A cybersecurity expert warned U.S. lawmakers last week that the world was on the cusp of a “pandemic of a different variety.”

Christopher Krebs, who formerly headed the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, testified last Wednesday before the House Committee on Homeland Security that a form of malware called ransomware has become more prevalent than ever. Given an ever-widening criminal enterprise and vulnerable digital landscape, he said, critical infrastructure is at risk of debilitating attacks.

Two days later, Colonial Pipeline, a major fuel pipeline connecting the East Coast, was hit in the largest-known hack on U.S. energy infrastructure.

The incident, which prompted a shutdown of the pipeline, panic buying of gas and a price jump at the pump over the weekend, is one of the latest crippling ransomware attacks orchestrated by extortionary criminal organizations that mostly operate in foreign safe havens outside the grasp of America’s criminal justice system.

Experts say continued ransomware threats are inevitable, calling on businesses and governments to ramp up efforts to secure their online networks.

“Cybercriminals have been allowed to run amok while governments have mainly watched from the sidelines, unclear on whether cybercrime is a national security-level threat,” Krebs told lawmakers. “If there was any remaining doubt on that front, let’s dispense with it now: Too many lives are at stake.”

Frequently Asked Questions

  • What’s a ransomware attack?
  • Why is our infrastructure vulnerable to attacks?
  • How much could ransomware attacks cost?
  • What can be done about ransomware attacks?

What’s a ransomware attack?

Ransomware, malicious computer code that hackers deploy to block an organization’s access to its own computer network in order to extort a ransom, is one of the most common forms of malware, experts say.

Hackers may barrage employees with phishing emails that persuade a user to download a file or visit an infected website, which unleashes the malware.

Once they have seized control of the network, the criminals set a deadline for payment, and if it is not met, they can lock their target out of the network or publicly share sensitive data.

Such attacks have reached a record high recently, with nearly 400 assaults on critical infrastructure in 2020, according to data compiled by Temple University. In the past week, hackers published personnel files of D.C. police officers, caused city services in Tulsa to shut down, and paralyzed a California hospital system.

On Friday, Colonial Pipeline announced it had shut down its 5,500 miles of pipeline, which it said carried almost half of the East Coast’s fuel supplies. The company later said it was hit by a ransomware attack but has shared little about how cybercriminals broke into its network.

The FBI confirmed Monday that the group responsible is known as DarkSide, an Eastern European-based criminal gang.

Why is our infrastructure vulnerable to attacks?

Much of America’s aging infrastructure was built long before the online networks used today came into existence, resulting in vulnerabilities as existing organizations go digital.

“The underlying enabling factors for this cybercrime explosion are rooted in the digital dumpster fire of our seemingly pathological need to connect everything to the Internet combined with how hard it is to actually secure what we have connected,” Krebs said in his testimony.

In addition, local governments, school districts, small businesses and others have limited resources to shore up cybersecurity in the face of a threat.

With the advent of cryptocurrency and expanding networks of criminal groups like DarkSide, ransomware is a burgeoning enterprise, outpacing the development of protective measures.

Cryptocurrency, a form of digital cash, is unregulated or underregulated in some jurisdictions, making it more difficult to track. Hackers have even developed customer hotlines for their targets, streamlining the nefarious process.

“Ransomware-as-a-Service is big business and we are not surprised groups like DarkSide are capitalizing on extortion techniques that are quickly becoming a hallmark for many eCrime actors,” Matt Trushinski, technical director of cybersecurity firm Arctic Wolf, wrote in an email.

When it comes to critical industries like energy, experts say the government needs to take a closer look at what steps companies take to secure themselves.

“We need to have open and candid conversations with oil & gas companies about what measures they’re taking to protect the nation’s critical infrastructure,” oil and gas cybersecurity expert Damon Small said in a statement. “In many ways, oil & gas is self-regulated.”

How much could ransomware attacks cost?

Given the far-reaching consequences of the onslaughts, it is difficult to fully grasp the economic toll ransomware attacks take, although one firm calculated that the cost exceeds billions of dollars.

Victims can be anyone, including entire cities. In 2020, 113 federal, state and local governments and agencies reported they were struck, costing about $915 million, according to one estimate by Emsisoft, a cybersecurity company.

Hacker gangs can demand any sum of money they believe a company or government will pay to get back online.

FBI Special Agent Jonathan Holmes said at a CISA cybersecurity summit last year that ransomware attacks began to pop up almost a decade ago.

“Back in 2013, only your one computer would be affected by ransomware. Fast forward to 2015 — we began to see ransomware actors targeting enterprise computer networks,” Holmes said.

Early on, he said, law enforcement saw demands in the hundreds of dollars. But by 2015, demands were in the tens of thousands — and they’ve steadily increased since, Holmes added.

“Most recently, we’ve seen ransom demands in the order of the millions of dollars range,” Holmes said at the summit.

What can be done about ransomware attacks?

The best strategy against ransomware is to stay ahead of the competition when updating security measures, Forrester analyst Allie Mellen said in an interview. A firm with less-stringent cybersecurity is likely to be targeted.

Put simply: “Outrun the guy next to you,” she said.

Among the list of “quick wins,” Mellen advises strengthening passwords, testing the response plan in case of an emergency, and implementing multifactor authentication, which requires two or more levels of verification before a user can sign on to the company’s network.

“Make sure you’re following the basics, and that’s what you can do right now in order to make sure that this attack doesn’t happen to you in the next week or two weeks,” Mellen said. “From there, it’s obviously very critical to take further steps.”

In April, a task force of experts from businesses, governments and academia released an 81-page report detailing a framework to combat ransomware. The sweeping recommendations highlighted the need for a coordinated international law-enforcement effort to halt countries from providing safe harbor to criminal enterprises.

Following the alleged Russian and Chinese hacking operations targeting U.S. federal contractor SolarWinds and Microsoft, the Justice Department announced earlier this month it would launch a wide-ranging, four-month review into its approach to fighting malicious cyber activity, including ransomware attacks.

On Wednesday, President Biden signed an executive order mandating minimum cybersecurity requirements for federal contractors and requiring service providers to tell the government about cybersecurity breaches that could affect U.S. networks.

Taylor Telford contributed to this report.