In April, the Harris network of London schools was held to ransom by hackers. ‘The first thing I did was panic,’ said Sir Dan Moynihan, the chief executive. It wasn’t simply that their computers didn’t work; many of the 50 schools couldn’t function. Some couldn’t open because their internet-controlled doors were jammed shut.
A demand for £3 million arrived. Moynihan pointed out this was a ‘completely insane’ amount for an educational charity to pay — but his pleas through an intermediary were ignored. The hackers insisted that unless Harris paid up, the schools would continue to be locked out of their networks, and sensitive data would be leaked online too.
Harris had fallen victim to ‘ransom-ware’ criminals, today’s version of highway robbers. Schools and charities, businesses, individuals and government — anyone with a computer network is vulnerable. It has become a pressing issue throughout the West.
Ransomware attacks were discussed at the G7 summit in June and a call to action was included in the summit’s communiqué. President Joe Biden recently spoke about the growing crisis to staff at the Office of the Director of National Intelligence. His remark that ‘if we end up in…a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence’ betrays a lack of understanding of how cyber escalation happens. But his administration is clearly very worried about the consequences of ransomware.
Most attacks happen in roughly the same way. First the hacker gets into a network, often through ‘phishing’: sending an email that someone opens. Sometimes the technique is more sophisticated, with a cleverly targeted message appearing to come from a colleague. Malicious software is then implanted, designed to lock the users out of the system, and perhaps to steal data.
The next step is the ransom note, often in Google translation-quality English, demanding payment in cryptocurrency. A victim might be sent data to show what the hackers could publish if they choose. More sophisticated hackers will have researched what they think a company can afford. They might even have hacked into their insurance policy. Then a victim will be ‘invited’ to ‘buy’ a ‘decrypter key’ to unlock their data.
Cyber attacks can cause chaos. Last month, criminals hacked into a remote software maintenance company in Miami called Kaseya which allowed them to blackmail 1,000 organisations worldwide. As a result, several schools in New Zealand shut down and 500 stores in the Swedish grocery chain Coop had to give away fresh food because their tills stopped working.
In May, the pipeline that provides nearly half of the fuel supply to America’s east coast was taken offline by a ransomware attack. (Biden invoked emergency powers to ensure supply.) At one point, nearly two thirds of petrol stations in North Carolina ran out, causing queues of panic buyers. Shortly afterwards, Ireland suffered the first ever targeted attack on an entire healthcare system. Operations were cancelled and cancer treatments postponed. The one bit of the Irish network that escaped was the vaccination database; but as if to prove even Covid immunisation isn’t off limits, this week has seen an apparent ransomware attack on Italy’s booking system for its citizens’ jabs.
Who is behind ransomware attacks? Organised criminals from Russia or thereabouts. Mostly male and relatively young, they only attack the West. And they buy and sell services from each other. Some operate below the radar; others enjoy their notoriety.
And that’s the root of the problem: ransomware pays. There are three reasons. First, the Russian state provides a safe environment. REvil and DarkSide wouldn’t survive in the West, but providing hackers leave Russians alone, and cooperate with the state when asked, they can act with impunity. Russia won’t extradite them, so there’s nothing we can do. Second, the hackers exploit long-standing weaknesses in the cyber security of western organisations — too many don’t back up properly or have poor data protection practices. Third, it’s easy to pay, so people often do. Sometimes insurance covers it, and because the payments are in crypto-currency, they’re very hard to track.
But paying doesn’t solve all the victim’s problems. Ransomware batters computers, so those hit still have to spend time and money fixing their networks. Moreover, very few decrypter keys work perfectly, and about 5 per cent of them don’t work at all.
A fightback is possibly under way. The G7 showed that the problem is being recognised. The UK is improving cyber defences and working with allies on further improvements. Backups in most British organisations are in better shape than they were five years ago, making it harder for criminals to lock people out of networks. And the UK has undertaken work in cleaning up its digital environment: the share of malicious websites hosted here, something used to lure people into downloading malware, has fallen from over 5 per cent in 2016 to around 2 per cent now.
But what really matters is what America does. The Biden administration seems to understand the scale of the problem. A ransomware task force was launched last week, with $10 billion of funding for cyber securityimprovements. Clearly, America is counten-ancing direct disruption, via cyber attack, of the criminal groups’ digital infrastructure. Putin’s regime is concerned enough to have concocted a bizarre plan to try to disconnect Russia from the internet in the event of a cyber crisis.
Biden’s task force will also look at how to restrict the flow of money to the criminals. Good. We need the same financial crackdown on cyber criminals we had on terrorists after 9/11. Nothing should be off the table, including banning ransom payments and tighter regulation of cryptocurrencies. More government support for victims is needed: there is an incongruity between the rhetoric of ransomware as a national security threat and the fact that vulnerable companies are left to make decisions on their own.
There are also signs that Biden’s pressure on Putin could be working. Since the Geneva US-Russia summit in June, the REvil gang have mysteriously gone offline. That could be because they’ve become a problem for Putin, or it could just be that they’ve shut up shop for summer (not unknown for ransomware groups). Only time will tell.
But as we wait for governments to catch up and crack down, this year teaches us one definitive lesson about cyber blackmailers: don’t pay up. Colonial Pipeline gave $4.4 million to their attackers. They then discovered the decrypter key hadn’t worked and faced massive recovery costs. JBS, a global Brazilian meat seller, made the bizarre decision to pay $11million to REvil, even though their systems had not been badly affected.
By contrast, Sir Dan Moynihan and his team held firm and focused on recovering their systems and their data themselves. It was costly: half a million pounds, but well below what the criminals demanded. The Irish government held firm too. Neither suffered serious data leaks. And crucially, they hadn’t, in the words of the former American cyber security chief Chris Krebs, ‘invested in a criminal enterprise’. They deserve credit, because the only thing paying a ransom guarantees is more ransomware.