Loading player In recent months there have been several striking cases of cyber attacks on networks that manage public and private infrastructures and structures in various countries, with significant impacts on large portions of the population. These attacks are called ransomware (from the name of the software used to implement them) and consist of stealing data from the victim with the aim of obtaining a ransom (ransom, in English). This type of attack has been around for a long time, but its number has been growing for years, and has affected national institutions, local governments, hospitals, universities, large private companies, small businesses, but also individuals, who are often less able. able to defend themselves.
Given their effectiveness and the difficulty of the authorities in finding and punishing their perpetrators, both their frequency and their scope are increasing, so much so that protection from these attacks has become a priority for governments around the world. Furthermore, their diffusion has given rise to two rich industries: that of computer blackmail and that of those who assist victims.
The most recent cases
The most discussed case in recent weeks is that of the attack on the Colonial Pipeline, the largest refined fuel pipeline in the United States. The attack, conducted on May 7 by hackers affiliated with a group called DarkSide and likely operating from Eastern Europe, caused fuel shortages in several locations and temporarily raised the price of oil and fuel in the United States, leading the government to adopt a declaration of emergency in 18 states. To get operations back to normal as quickly as possible, the Colonial Pipeline confirmed that it paid the hackers a $ 4.4 million ransom in bitcoin.
A few days later, two more attacks hit the Irish health system: the first, which took place on Thursday 13 May, forced the country's Department of Health to shut down all of its computer systems, including the platform through which patients book hospital visits. ; the second, arrived the following day, canceled many medical appointments scheduled for the following week.
Other cases that have affected large numbers of people in recent months have been the attack on Microsoft Exchange, a software of the same company used by companies and organizations around the world to manage emails and calendars, and the one known as SolarWinds, which has hit more than 17,000 between private companies and US government bodies.
Italian companies and institutions have also recently been hit by similar attacks. For example, the municipality of Brescia, whose site remained inaccessible for several days starting from March 30, or that of Rho, in the province of Milan, where on April 6 an attack interrupted the normal provision of services to citizens.
Also in April, many Italian schools were unable to access their electronic registers for several days due to an attack on the Axios company, which manages these registers for 40 percent of the country's schools.
How attacks work
Most of these cases are attributable to a specific type of cyber attack, conducted through a type of software called ransomware. A ransomware is a program which, once installed on a system, makes it inaccessible to its rightful owner via a cryptographic system. In order to access it again, the victim must pay the hackers a ransom, often requested in cryptocurrencies that guarantee the anonymity of the extortionists.
In the case of Colonial Pipeline, for example, the hackers had blocked access to some essential computers for the management of the pipeline, almost completely blocking the infrastructure.
Ransomware spreads in a number of ways, the most common of which is phishing via email: the attacker sends the intended victim an email from an address that often appears to be that of a trustworthy sender (for example, that of a colleague of work); the text of the email deceives the reader to open a link that installs the ransomware on the victim's system. This is by far the most common means used by hackers to attempt to access networks of companies with 100 employees or more.
When the target is smaller companies, a widely used method of installing ransomware on their systems is RDP compromise, which exploits security holes in the company's RDP. RDP (Remote Desktop Protocol) is a Microsoft protocol widely used in enterprises, which allows employees to access the company system remotely through a network connection.
In small companies with few resources, cyber security is often not the priority: this is why this method is the most used against these types of targets. In large companies, on the other hand, where there is a lot of investment in IT security and there are standard procedures to avoid leaving vulnerable nodes, often the easiest way to access is to try to exploit human error: the employee who carelessly clicks on a link arrived from an email with his boss's name.
How the cyber blackmail industry is structured
The cyber blackmail industry is a rather rich industry, which in 2020 alone generated at least 18 billion dollars in redemptions, according to cybersecurity firm Emsisoft. According to the same source, the average ransom is around $ 154,000 and has grown by more than 80 percent over the past year. This could be a sign of the fact that extortionists increasingly tend to blackmail large institutions and companies, for which the loss or dissemination of data would generate significant damage (including reputational damage), and who can afford to pay higher ransoms for restore normality.
Thanks in part to the pandemic, which accelerated the adoption of remote work by multiplying the vulnerabilities of corporate IT systems, last year the number of ransomware attacks increased by 60 percent, reaching 305 million worldwide (approximately 836K per day on average), estimates by SonicWall, another cybersecurity company.
As the Financial Times reports, the industry is dominated globally by just over twenty organizations. Some of these specialize in the first stage of the supply chain, dealing only with the development of ransomware and delegating the operations of infiltrating the victim's systems and extortion to others. In other words, they act as service providers for other criminals. This type of service is called Raas (Ransomware-as-a-service) and works in a similar way to any other subscription software service: the organizations that develop the software rent it to other criminals, called affiliates, who can thus use the rented ransomware to blackmail anyone who succeeds, giving a portion of their profits in exchange to the organization that developed the software.
In short, as noted by Joshua Motta, CEO of the insurance group specialized in information technology Coalition, heard by the Financial Times, a “division of labor” is taking place in the industry, for which various criminal groups are specializing in different phases of the supply chain. This phenomenon has lowered the barriers to entry (i.e. the necessary skills) to carry out this type of extortion, and is one of the reasons for the increase in the number of attacks.
