Ransomware Incidents Surging; Cybersecurity Experts Scramble to Respond
By John P. Desmond, AI Trends Editor
Ransomware attacks are ramping up. A former US Attorney suggests that a “surge” in cybersecurity protection is needed to counter the increasing number of attacks from cyber criminals. Other experts say cybersecurity best practices should be applied to plug holes.
The CBS news magazine 60 Minutes on June 6 included a segment on ransomware, which outlined how JBS, the largest meat producer in America, was forced to close for several days, three weeks after Colonial Pipeline, a primary source of gasoline for the US East Coast, was held hostage, causing gas shortages over a weekend.
Then on Monday, June 7, US authorities announced the recovery of $2.3 million in ransom paid by Colonial Pipeline, by using a private cryptocurrency key the FBI had obtained that led to a bitcoin wallet.
The scale of ransomware attacks is enormous. “The losses are very significant and easily approach a hundred million dollars or more just in the United States,” stated Michael A. Christman, assistant director of the Criminal Justice Information Services Division of the FBI, on 60 Minutes.
Tom Pace, Cofounder and CEO of NetRise, a cybersecurity startup, demonstrated on the show a website where would-be attackers can buy ransomware as a service. The operators set it up to scan for vulnerable networks, potentially targeting thousands of sites automatically. Moreover, “They actually provide you with basically a chat room where you can ask questions to the people who maintain this architecture for you,” Pace stated. He then showed how easily he could encrypt a test site he had set up, within minutes, by stepping through several screens, without having to write any code. Needless to say, his clients are reluctant to pay ransom, but many feel they have no choice. “We have lots of clients who are incredibly angry,” Pace stated.
For his clients, “We try to do a really good job of making sure we reduce all the vulnerabilities and entry points,” Pace stated. Still, no guarantee exists that the ransomware attackers will not try attacking the same sites again.
Over the weekend of June 5-6, ransomware attackers targeted the reservation system of the Steamship Authority in southeastern Massachusetts, serving Martha’s Vineyard and Nantucket with ferry service. Boats were still running, but customers could not make online reservations and had to pay cash.
“Since the beginning of April, we’ve seen an average of a thousand organizations impacted by ransomware every single week,” stated Mark Ostrowski, head of engineering for the eastern US for cybersecurity firm Check Point Software, quoted in The Boston Globe. That is twice the rate of attacks he saw last year for cases he knows about.
Former US Attorney Suggests A Cyber “Troop Surge” Response Mode
One former US attorney is suggesting the Justice Department go into a response mode akin to the post 9/11 terrorist attacks. “The department needs a ‘troop surge’ of cyber prosecutors and agents to conduct long-term, proactive investigations into ransomware and the organizations that enable them,” stated Kellen Dwyer in an account in Lawfare, a blog dedicated to national security issues. “A surge of resources for proactive investigations into organized cybercrime is the lowest-hanging fruit on the tree of possible policy responses to ransomware. It should be picked immediately,” he stated.
Hacking is no longer executed by lone wolf techies. Dwyer described “cybercrime-as-a-service” as “a massive business.”
Ransomware attackers need three things to be effective at what they try to do: access to compromised networks, preferably to an organization with deep pockets and a dependency on computers; malware that can remotely and securely encrypt the victim’s data; and a means to receive and launder the resulting ransom payments.
“The widespread availability of such services is the main reason for the recent explosion in ransomware attacks,” Dwyer stated.
The criminals usually demand ransom payments in cryptocurrency, usually Bitcoin or Ether, because it can be transferred without a third party, such as a bank, that could assist law enforcement in conducting traces in an effort to identify the perpetrator. “It’s no coincidence that ransomware attacks have soared with the advent of cryptocurrency,” Dwyer stated.
However, cryptocurrencies do have a weakness from the criminal’s point of view, in that they rely on public ledgers, which enable law enforcement to trace funds from one wallet to the next. The Treasury Department’s Office of Foreign Assets Control (OFAC) has begun freezing cryptocurrency by publishing digital currency addresses that are associated with ransomware, Dwyer indicated. This puts pressure on ransomware gangs to convert ransom payments from cryptocurrency to fiat currency, using exchanges or “mixers.” Dwyer stated, “These services are essential to the ransomware business model.”
Cracking the ecosystem that allows ransomware and cybercrime to flourish will be an increasing focus of law enforcement. Some prosecutions have been successful. “A relatively small number of sophisticated and well-connected cybercriminals play an outsized role in this ecosystem,” stated Dwyer.
The effort to catch more ransomware criminals needs to be funded. “They can be investigated and prosecuted and the organizations that support them can be dismantled, if we are willing to pay the modest price,” Dwyer stated.
The recovery of ransom paid by Colonial Pipeline is an example of how law enforcement plans to follow the money after a ransomware attack. A judge in San Francisco approved the seizure of funds from the “cryptocurrency address” uncovered by the FBI, which was located in the Northern District of California, according to an account from Reuters.
The hack was attributed by the FBI to a gang called DarkSide, described as a cybercrime group based in Russia.
Colonial Chief Executive Joseph Blount stated that the company had worked closely with the FBI from the beginning. “Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks,” Blount stated.
Commerce Secretary Gina Raimondo stated on Sunday the Biden administration was looking at all options to defend against ransomware attacks and that the topic would be on the agenda when President Joe Biden meets Russian President Vladimir Putin this month.
Tom Robinson, co-founder of crypto tracking firm Elliptic, stated that most of the recovered bitcoins had gone to a DarkSide “affiliate” (or customer) who had initially hacked into Colonial. DarkSide is essentially offering cybercrime-as-a-service, investigators stated in the Reuters report.
An FBI affidavit filed on June 7 said that the bureau had tracked the bitcoin through multiple wallets, using the public blockchain and tools. Small amounts were shaved off the initial 75 bitcoin payment along the way, according to the Reuters report.
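The tracing described above, following a payment from a known ransom address through intermediate wallets to where it comes to rest, and screening a deposit address against a published blocklist, as an added example that is not part of the original article and not the FBI’s or Elliptic’s tooling. The ledger, address labels and transaction ids are constructed placeholders; real Bitcoin is UTXO-based and the walk would run over transaction outputs pulled from a node or block explorer, which is flattened here to address-to-address transfers in satoshis.

```python
from collections import defaultdict, deque

SATS = 100_000_000  # satoshis per bitcoin

# Constructed ledger for illustration only (not real chain data). Each entry is a
# transfer (txid, from_address, to_address, amount_in_satoshis). Address labels
# and txids are hypothetical placeholders.
LEDGER = [
    ("tx01", "victim",      "ransom_addr",  75 * SATS),       # the ransom payment
    ("tx02", "ransom_addr", "affiliate1",   6_370_000_000),   # affiliate's share
    ("tx03", "ransom_addr", "operator1",    1_125_000_000),   # operator's share
    ("tx04", "affiliate1",  "affiliate2",   6_369_000_000),   # a little shaved off
    ("tx05", "affiliate2",  "exchange_dep", 6_368_000_000),   # cash-out at an exchange
    ("tx06", "operator1",   "mixer_in",     1_124_000_000),   # sent to a mixer
    ("tx07", "bystander_a", "bystander_b",  2 * SATS),        # unrelated traffic
]


def build_graph(ledger):
    """Adjacency list keyed by sending address: src -> [(txid, dst, amount)]."""
    graph = defaultdict(list)
    for txid, src, dst, amount in ledger:
        graph[src].append((txid, dst, amount))
    return graph


def trace(ledger, start, max_hops=20):
    """Breadth-first walk of every outgoing transfer from `start`.

    Returns (hops, resting): hops lists each traversed transfer with its depth;
    resting maps every address reached to what stayed there (amount received
    along the trace minus what it forwarded). Funds are conserved, so the
    resting amounts add up to everything paid into `start`.
    """
    graph = build_graph(ledger)
    received = defaultdict(int)
    forwarded = defaultdict(int)
    received[start] = sum(a for _, _, dst, a in ledger if dst == start)
    hops, seen, queue = [], {start}, deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for txid, dst, amount in graph.get(addr, []):
            hops.append({"txid": txid, "from": addr, "to": dst,
                         "amount": amount, "hop": depth + 1})
            forwarded[addr] += amount
            received[dst] += amount
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, depth + 1))
    resting = {a: received[a] - forwarded[a] for a in seen}
    return hops, resting


def summarize(ledger, start):
    """Where the money ended up: terminal addresses versus residue left en route."""
    hops, resting = trace(ledger, start)
    senders = {src for _, src, _, _ in ledger}
    return {
        "paid_in": sum(resting.values()),
        "max_hop": max((h["hop"] for h in hops), default=0),
        "addresses_touched": len(resting),
        # addresses that never sent anything onward are where seizure or a freeze can bite
        "endpoints": {a: v for a, v in resting.items() if a not in senders},
        # the small amounts shaved off at each hop, still sitting on intermediate addresses
        "residue_en_route": sum(v for a, v in resting.items() if a in senders),
    }


def tainted_by(ledger, address, blocklist, max_hops=20):
    """Reverse walk: which blocklisted addresses can reach `address`?

    An exchange screening a deposit against a published list of ransomware
    addresses would run this check before crediting the account.
    """
    rev = defaultdict(list)
    for _, src, dst, _ in ledger:
        rev[dst].append(src)
    hits, seen, queue = set(), {address}, deque([(address, 0)])
    while queue:
        addr, depth = queue.popleft()
        if addr in blocklist:
            hits.add(addr)
        if depth >= max_hops:
            continue
        for src in rev.get(addr, []):
            if src not in seen:
                seen.add(src)
                queue.append((src, depth + 1))
    return hits


if __name__ == "__main__":
    report = summarize(LEDGER, "ransom_addr")
    print(f"paid in: {report['paid_in'] / SATS} BTC, traced over {report['max_hop']} hops")
    for addr, amount in report["endpoints"].items():
        flag = "TAINTED" if tainted_by(LEDGER, addr, {"ransom_addr"}) else "clean"
        print(f"  {addr:13s} {amount / SATS:.4f} BTC  {flag}")
    print(f"residue left on intermediate addresses: {report['residue_en_route'] / SATS} BTC")
```

On this constructed ledger the 75 BTC paid in resolves to 63.68 BTC at an exchange deposit address and 11.24 BTC at a mixer input, with 0.08 BTC of residue spread across the hops. The exchange deposit is the recoverable part: a custodian can be served with a warrant, whereas a mixer breaks the address-to-address link this walk relies on, which is exactly why Dwyer calls those services essential to the business model.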
Cybersecurity Best Practices Still a Good Idea
Meanwhile, best practices for cybersecurity include these five pillars (the five functions of the NIST Cybersecurity Framework), according to an account on Google Cloud:
Identify. Know the cybersecurity risks you need to protect against.
Protect. Create safeguards to ensure delivery of critical services and business processes to limit or contain the impact of a potential cybersecurity incident or attack.
Detect. Define continuous ways to monitor your organization and identify potential cybersecurity events or incidents.
Respond. Activate an incident response program within your organization that can help contain the impact of a security event, including a ransomware attack.
Recover. Build a cyber resilience program and back-up strategy to prepare for how you can restore core systems or assets affected by a security incident, including a ransomware attack.
Role of AI in Cybersecurity, Ransomware Defense
AI can be incorporated into the cybersecurity profile as well. Identifying continuously evolving threats is easier with AI, suggests a recent account in Geekflare. Ideally, the AI system is trained to detect ransomware and malware attacks before they enter the system, using predictive analytics to help. Once discovered, a threat can be isolated from the system.
Benefits of using machine learning in cybersecurity include the ability to:
- Monitor and analyze multiple endpoints for cyber threats;
- Detect malicious activity before it manifests into a full-fledged attack;
- Automate routine security tasks;
- Do better with zero-day vulnerabilities.
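The first two benefits above, monitoring endpoints and catching malicious activity before it becomes a full-blown attack, in their simplest learned form: a per-host baseline of file modifications per minute and of the file extensions normally written, then a z-score plus unknown-extension ratio to flag the mass-rewrite burst a file-encrypting ransomware produces. This is an added example, not code from the article or from any vendor named in it; the telemetry, hostnames and paths are constructed, and the thresholds are assumptions to be tuned against real data.

```python
import math
from collections import Counter, defaultdict


def constructed_events():
    """Constructed endpoint telemetry (not real data): (minute, host, action, path).

    Ten quiet minutes of 3-5 document edits per host, then at minute 10 host
    ws-07 rewrites 120 documents with a new extension in a single minute.
    Hosts and paths are hypothetical.
    """
    events = []
    for minute in range(10):
        for host in ("ws-07", "ws-12"):
            for i in range(3 + minute % 3):
                events.append((minute, host, "modify", f"C:/Users/u/docs/report_{i}.docx"))
    for i in range(120):
        events.append((10, "ws-07", "modify", f"C:/Users/u/docs/file_{i}.docx.locked"))
    for i in range(4):
        events.append((10, "ws-12", "modify", f"C:/Users/u/docs/report_{i}.docx"))
    return events


def extension(path):
    """Lower-cased final extension of a path, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def learn_baseline(events, train_minutes):
    """Per-host mean/std of modifications per minute and the set of extensions
    seen, learned from the training window only."""
    counts = defaultdict(lambda: defaultdict(int))
    exts = defaultdict(set)
    for minute, host, action, path in events:
        if action == "modify" and minute < train_minutes:
            counts[host][minute] += 1
            exts[host].add(extension(path))
    model = {}
    for host, per_min in counts.items():
        vals = [per_min.get(m, 0) for m in range(train_minutes)]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        model[host] = {"mean": mean, "std": std, "known_exts": exts[host]}
    return model


def score_minute(events, model, minute, z_threshold=4.0, ext_threshold=0.5):
    """Score one minute of activity per host against the learned baseline.

    Alert only when both signals fire: a burst alone looks like a backup job,
    a few unknown extensions alone look like a new tool being installed.
    """
    total, unknown = Counter(), Counter()
    for m, host, action, path in events:
        if m == minute and action == "modify":
            total[host] += 1
            if host in model and extension(path) not in model[host]["known_exts"]:
                unknown[host] += 1
    verdicts = {}
    for host, base in model.items():
        count = total[host]
        z = (count - base["mean"]) / (base["std"] or 1.0)   # guard a flat baseline
        ratio = unknown[host] / count if count else 0.0
        verdicts[host] = {
            "count": count,
            "z": round(z, 1),
            "unknown_ext_ratio": round(ratio, 2),
            "alert": z >= z_threshold and ratio >= ext_threshold,
        }
    return verdicts


def detect(events, train_minutes=10, minute=10):
    return score_minute(events, learn_baseline(events, train_minutes), minute)


if __name__ == "__main__":
    for host, v in detect(constructed_events()).items():
        status = "ALERT: ransomware-like burst" if v["alert"] else "normal"
        print(f"{host}: {v['count']} writes, z={v['z']}, "
              f"unknown-ext={v['unknown_ext_ratio']}  {status}")
```

A one-minute window is generous: by the time 120 files are rewritten the damage is done, so production detectors score over seconds, watch canary files and trigger host isolation automatically, which is the “isolate from the system” step the text describes. The two-signal rule also matters for the analyst overload mentioned below; a z-score alone would page on every nightly backup.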
A 2019 survey by Capgemini Research Institute found that 69% of organizations acknowledge that they will not be able to respond to critical threats without AI. Some 56% of executives reported their cybersecurity analysts are overwhelmed by the vast array of data points they need to monitor to detect and prevent intrusion.
AI cybersecurity applications are currently in use, including:
- Spam filter applications
- Network intrusion detection and prevention
- Fraud detection
- Botnet detection
- Secure user authentication, and
- Hacking incident forecasting