The hacker ring’s ransom note appeared on the company’s computer screens this past Monday. “Your computers and servers are encrypted, backups are deleted,” it said. “We use strong encryption algorithms, so you cannot decrypt your data.”
The price: $1.2 million.
They also had stolen 1 terabyte — the equivalent of 6.5 million document pages — of the company’s sensitive data. If the firm did not pay to decrypt it, the data would be “automatically published” online, the hackers said, according to the note, which was shared with The Washington Post by the firm that helped the victim deal with the attack.
On Wednesday, the company paid $850,000, according to Austin Berglas, the former head of the cyber branch in the FBI’s New York field office who is now global head of professional services for the cyber security firm BlueVoyant.
“In this case,” he said, “they had no option.” If they didn’t pay, he said, “they would go out of business.”
The firm’s dilemma is faced by thousands of companies, schools, governments, and other entities around the world every year. Most incidents go unreported. Anecdotally, according to companies that help victims hit by ransomware attacks, more than half pay some form of ransom — estimated last year to average about $312,000, according to Palo Alto Networks, another cybersecurity company that deals regularly with ransomware attacks. Some experts suspect that amount is low.
The attack that led Colonial Pipeline to shut down its 5,500-mile pipeline, causing fuel shortages throughout the southeastern United States, underscored that the ballooning ransomware wave isn’t just about money. Targeting the private businesses that run much of the economy also threatens national security.
President Biden on Thursday announced that the U.S. government had “strong reason to believe” the criminals behind the attack lived in Russia, though he said he did not believe the Russian government had directed the assault. Nonetheless, he warned Moscow about the need to “take decisive action” against them. The Justice Department, he said, would step up prosecutions of ransomware hackers and the government will “pursue a measure to disrupt their ability to operate.”
Shortly after Biden’s comments, DarkSide, the hacker ring behind the Colonial strike, told its criminal partners that it had lost control of its computer servers and was shutting down. Some experts and U.S. officials warned this could be an “exit scam,” to pretend they were leaving the business only to reappear at a later date under a different name. In any case, it is unlikely to end the risk from ransomware attacks.
One thing is certain. DarkSide had a profitable quarter. The ring collected $14 million in ransoms for all of 2020 and raked in $46 million in just the first three months of this year, according to an analysis by Chainalysis.
Colonial told U.S. officials it was not planning to pay ransom, according to three people familiar with the matter, but one person later said the company changed course. The Washington Post previously reported that the company had no plan to pay a ransom. Industry analysts, based on circumstantial evidence in an online ledger that tracks cryptocurrency payments, say they believe Colonial made a $5 million payment. Colonial has declined to say. Both the FBI and Mandiant, the cybersecurity company assisting Colonial, also declined to comment.
Ransomware has been around for the last decade, but it really exploded in the last several years, with the rise of cryptocurrencies such as bitcoin that are difficult to trace and can be transferred electronically without the assistance of banks or other institutions that are regulated by governments.
Two devastating state-sponsored cyberattacks in 2017, WannaCry, which infected thousands of computers running Microsoft Windows, and NotPetya, which struck computers primarily in Ukraine, showed how worms and destructive malware can cripple major companies, experts said. The pandemic only accentuated the trend as criminals targeted online systems that people relied on to continue to conduct business.
Nearly 2,400 health care facilities, schools and governments in the United States were hit by ransomware last year, according to the Ransomware Task Force, a group of more than 60 experts from industry, government and academia that delivered an 81-page report to the Biden administration last month on how to combat the ransomware scourge. Chainalysis, a firm that tracks cryptocurrency payments, conservatively estimated that victims paid $400 million in ransom during 2020, more than four times the estimate for 2019.
The explosion of attacks also reflected a change in the way hackers handled the business of ransomware. DarkSide was just one of many groups that operated as a sort of service provider for other hackers, or “affiliates,” who used its malware to extort targets in exchange for a cut of the profits. In recent years, these groups have expanded their repertoire beyond just encrypting data. Now they threaten to release the data — a tactic known as “double extortion.” And some have moved to “triple extortion,” threatening to launch so-called denial-of-service attacks on victims that don’t pay, deluging their servers with traffic until they crash, some experts said.
“Ransomware has evolved from an economic nuisance to a national security threat, and to a public health and safety threat,” said Michael Daniel, president and CEO of Cyber Threat Alliance, an information-sharing nonprofit.
“If you roll the clock back to 2013, ransomware affected primarily individual computers, and ransoms were a hundred bucks. Now ransomware affects whole companies, school systems, local governments,” said Daniel, who was the White House cyber coordinator in the Obama administration. “The average ransom is several hundred thousand, and with high-profile companies, into the millions of dollars.”