The Raas is also the business model of DarkSide, the organization whose ransomware was used in the attack on the Colonial Pipeline oil pipeline. According to Emsisoft, DarkSide is organized almost like a company: in addition to renting its ransomware to its affiliates, it offers them real-time chat support and software updates. It also makes offers to attract new affiliates (to which it leaves between 75 and 90 percent of the profits) and even issues press releases.
The various ways used to extort money
Once inside a system and installed the ransomware, every blackmailer then has different ways to obtain money from the operation. First of all, it can demand a ransom from the victim to give them back access to the encrypted data. Then, since the blackmailer often copies the data to servers outside the company before encrypting it, he can threaten to spread it in exchange for more money. This is called double extortion in jargon, and is a practice that has become very common in 2020.
Obviously, even if the victim pays the ransom, he will never be sure that his data will be deleted from the server used by the blackmailer, who can actually earn more money by reselling it to someone else, regardless of whether the victim has paid the ransom. The same thing can be done with the access credentials to a system: the hacker who has acquired the system administrator's credentials can resell them to others once they are used for their own purposes.
This is one of the reasons why many institutions, starting with the FBI, advise not to pay the ransom: it often does not insure anything, while encouraging the increase of the phenomenon. And it seems that more and more victims are following the advice: data from Coveware, a company that helps blackmailed people to negotiate with extortionists, would indicate that in the last quarter of 2020, despite the increase in blackmail, the number of victims has also increased. who refused to pay once a cost-benefit analysis was done. In general, the victims who decide to pay are about 27 percent of the total according to Emsisoft.
In an effort to get the blackmailed companies to pay, some criminal organizations have even set up call centers that call the CEOs of the companies under attack to solicit them to pay. Not only that: having access to the data of the customers of these companies, they also call the latter, informing them that they are in possession of their data and urging them to put pressure on the company under attack to pay.
Finally, another method cited by the Washington Post for encouraging the blackmailed company to pay is to threaten it with a DOS (denial-of-service) attack against its servers, which consists in storming its servers with requests up to send them out of use, interrupting the services that the company provides to its customers and creating further economic and reputational damage.
The industry of helping victims
The growing phenomenon of ransomware attacks has meant that over time another industry has taken shape: that of companies specialized in assistance to the blackmailed. Firms such as Coveware help victims negotiate with extortionists and pay ransoms (which has a certain degree of complexity for those unfamiliar with cryptocurrency transactions), as well as providing tools and assistance in attempting to restore data.
This industry is not welcomed by several authorities, because there are those who argue that it does nothing but fuel the phenomenon, as well as the insurance policies on ransomware attacks. A thesis also supported by the insurance group AXA, which on May 7, shortly after he himself became the victim of such an attack, announced the suspension of its policies that reimburse the payment of ransomware ransomware in France. In 2020, France was the second largest country in the world for the amount of damage from ransomware attacks on businesses and institutions after the United States. If we also count individuals, the second country in the world was instead Italy, where the total cost of the attacks last year would have exceeded 1 billion and 387 million dollars, (1 billion and 136 million euros, at the exchange rate current) according to Emsisoft.
Moreover, the increase in extortion against large companies, in addition to increasing the average ransom over time, has also increased the damage from interruption of operations (the more a company invoices, the higher the lost revenue will be if it stops), in gender covered by insurance. That's why policy prices have risen in recent months and will rise between 20 and 50 percent over the course of 2021, AON estimates, a big g insurance group quoted by the Financial Times.
How to solve the problem?
In 2020, on a global level, cyber blackmail inflicted incalculable total damage, in the hundreds of billions of dollars according to Emsisoft .
To put an end to the problem, some believe that governments must prohibit the payment of ransoms by victims, so that the attacks stop being profitable for the extortionists. However, others point out that this could cause hackers to focus their attacks on targets they have no choice, such as hospitals, in which the life and health of patients also depends on the correct functioning of the computer system.
In an attempt to discourage the payment of ransoms, the US government has issued sanctions against certain criminal groups such as Evil Corp, a Russian-based hacking organization, which prohibit American individuals and companies from sending money to these groups or facilitating negotiations with them. The problem is that often the victim does not know who the attack came from (although they can try to find out through sites such as ID Ransomware), and if the problems generated by the ransomware require an immediate solution, many decide to pay without asking too many questions, ending up to violate sanctions and commit an offense. In short, these sanctions could not only be ineffective, but end up punishing the victims and not the blackmailers.
Given the gravity of the situation, in April, a task force composed of large technology companies such as Microsoft, Amazon and Cisco, as well as financial institutions, academics, members of the US Department of Justice and the FBI, published a report containing a series of measures to deal with the problem.
In the report, the task force encouraged governments to step up international cooperation and punish states that offer shelter to criminals, calling on the U.S. presidency to lead by example and begin a sustained, aggressive intelligence campaign. ”) Against ransomware, which was then actually launched on May 12 by the Biden government with an executive order on the matter. It also called on governments to set up compensation funds for victims and require them to report attacks, as well as to establish an international structure to help companies prepare for and manage attacks. Finally, he asked for more stringent regulation of cryptocurrency markets, a fundamental tool for the payment of ransoms.
