The News Herald (Willoughby, OH)

Stop paying the cyberthieves

Running a business or a government agency is difficult enough during the pandemic. Imagine being broadsided by a ransomware attack.

— Chicago Tribune

All at once, computer screens freeze. A cybergang pops up to explain the methodology for paying the ransom in cryptocurrency, and what happens if the requisite bitcoins never show up.

Encryption will entomb gigabytes of data. Social Security numbers, driver’s license numbers, medical information and other personal data will get spilled out online for identity thieves and other criminals to devour. Businesses could go bankrupt, government operations could halt.

Some companies and government bodies have succumbed to cyber thieves’ demands. Illinois Attorney General Kwame Raoul opted not to pay. His office was hit on April 10 with a ransomware attack that, according to the hackers, amounted to a theft of about 200 gigabytes of data. The gang, which called itself DoppelPaymer, threatened to release the data, some of which contained personal identity information.

“Yes, it angers me. Yes, it frustrates me, and most certainly, it’s embarrassing to have it happen to your agency,” Raoul told the Chicago Tribune and the Better Government Association. He wouldn’t divulge the ransom sought, but he said that “whatever the amount was, it’s our philosophy as a state head law enforcement agency that paying criminals is not something we do and not something we contemplate doing.”

That’s heartening to hear. Paying ransom to cyber thieves is tantamount to throwing chum in the water. As more hacked entities capitulate, a growing number of hackers and criminal outfits will be dazzled by the ease of the crime and will want in on the action. As its own enterprise, ransomware has evolved to the point that cybercriminals who developed the ransomware are now renting or selling it to less tech-savvy bad guys who unleash the attacks and collect the money.

Defeating the scourge of ransomware will require more than just saying no to payouts. Governments at every level, along with the corporate world, must waste no time beefing up their lines of defense. Three months before the ransomware attack on Raoul’s team, Illinois Auditor General Frank Mautino released a report that put the attorney general’s office on a list of state agencies and universities hampered by cybersecurity weaknesses. Raoul’s office said it had created a new job in the office, security analyst, and stressed that they were maintaining “a highly secure computer environment.”

Then the April 10 hack happened.

The attack crippled much of the office’s functionality, forcing it to do much of its work through telephone and mail. Raoul’s team has spent $2.5 million to rebuild its computer systems, get the office back online and reach out to people whose personal data may be at risk because of the breach. Lawmakers added an extra $8 million to Raoul’s budget to help the office bounce back from the attack, and to fortify cybersecurity.

Raoul can take solace in knowing he’s not alone. Other victims in Illinois include the Rockford Public School District, LaSalle County government, and Southern Illinois University in Edwardsville, which paid a $472,000 ransom after the hack shut down the campus computer system.

Recent high-profile hacks, including attacks on a major East Coast fuel pipeline and Brazilian meat processor JBS SA — which supplies over a fifth of the beef in the U.S. — have reinforced the need for the Biden administration to treat ransomware as an urgent priority. The Justice Department is sharpening its focus on ransomware prosecutions. President Joe Biden brought up America’s deep concerns about ransomware during his summit with Russian President Vladimir Putin in June. Much of the ransomware activity directed at governments and companies in the U.S. is engineered by Russia-based hackers, who operate in Russia with impunity.

The Biden administration’s heightened sense of urgency about ransomware is welcome, but there are limits to what the federal government can do. Companies and government bodies — both large and small — must take a hard look at their cybersecurity strategies and beef up what needs to be beefed up. That can include ramping up encryption of data, and mandating two-factor authentication for all computer system users, and more.

Finally, businesses and governments must do everything possible to avoid paying out ransoms to cyber gangs. In 2020, hackers raked in $350 million from ransomware victims — a 300% increase from the previous year. As the ransom pot grows, so will the universe of cybercriminals who view the venture through a maximum gain, minimum risk prism. Eventually they’ll seek more than illicit profit — they’ll strive for bigger, bolder attacks on critical infrastructure. Too much is at stake to see cybersecurity, at all levels of the public and private sectors of this nation, as anything less than a glaring vulnerability.