The dilemma for affected companies and organizations can be acute. Last fall, ransomware launched by Russian criminals hit U.S. hospitals, forcing some to disrupt patient care and cancel noncritical surgeries, and raising the concern that a prolonged disruption could result in deaths. Also last year, hackers struck a South Carolina cloud software provider, Blackbaud, stealing the data of thousands of users across the United States and Canada. Though Blackbaud paid the ransom, data breach laws required the firm to notify its clients, which included schools and hospitals, in dozens of states. The company was hit with almost two-dozen class-action lawsuits.
On Thursday, a criminal group known as Babuk, which is thought to operate out of Russia, posted online a trove of documents hacked from the Washington D.C. police department, including raw intelligence on threats following the Jan. 6 attack on the U.S. Capitol. The data dump apparently came after negotiations with District officials over a fee to prevent the release broke down, according to posts by Babuk.
With such high stakes, it is no surprise that victims feel they have no option but to negotiate with their attackers. The vast majority of victims do not have cyber insurance and try to handle the situation on their own, experts said.
A mini-industry also has arisen in companies that help victims of ransomware attacks. Firms such as Coveware, Kivu and Arete, specialize in negotiating with ransomware criminals. Often these specialists are called in by the insurer, said Michael Phillips, chief claims officer of the insurer Resilience, who noted that policies that cover ransomware became commonly available only about five or six years ago.
Most insurers require that the bargaining with ransomware extortionists be conducted by experienced negotiators, said Phillips, who co-chaired the Ransomware Task Force. They have strategies for bringing ransom prices down. They know how to obtain proof, for instance, of stolen files and of a functioning decryption key, which might involve a limited exchange of encrypted files, he said.
“As perverse as it is, the ransomware market is based on trust,” he said. “That is a routine part of ransomware negotiations.”
The negotiations typically happen through email or an encrypted chat room on the “dark web,” a portion of the Internet where sites are not accessible through search engines and typically require the use of an anonymizing browser, like Tor. The chat rooms often include the group’s logo or the hacker’s avatar, Phillips said.
In the case of the firm that paid the ransom last week, BlueVoyant negotiated a lower amount, Berglas said. “You obviously don’t want to piss them off and have them say, ‘we’re raising it another million dollars,’” he said. “But you want to try to get them to lower the price as much as possible.”
Some companies choose to do the bargaining on their own. “The craziest thing we saw was a company where the CEO started having communications with the ransomware actor, got frustrated and threatened the actor, who promptly disappeared and refused to negotiate any more,” Berglas recalled. “And the organization wound up having to pay the initial ask without any negotiation.”
With data extortion becoming more prevalent, some criminal groups are setting up “call centers” and dialing up CEOs to urge them to pay up or see their data — or their clients’ data — spilled online, said John Bennett, a managing director in the cyber risk practice of Kroll, a risk management firm. “They’re getting the company’s client list, going to the client and saying, ‘I now have your data. You might want to call XYZ company and tell them to pay up,’ ” said Bennett, who led the FBI’s San Francisco and Los Angeles field offices and retired from the bureau in November.
Some companies are able to avoid paying, but that generally involves advance preparation. Grant Schneider, senior director for cybersecurity services at Venable, a law firm, recalled one client in the Mid-Atlantic that was able to avoid paying a ransom demand of $250,000 because the company had stored backups of its data in the cloud. “The calculus on whether or not to pay was more one of, ‘How long is it going to take us to get back up and operational?’ ” he said. “Thinking they would be able to get back up sooner rather than later, they chose not to pay.”
They never shut down and were back to normal operations within two weeks, he said.
But most firms aren’t in that position. The task force report said that companies hit by a ransomware attack took on average 287 days to fully recover.
The surge in ransomware has rocked the insurance industry. Carriers are finding increasingly that premiums don’t cover the cost of ransomware attacks, said Joshua Motta, CEO and co-founder of Coalition, a cyber insurance firm. “Everyone was making money and doing well in the cyber insurance market until ransomware became the dominant criminal business model,” he said.
Premium costs have risen by up to 50 percent since the beginning of the year, said Adam Lantrip, leader of the cyber practice at insurance broker CAC Specialty, and ransomware claims just keep pouring in. The trend is so vexing that France’s largest general insurer, AXA France, announced this month that it will no longer cover ransomware payments for customers within the country, though a French resident could purchase a global policy that would cover such payments.
The U.S. government has long held the position that victims should not pay ransoms so as not to encourage and finance criminals. The FBI routinely advises against paying ransoms, a position political leaders also have endorsed. “We don’t want people to think there’s money in it to threaten the security of a critical infrastructure in our country,” House Speaker Nancy Pelosi told reporters at her weekly news conference on Thursday.
