It happened recently to the University of Vermont Health Network. It suffered an estimated $1.5 million a day in losses in the two months it took to recover. More than 5,000 hospital computers, their data scrambled into gibberish, had to be wiped clean and reconstituted from backed-up data.
The University of California-San Francisco, heavily involved in Covid-19 research, barely hesitated before paying. It gave the criminals $1.1 million last June. Manufacturers have been especially hard-hit this year, with ransoms of $50 million demanded of computer makers Acer and Quanta, a major supplier of Apple laptops.