The Atlanta Journal-Constitution

Ransomware attacks soar

Such incidents have disrupted factories and basic infrastructure and forced businesses to shut down.

- By Nathaniel Popper

SAN FRANCISCO — New Orleans’ city government crippled. A maritime cargo facility temporarily closed. Hospitals forced to turn away patients. Small businesses shuttered. The cause in each of these incidents: ransomware attacks. In recent years, hackers have taken to locking down entire computer networks and demanding payments to let users back into their systems. The frequency of ransomware attacks — among the scariest and most costly online assaults — has been hard to pinpoint because many victims quietly pay off their attackers without notifying the authorities.

Now, an array of new data provides perhaps the best available picture of the problem. In 2019, 205,280 organizations submitted files that had been hacked in a ransomware attack — a 41% increase from the year before, according to information provided to The New York Times by Emsisoft, a security firm that helps companies hit by ransomware.

The average payment to release files spiked to $84,116 in the last quarter of 2019, more than double what it was the previous quarter, according to data from Coveware, another security firm. In the last month of 2019, that jumped to $190,946, with several organizations facing ransom demands in the millions of dollars.

Security experts say that even these numbers underestimate the true cost of ransomware attacks, which have disrupted factories and basic infrastructure and forced businesses to shut down.

“Anything of value that is smart and connected can be compromised and held for ransom,” said Steve Grobman, the chief technology officer at McAfee. “If critical infrastructure systems are held for ransom, what is our policy going to be for dealing with those?”

The data from the security companies and the number of recent ransomware incidents show a dramatic escalation for a type of attack that, just a few years ago, was mostly directed at individuals, who had to pay only a few hundred dollars to get their files back.

The Coast Guard said in December that ransomware had forced a cargo transfer facility to shut for more than 30 hours after attackers took control of “the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.” The Coast Guard did not reveal the location of the facility.

The city of New Orleans, one of dozens of cities hit by ransomware over the last year, was attacked with similar ransomware late last year and is still conducting many operations on paper, with police officers recording incidents manually.

Cities appeared to be high on the target list because they are among the only victims that have to report the attacks. In reality, public sector organizations represented only around 10% of all victims last year, Coveware said.

Barclays and several other banks are still unable to make foreign currency conversions for customers more than a month after Travelex, the company that provides them with cash, was targeted by ransomware known as Sodinokibi, or REvil. The BBC reported that the hackers demanded $6 million.

Ransomware attacks have also caused a number of small and medium businesses to shut altogether, like Colorado Timberline, a printing company with a few hundred employees near Denver, and Brookside ENT and Hearing Services in Battle Creek, Michigan, a 10-person medical office.

“I was suddenly retired, and I didn’t want to be,” said Dr. William Scalf, one of two doctors at Brookside, which closed in April after failing to recover its medical files from hackers who demanded $6,500.

American authorities have not released statistics on the broad changes in ransomware attacks, but the FBI noted in its latest warning that the attacks were becoming “more targeted, sophisticated, and costly.”

The agency said an online portal for reporting incidents received 1,493 reports in 2018. But officials think that number was likely “artificially low” because it did not include reports from field offices or agents or any number of other sources.

“What we find most concerning is that it causes not just direct costs, but also indirect costs of lost operations,” said Herbert Stapleton, cyber section chief at the FBI. “We certainly view it as one of the most serious cybercriminal problems we face right now.”

Europol, the European Union’s law enforcement agency, has gone further, calling ransomware the “most widespread and financially damaging form of cyberattack.”

“We have had success stories, but to be honest, it is becoming more and more complicated,” said Fernando Ruiz, acting head of Europol’s European Cybercrime Center. “This is a garden for them, and we need to change that.”

Government authorities and security experts say the problem will get worse before it gets any better. In the last month, two security firms have identified a new form of ransomware, known as Snake or Ekans, that appears to be focused on freezing the software responsible for industrial processes at big oil and petroleum companies.

The assailants carrying out ransomware attacks have proved hard to identify because the technology they use, like Bitcoin and anonymous messaging platforms, allows them to communicate and transact with victims without being easily tracked. Many of the criminals operate from countries outside the reach of American law. The Justice Department has indicted hackers in Iran, North Korea and Russia, but none appear to face any threat of extradition. American authorities have suggested that several of these attackers have operated with the protection of their governments and have helped their governments by passing along hacked files.

Security experts said ransomware has evolved into an industry, with hundreds of gangs vying for the most lucrative victims. Some hackers have specialized in “ransomware as a service,” writing the victim-facing software and selling it to others through the so-called dark web. They have even built out customer-service centers to deal with victims and their payments.

In recent attacks, the hackers often spent months quietly scouting out the innards of the computer networks of potential victims to ensure they had every important file tied up.

They are often eager to prove to victims that they will return the files when they are paid, to ensure a prompt transaction. When victims don’t pay, some gangs have begun publicly releasing private files to ratchet up the pressure — as was the case with Southwire, one of the world’s largest electrical wire and cable manufacturers, which operates out of Carrollton. Southwire filed a lawsuit against its attackers, unknown hackers, asking for the site where the company’s files had been published to be taken down. But the hackers soon moved their operations to a new site and released even more files.

Some businesses and city governments are taking out insurance to be ready for ransomware demands. Bryan Sartin, head of global security services at Verizon, said he encourages clients to create a slush fund with Bitcoin.

“Almost everyone says we will never pay the ransomware, but when push comes to shove, probably two out of three will,” Sartin said.

Law enforcement officials have warned against giving attackers more confidence that they will get paid. But the attacks have become widespread enough — and the ransom payments frequent enough — that cybersecurity insurance rates are rising.

Ransom costs aside, the worst outcomes can come when dealing with gangs that wipe the files they locked down.

The medical practice that Dr. Shayla Kasel built over 20 years in Simi Valley, California, was hit last August by ransomware. After her malpractice insurance connected her with a ransom negotiator and a forensic expert, she was told that even if she paid $50,000 for each of the digital keys that could unlock her different servers, there was only a 15% chance she would get her files back.

Kasel said she limped along for a few weeks, seeing the patients who happened to come through her door and recording everything on paper. But she ultimately decided it wasn’t worth trying to rebuild her files and business from scratch and risk facing lawsuits and fines. She shuttered her practice in December after incurring around $55,000 in expenses.

“The hardest part after 20 years was to suddenly tell patients, ‘Yep, I’m quitting,’” Kasel said. “It was an agonizing decision.”

EVE EDELHEIT / NEW YORK TIMES Audrey Sikes, city clerk for Lake City, Florida, sits last July in the vault where municipal records are kept. Officials in Lake City paid $460,000 — or 42 bitcoins — after the city’s computer systems were paralyzed for several days in a ransomware attack.
SUDHIN THANAWALA / ASSOCIATED PRESS 2019 Jackson County Sheriff Janis Mangum, seen at the jail in Jefferson, northeast of Atlanta, was a victim of a ransomware attack last March that hit the office’s computers.
