They have the sort of names that only teenage boys or aspiring Bond villains would dream up (REvil, Grief, Wizard Spider, Ragnar), they base themselves in countries that do not cooperate with international law enforcement and they don’t care whether they attack a hospital or a multinational corporation. Ransomware gangs are suddenly everywhere, seemingly unstoppable – and very successful.
In June, meat producer JBS, which supplies over a fifth of all the beef in the US, paid a £7.8m ransom to regain access to its computer systems. The same month, the US’s largest national fuel pipeline, Colonial Pipeline, paid £3.1m to ransomware hackers after they locked the company’s systems, causing days of fuel shortages and paralysing the east coast. “It was the hardest decision I’ve made in my 39 years in the energy industry,” said a deflated-looking Colonial CEO Joseph Blount in an evidence session before Congress. In July, hackers attacked software firm Kaseya, demanding £50m. As a result, hundreds of supermarkets had to close in Sweden, because their cash registers didn’t work.
The gangs – criminal enterprises that hack into internet-connected computer systems, lock access to them, and then sell a decryption key in exchange for payment in bitcoin – have targeted schools, hospitals, councils, airports, government bodies, oil pipelines, universities, nuclear contractors, insurance companies, chemical distributors and arms manufacturers. Hackers haven’t targeted air traffic controllers yet, but some believe that it’s only a matter of time.
All organisations are vulnerable, although a sweet spot is mid-size businesses that have enough revenue to make them a lucrative target, but aren’t large enough to have dedicated cybersecurity teams. “Everybody who uses internet-connected computer systems has vulnerabilities,” says Dr Herb Lin, a cybersecurity expert at Stanford University.
Russia is a major hotspot for ransomware attackers to headquarter themselves, as is Iran. Cyrillic – the Russian alphabet – is commonly used in ransomware forums or source codes. “It’s not that the Russian government is conducting these ransomware attacks,” Lin says, “but they have an arrangement in which the Russian-based cyber-mobs can do their activities outside Russia, and the country turns a blind eye to it. The tacit agreement is, if you hack a Russian system, you’re in trouble.” I ask Lin why the Russian authorities are so lenient. “My guess is that Putin gets a cut,” he says.
These hackers operate as organised gangs: some members specialise in identifying compromised systems and gaining access, while others handle the ransom negotiations. (Investigators tracing ransom payments will often see cryptocurrency transferred into many different cyberwallets after a transaction has been made, for this reason.)
And they are not shy of publicity – some have even given media interviews. “I know at the very least several affiliates have access to a ballistic missile launch system… It’s quite feasible to start a war,” said an unnamed REvil spokesperson airily in one interview. “But it’s not worth it – the consequences are not profitable.” Each group has a distinct character. “REvil has some flair, as does Pysa, who are quite snarky,” says Brett Callow of the cybersecurity firm Emsisoft. “At the other end of the spectrum, Ryuk are robotic in their approach.”
More recently, these gangs have pivoted into extorting individuals. If victims don’t pay, their stolen data is dumped online, or sold on the dark web to the highest bidder. (There is no way to know if the data is sold anyway, even if the victim does pay.) Some of these extortion demands take a vicious tenor: REvil recently threatened to publish damaging information about Invenergy CEO Michael Polsky after he refused to pay a ransom. “We know his secrets… we will share with you some disgusting photos, and many interesting facts from his life,” wrote the hackers on their dark web blog. And the pandemic has proved especially fecund for ransomware gangs. According to a report from cybersecurity software firm Bitdefender, attacks increased by 485% in 2020 alone. “It’s taken off since Covid because we have more people working from home,” says Sophia, a crisis communications expert who specialises in advising companies who have been targeted by ransomware hackers. Poorly secured remote access logins are a common route in. “More of a digital environment leads to more points of entry for the attackers,” she says. “The last year and a half has been a whole new ballgame.”
