The FBI’s seizure of $2.3 million worth of bitcoin that Colonial Pipeline paid a ransomware gang to unlock its data was just the latest in a series of actions the US government has taken in recent months to combat ransomware and other cybercrime.
But cybersecurity experts say that while individual enterprises should be more diligent about “cyber hygiene,” the government needs to do a lot more about the growing problem than it has done to date.
"Until the Biden administration drafts US Big Tech to join forces and aggressively turn the table on cybercriminals, it is very much every company for itself," William Moran, an attorney at Otterbourg, who leads the New York City-based law firm’s crisis management and investigations group, told DCK.
Because ransomware attacks are usually conducted by financially motivated criminal gangs, they aren’t as sophisticated as attacks by nation states, and basic security best practices at individual enterprises can go a long way toward reducing risk. But asking everyone to step up alone is insufficient, said Peter Klimek, director of technology at the cybersecurity firm Imperva.
"It's the equivalent of trying to get everyone in the US to wear masks," he told us. "It's nice to say it, but it's not going to happen."
Attackers are increasingly going after non-technology companies, including critical infrastructure like oil pipelines, which typically aren’t the most technologically advanced enterprises. Government-mandated cybersecurity requirements can help raise the cybersecurity baseline in such industries.
What the Government Has Done So Far
Colonial paid a ransom of 75 bitcoin in May to DarkSide attackers, an amount then valued at $4.4 million. The FBI recovered 63.7 bitcoin, which by then was worth only 53 percent of the ransom's original US dollar value because the cryptocurrency’s price had fallen in the meantime.
According to security research firm Elliptic, DarkSide, a Russian ransomware-as-a-service criminal gang, has collected more than $90 million worth of bitcoin ransomware payments since last October, with an average payment of $1.9 million per victim.
"Today, we turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks," said Lisa Monaco, deputy attorney general of the Justice Department, at a press conference Monday.
The Justice Department now considers ransomware investigations as high a priority as terrorism investigations.
The DarkSide action is the first takedown by the Ransomware and Digital Extortion Task Force, formed in April, which includes officials from the Justice Department's National Security Division, Criminal Division, Civil Division, Executive Office of US Attorneys, and FBI.
There were more than 90 victims in critical US infrastructure sectors, FBI Deputy Director Paul Abbate said at the press conference, including manufacturing, legal, insurance, health care, and energy.
The DarkSide takedown is just the tip of the iceberg.
"This is just the latest disruption that the FBI and DOJ have taken to impose risk and consequences on cyber adversaries," Abbate said, listing other accomplishments in the fight against cybercrime since last year:
- Dismantling of the Emotet criminal botnet infrastructure
- Exposing a cyber tool developed by the Russian GRU
- Removing malicious backdoors on the networks of Microsoft Exchange Server customers
- Seizure of two command-and-control domains used by perpetrators of a wide-reaching spear phishing campaign
White House, TSA, Other Groups Call for More Action
A month ago, President Joe Biden signed an executive order to improve the nation's cybersecurity.
It calls for measures such as establishing baseline cybersecurity standards for vendors that provide software to the federal government, creating a public-private process, and introducing an Energy Star-style label for software security.
"Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit," Biden said in the executive order. "This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up."
In late May, the Department of Homeland Security’s Transportation Security Administration issued a cybersecurity directive requiring critical pipeline owners and operators to report confirmed and potential cybersecurity incidents, review cybersecurity practices, identify gaps, and report remediation measures within the following 30 days.
Authorities have also stepped up international cooperation. In January, for example, the Department of Justice worked with agencies of other countries, including Bulgaria, to disrupt the NetWalker ransomware that had been targeting the health care sector. At that time, authorities seized nearly $500,000 in cryptocurrency.
Business leaders want to see even more government action. The US Chamber of Commerce has called for establishment of an international coalition to combat ransomware and disrupt ransomware payment infrastructure.
The government seems to be paying attention.
Last week, the National Security Council's top cyber official and deputy assistant to the president, Anne Neuberger, sent out a rare open letter to companies, promising that the federal government is working with partners around the world to fight ransomware.
That includes developing cohesive policies towards ransom payments, she said, disrupting networks, and "enabling rapid tracing and interdiction of virtual currency proceeds."
The Colonial bitcoin ransom seizure by the DoJ is “obviously what the Biden administration meant by ‘rapid tracing and interdiction of virtual currency proceeds,’” Otterbourg’s Moran said.
Enterprises Need to Do Their Part
Neuberger also called on companies to step up their own security efforts.
She recommended five best practices in her letter, including creating backups, patching promptly, practicing emergency responses, using third-party security testers, and segmenting networks to prevent attacks from spreading and doing more damage.
She also urged companies to implement multi-factor authentication, endpoint detection and response technologies, and encryption.
Cyber Insurance Is Making Matters Worse
One of the problems working against progress in the fight against ransomware is the proliferation of cyber insurance.
"There's been a general consensus in the cybersecurity industry that insurance has actually exacerbated the problem," Imperva’s Klimek said.
Companies with cyber insurance coverage are more likely to pay ransoms, which puts more money in criminals’ pockets, encouraging them to carry out more attacks and funding better ransomware tooling and infrastructure.
According to Klimek, there have been initial signs of positive change. For example, in early May, global insurer AXA said it would stop reimbursing French companies for ransomware payments.
"That's a positive first step," said Klimek.
Paying the Ransom Rarely Solves the Problem
According to a ransomware survey report released by security firm Sophos in April, 37 percent of organizations surveyed were hit by ransomware attacks – down from 51 percent in last year's report. But the percentage of organizations that paid ransoms went up, from 26 percent of those attacked in 2020 to 32 percent.
Paying a ransom hardly guarantees that you’ll get your data back. According to the survey, only 8 percent of organizations were able to get all their data back after paying a ransom, and 29 percent got back less than half of their data.
The average ransom size was $170,404, with some organizations paying millions. But the total cost of remediation was much higher – ten times higher – coming in at $1.85 million on average, up from $761,106 last year.
Plus, even after companies pay ransoms, get decryption keys, and manage to restore their systems, they aren’t in the clear, said Klimek.
First, ransomware gangs now routinely exfiltrate data before encrypting it, for extra leverage. Paying a ransom doesn't mean that they won't release the data to the public.
"There's nothing you can do to prevent the threat of them potentially releasing the data," he said. "Once it's out, it's out."
And there's also nothing keeping criminals from coming back and running another ransomware attack. Now they know that the organization is vulnerable and willing to pay up.
The best response to a ransomware attack is to have systems in place that limit the attack’s damage radius, good backups, a response plan, and the ability to restore affected systems from those backups.
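A backup is only "good" if a restore from it can be trusted, which is worth checking before an incident rather than during one. The following Python is an added illustration (it is not from the article, Imperva, or NIST) of one way to do that: record a SHA-256 manifest of each file at backup time, then verify a restored copy against that manifest so that a file that was already encrypted or tampered with when the backup ran is flagged instead of silently restored. The file names, contents, and the XOR-based tampering stand-in are constructed sample data, not real files.

```python
"""Verified-backup check: hash manifest at backup time, integrity report at restore time.
Added illustration, not code from the article or any vendor it names.
All file data below is constructed in memory; nothing on disk is read or written."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class BackupSet:
    """A backup: file name -> content bytes, plus the SHA-256 manifest taken at backup time.
    In practice the manifest is kept offline or on immutable storage, separate from the data."""
    files: dict[str, bytes]
    manifest: dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.manifest = {name: hashlib.sha256(data).hexdigest()
                         for name, data in self.files.items()}


def verify_restore(manifest: dict[str, str], restored: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare a restored file set against the manifest recorded at backup time.

    missing    - in the manifest but absent from the restore
    corrupt    - present but its hash differs (e.g. the copy was encrypted or altered)
    unexpected - restored but never recorded in the manifest
    """
    missing = [name for name in manifest if name not in restored]
    corrupt = [name for name, data in restored.items()
               if name in manifest and hashlib.sha256(data).hexdigest() != manifest[name]]
    unexpected = [name for name in restored if name not in manifest]
    return {"missing": sorted(missing), "corrupt": sorted(corrupt), "unexpected": sorted(unexpected)}


def restore_is_trustworthy(report: dict[str, list[str]]) -> bool:
    """A restore is usable only if nothing is missing and nothing failed its hash check."""
    return not report["missing"] and not report["corrupt"]


# Constructed sample backup (hypothetical file names and contents).
GOOD_BACKUP = BackupSet({
    "ledger.csv": b"id,amount\n1,100\n2,250\n",
    "config.yaml": b"mode: prod\nretention_days: 30\n",
})


def simulate_tampering(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a file that was altered before backup ran (byte-wise XOR, demo only)."""
    return bytes(b ^ key for b in data)


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Run the check on a clean restore and on a damaged one; return both reports."""
    clean_report = verify_restore(GOOD_BACKUP.manifest, dict(GOOD_BACKUP.files))

    damaged = dict(GOOD_BACKUP.files)
    damaged["ledger.csv"] = simulate_tampering(damaged["ledger.csv"])  # altered content
    del damaged["config.yaml"]                                         # file never restored
    damaged["notes.txt"] = b"not in the manifest\n"                     # stray extra file
    damaged_report = verify_restore(GOOD_BACKUP.manifest, damaged)
    return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore trustworthy:", restore_is_trustworthy(clean))
    print("damaged restore report:", damaged)
    print("damaged restore trustworthy:", restore_is_trustworthy(damaged))
```

The design point is that the manifest must be protected at least as well as the backup itself: if an attacker who encrypts the live data can also rewrite the manifest, the check proves nothing. Running the verification as part of a scheduled restore drill turns the "practicing emergency responses" item above into a measurable test rather than a paper exercise.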
Klimek recommends that organizations look to NIST SP 800-53 Rev. 5 for a set of best practices on security and privacy controls.
Putting those controls in place will also help organizations stay ahead of cybersecurity mandates that may come down the line.
"It's an exceptionally well-written and well-researched standard," he said.