But, officials note, the decision is ultimately the victim’s to make. “Are you going to tell a hospital you can’t pay, and patients die?” Kroll’s Bennett said.
Complicating the decision to pay are federal laws that bar transactions with people or groups that have been sanctioned by the Treasury Department. In guidance issued in October, the department warned that victims making ransom payments to a sanctioned person or group could be fined. “Ransomware payments made to sanctioned persons … could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” the guidance said.
Currently, only a handful of ransomware groups are on the sanctions list, and experts say Treasury has not been known to impose a penalty on anyone for paying a sanctioned entity. Figuring out if a hacker who’s extorted you is related to a group that’s been sanctioned is not easy, experts said. Hackers use pseudonyms, proxy Internet addresses and generally live in the shadows. Affiliates of operations like DarkSide may have links to a sanctioned group. That puts companies in a difficult spot.
“Ransomware attackers are by definition liars, thieves, extortionists and members of a global criminal enterprise, and they take extreme technological measures to conceal any trace of their identity and location,” said John Reed Stark, a cybersecurity consultant and a former chief of the Securities and Exchange Commission Office of Internet Enforcement. “Determining the bona fides of a ransomware attacker is like trying to confirm the height and weight of a poltergeist. Yet that is exactly what the government expects the company to do.”
The guidance also leaves unclear whether ransom negotiators or insurance companies that make payments might also be held liable. Berglas said last year a client wanted to pay a ransom to unlock its data, but the attacker, the Russia-based Evil Corp, was on the sanctions list, so BlueVoyant refused. The client went to another firm, which paid it, he said.
Treasury’s guidance indicates that reporting an attack to law enforcement will be considered a “significant mitigating factor” in determining whether to fine someone for violating the rule.
The international nature of ransomware crime is also an impediment to bringing it under control. The Justice Department and FBI are working with allies and partners overseas to investigate criminal rings, disrupt their operations and online infrastructure, and prosecute hackers, officials said. In January, the department joined Canada, France, Germany, the Netherlands and Britain in dismantling the botnet known as Emotet, which had infected hundreds of thousands of computers in the United States and caused millions of dollars in damage worldwide. The botnet, an army of hijacked computers, could also be used to spread ransomware.
But many of the actors are in countries outside the reach of U.S. and allied authorities. DarkSide, for example, is believed to be based in Russia and many of its communications are in Russian.
“They’ve become the 21st century equivalent of countries that sheltered pirates,” said Daniel, the Obama White House cyber coordinator. “We have to impose diplomatic and economic consequences so they don’t see it as in their interest to harbor those criminals.”
Companies and organizations need to be encouraged to strengthen their defenses, experts say. Many are failing to deploy even basic best practices, such as requiring multifactor authentication for employees logging onto systems, patching vulnerabilities promptly, segmenting networks, keeping backups off line and testing them periodically to ensure they work.
One way companies and law enforcement can team up to thwart extortionists is by quickly identifying midpoint servers used by the hackers to “stage” or store data after it’s siphoned from a company but before it’s sent to the hackers’ server. That happened in the case of Colonial Pipeline, when a cloud provider in New York shut down a server containing data stolen from the firm. The provider had been notified by Mandiant, the company helping Colonial investigate the attack. The move prevented the hackers from collecting the data, which could have been used as part of the extortion effort.
Regulating cryptocurrency is another step experts recommend, especially by enforcing requirements that exchange houses that facilitate cryptocurrency transactions abide by anti-money laundering laws. Even if an exchange is overseas, if it has “substantive” business with a U.S. person, Treasury can regulate it, experts say.
“These operators are required to know their customers, and if Treasury enforced the law, it would arm the Justice Department with the tools they need to identify and prosecute these criminals,” said Phillips.
“A ransomware attacker is not going to use PayPal,” said Allan Liska, senior intelligence analyst at the cyber firm Recorded Future, and a task force member.
The task force also urged Congress to mandate that ransomware victims report attacks to the federal government and, if a payment is made, reveal all of the financial details, including the address of the electronic wallet to which a payment was made. “The ransomware data gap is real and it is an extraordinary obstacle to national and international disruption of these cyber criminals,” Phillips said.
Berglas said it’s unlikely that the problem can be solved by simply hoping businesses won’t make payments. BlueVoyant’s client, he noted, was down all week, its corporate networks frozen by ransomware. By the weekend, with the payment made, the firm was gradually restoring services.
“In the grand scheme of things,” said Berglas, “being down for a few days is better than shutting your doors and going out of business.’’