Ransomware: fighting a crime without borders

Ransomware is tough to police, thanks to its global nature and use of cryptocurrency. Some experts are calling for stronger rules on cybersecurity

Two or three times a week, cybersecurity expert Jason Hart takes calls from businesses hit by ransomware attacks. 

The lucrative crime sees hackers break into a firm’s computer system, encrypting the data, which they will only release for a fee. It’s hard to police, with ransoms paid in anonymous and unregulated cryptocurrency. Public services are frequently targeted: one of Hart’s recent requests for help came from a school. 

The crooks can be anywhere in the world, operating across borders, says Hart, a former ethical hacker who’s the co-founder and CEO of cybersecurity firm Fresh Security. 

“They can be in El Salvador, hacked into a company in America, using a proxy back into Peru then across to Spain via Korea. They could be anywhere.”

State backing

Ransomware made global headlines in May 2021, when the hacker group DarkSide forced the shutdown of Colonial Pipeline’s network, which supplies fuel to much of the east coast of the US. However, many ransomware attacks target low-profile small and medium-sized businesses and often go unreported.

The crime is seizing attention at the highest levels. “Ransomware is quickly becoming a national emergency,” according to Brandon Wales, acting head of the US Cybersecurity and Infrastructure Security Agency (CISA), who was speaking before a Senate hearing in late 2020. An EU report from the same year found that ransomware attacks grew 365% in 2019, inflicting about £8.7 billion of losses on businesses.

To complicate matters further, cybercriminals in countries like North Korea, Iran and Russia sometimes operate with their government’s blessing and even encouragement, implementing attacks which can cause huge problems for other nations. The WannaCry 2.0 ransomware attack in 2017 – which has been blamed on North Korea – seriously disrupted the UK National Health Service and Germany’s state railway. Tellingly, DarkSide’s code automatically avoids encrypting a computer system which uses Russian as its language.

“There are non-democratic states which invest a lot of money into these types of cyberattacks,” says Dr Lena Yuryna Connolly, assistant professor in cybersecurity at Zayed University. “They are very sophisticated, and you can imagine the resources they have to hand. But if there is no evidence and no admission, how can another government respond?”

There have been some governmental responses, though not many. In February 2021, French and Ukrainian prosecutors arrested a gang who rented out powerful ransomware for other cybercriminals, and in April the US government sanctioned several Russian entities, citing “disruptive ransomware attacks and phishing campaigns” on Ukraine, Georgia, the US and France.

Curbing cryptocurrency

China recently blocked several crypto-related accounts on Weibo as part of a broader crackdown on cryptocurrency and its links to criminality. So is banning cryptocurrency the answer to ransomware? Connolly doesn’t think so. 

“Before cryptocurrency, criminals had other means to commit crime,” she says. “Cryptocurrency is a wonderful technology, it can open up so many opportunities for businesses and individuals. It feels narrow-minded to ban it. The internet is also a facilitator, but we don’t talk about banning that.”

However, cryptocurrencies could be regulated, she says, as is beginning to occur in Switzerland. 

For Connolly, ransomware is prevalent because it’s relatively low risk for criminals and extremely profitable. Research by the cybersecurity firm Kaspersky found that over half of ransomware victims paid the ransom, but only just over a quarter got their full data back.

“Victims are paying,” says Connolly. “Law enforcement agencies advise them not to, but situations are difficult sometimes. Ransomware doesn’t just encrypt, it steals data, so you have the fear of incrimination, embarrassment, loss of intellectual property. We’re human beings with emotions and that affects how we make decisions.”

Shoring up cybersecurity

One promising government initiative is the new Ransomware Task Force, a US-led coalition between government agencies like the National Cyber Security Centre in the UK and software firms, cybersecurity vendors, academics and nonprofits. It aims to find policy solutions, like incentivising victims not to pay ransoms by covering the costs of their system recovery needs and subsidising real-time backups.

The most important step that governments like the UK could take would be to force companies to protect their data through regulation, Hart says. If a company holds certain sensitive data, there might be mandatory security protocols in place, he says. 

For Hart, who doesn’t advise victims to pay hackers, there’s a lot of noise and attention around ransomware, but he sees it as a symptom of a far bigger problem. “If the basics of cybersecurity were actually dealt with, ransomware wouldn’t be so prolific,” he says. 

He’s worked with some of the world’s largest organisations, as well as smaller companies; only about 1% have conducted a proper risk assessment of their data. 

“The first thing I say is, ‘what are you trying to protect?’ And they don’t know.”

Companies might think they are safe because they have a firewall, a secure VPN and anti-virus software. However, this can result in a “vanilla blanket of security across the whole organisation”, says Hart, when there could be specific data that is at greater risk. He encourages clients to “think like a hacker” and look at all the types of data they have in their organisation, providing extra protection to the data that needs it, including limits to access within the business. 

For example, a school might hold sensitive student data that could be damaging to a child and their family if released to the outside world. A ransom attack could also compromise the integrity of certain academic data, he noted, if it aimed to change a student’s grade. 

“A hacker can change people’s lives without them even realising.”