Milwaukee Journal Sentinel

Ransomware persists even as high-profile attacks slow

College among institutions affected by recent cyberattacks

- Eric Tucker and Alan Suderman

WASHINGTON – In the months since President Joe Biden warned Russia’s Vladimir Putin that he needed to crack down on ransomware gangs in his country, there hasn’t been a massive attack like the one last May that resulted in gasoline shortages. But that’s small comfort to Ken Trzaska.

Trzaska is president of Lewis & Clark Community College, a small Illinois school that canceled classes for days after a ransomware attack last month that knocked critical computer systems offline.

“That first day,” Trzaska said, “I think all of us were probably up 20-plus hours, just moving through the process, trying to get our arms around what happened.”

Even if the United States isn’t currently enduring large-scale, front-page ransomware attacks on par with ones earlier this year that targeted the global meat supply or kept millions of Americans from filling their gas tanks, the problem hasn’t disappeared. In fact, the attack on Trzaska’s college was part of a barrage of lower-profile episodes that have upended the businesses, governments, schools and hospitals that were hit.

The college’s ordeal reflects the challenges the Biden administration faces in stamping out the threat – and its uneven progress in doing so since ransomware became an urgent national security problem last spring.

U.S. officials have recaptured some ransom payments, cracked down on abuses of cryptocurr­ency, and made some arrests. Spy agencies have launched attacks against ransomware groups and the U.S. has pushed federal, state and local government­s, as well as private industries, to boost protection­s.

Yet six months after Biden’s admonitions to Putin, it’s hard to tell whether hackers have eased up because of U.S. pressure. Smaller-scale attacks continue, with ransomware criminals continuing to operate from Russia with seeming impunity. Administration officials have given conflicting assessments about whether Russia’s behavior has changed since last summer. Further complicating matters, ransomware is no longer at the top of the U.S.-Russia agenda, with Washington focused on dissuading Putin from invading Ukraine.

The White House said it was determined to “fight all ransomware” through its various tools but that the government’s response depends on the severity of the attack.

“There are some that are law enforcement matters and others that are high impact, disruptive ransomware activity posing a direct national security threat that require other measures,” the White House statement said.

Ransomware attacks – in which hackers lock up victims’ data and demand exorbitant sums to return it – surfaced as a national security emergency for the administration after a May attack on Colonial Pipeline, which supplies nearly half the fuel consumed on the East Coast.

The attack prompted the company to halt operations, causing gas shortages for days, though it resumed service after paying more than $4 million in ransom. Soon after came an attack on meat processor JBS, which paid an $11 million ransom.

The Biden administration in September sanctioned a Russia-based virtual currency exchange that officials say helped ransomware gangs launder funds. Last month, the Justice Department unsealed charges against a suspected Ukrainian ransomware operator who was arrested in Poland, and has recovered millions of dollars in ransom payments. Gen. Paul Nakasone, the head of U.S. Cyber Command, told The New York Times his agency has begun offensive operations against ransomware groups. The White House says that “whole-of-government” effort will continue.

“I think the ransomware folks, the ones conducting them, are stepping back like, ‘Hey, if we do that, that’s going to get the United States government coming after us offensively,’ ” Kevin Powers, security strategy adviser for cyber risk firm CyberSaint, said of attacks against critical infrastructure.

U.S. officials, meanwhile, have shared a small number of names of suspected ransomware operators with Russian officials, who have said they have started investigat­ing, according to two people familiar with the matter who were not authorized to speak publicly.

It’s unclear what Russia will do with those names, though Kremlin spokesman Dmitry Peskov insisted the countries have been having a useful dialogue and said “a working mechanism has been established and is actually functioning.”

It’s also hard to measure the impact of individual arrests on the overall threat. Even as the suspected ransomware hacker awaits extradition to the U.S. following his arrest in Poland, another who was indicted by federal prosecutors was later reported by a British tabloid to be living comfortably in Russia and driving luxury cars.

Some are skeptical about attributing any drop-off in high-profile attacks to U.S. efforts.

“It could have just been a fluke,” said Dmitri Alperovitch, former chief technology officer of the cybersecurity firm CrowdStrike. He said asking Russia to crack down on large-scale attacks won’t work because “it’s way too granular of a request to calibrate criminal activity they don’t even fully control.”

Top American officials have given conflicting answers about ransomware trends since Biden’s discussion­s with Putin. Some FBI and Justice Department officials say they’ve seen no change in Russian behavior. National Cyber Director Chris Inglis said there’s been a discernibl­e decrease in attacks but that it was too soon to say why.

It’s hard to quantify the number of attacks given the lack of baseline information and uneven reporting from victims, though the absence of disruptive incidents is an important marker for a White House trying to focus its attention on the most significant national security risks and catastrophic breaches.

Victims of ransomware attacks in the past few months have included hospitals, small businesses, colleges like Howard University – which briefly took many of its systems offline after discovering a September attack – and Virginia’s legislature.

The attack at Lewis & Clark, in Godfrey, Illinois, was discovered two days before Thanksgiving when the school’s IT director detected suspicious activity and proactively took systems offline, said Trzaska, the president.

A ransom note from hackers demanded a payment, though Trzaska declined to reveal the sum or identify the culprits.