I ask how many cases she has personally worked on this year. Sophia sighs. “It’s probably upwards of 50 this year. And it’s only July.”
All the experts I speak with agree – many victims of ransomware do pay. “About half do,” says Sophia of her clients. “I did one job for an organisation in Australia,” says Nick Klein of Australian cybersecurity firm CyberCX, “where the CEO was literally walking around their office with a credit card, saying, ‘How can I convert money into bitcoin?’” Alastair MacGibbon of CyberCX always advises his clients not to pay, but he is not judgmental of those who do: “You can’t be a puritan in this space. You are dealing with the livelihoods of your staff, and trying to protect your suppliers. There are legitimate reasons to pay.”
Specialist negotiators are often brought in to haggle the gangs down. “It’s a business deal,” says Klein, who is one such negotiator. “You need to make the attackers understand that you want to do a business transaction with them, and they need to be realistic and come to an agreement that works for both parties.” He’s successfully bartered down hackers from demands of tens of millions of dollars, to under $100,000. “Conversely,” Klein says, “I’ve done jobs where we’ve gone to criminals and said, the company can’t afford this, and they send back a copy of their financial statements.” He chuckles: “That’s a well-informed criminal.”
But despite the fact that many ransomware victims do pay up, a code of omertà prevails. No one will talk about it to me. Phone calls go unanswered; emails ignored. One CEO answers his mobile, garbles incoherently at break-neck speed, and hangs up. Everyone who works in this space tells me the same thing: they know dozens, if not hundreds, of executives who have paid ransoms, and not one will speak with me. “There’s a stigma attached,” MacGibbon says. “And there’s a fear of revictimisation.”
But eventually, I do track down someone who will talk…
Thursday, 11 January 2018 was a day like any other at Hancock Regional Hospital in the city of Greenfield, Indiana. Inclement weather was approaching and flu cases were on the rise. At 9.30pm, messages began appearing on computer screens, announcing that the system had been encrypted using SamSam ransomware. Hackers got in through a password belonging to a third-party vendor that had been breached and sold on the dark web. If the hospital wanted to regain access to its systems, it had to pay a ransom of four bitcoins, then the equivalent of about £40,000. Until then, every file was locked.
At home, in bed beside his wife, Steve Long received a phone call from an administrator around midnight. He drove to the hospital immediately, where he stared in puzzlement at row upon row of locked computer screens.
“They were targeting us specifically,” he says. “What kind of a person does that? It’s unconscionable to do that to a hospital.”
Long is that rarest of people – a man willing to admit to paying a ransom demand. The hospital CEO has the genial air of a headteacher and is remarkably candid about his decision to pay the hackers, who were based in Iran.
“It was a terrible decision,” he says, “and I agree with all the reasons for not paying ransoms. But when you’re in that situation you discover pretty quickly it’s about business continuity.” There was some blowback, of course. “People said, ‘You should never pay a ransom for any reason.’ But they were people who have never been in that situation.”
After staying up all Thursday night, Long made the decision to pay up around noon the following day – they were going into a holiday weekend and the bank would be closed until Tuesday. Just as he was preparing to make the transaction, he received the phone call: a reporter at the local paper had gotten wind of the story.
Long had three choices: lie, obfuscate, or tell the truth. He invited the reporter into the hospital and told him exactly what was going on. “We thought it was important to tell our story,” he says, “because no one ever talks about this and, because no one ever talks about it, no one ever learns.”
He hopes that sharing his experience will encourage other organisations to take the threats posed by ransomware hackers seriously.“As an individual,” Long says, “you think it won’t happen and you’ll never find yourself in the thick of it. And then you’re sitting in the administrator conference room and the only outside access you have to the world is your personal laptop, email address, and the hotspot on your phone.”
Early Saturday morning, the hospital paid the ransom. The hackers, good to their word, provided the decryption keys and by Monday morning most things were back to normal. Long threw a staff party with a cupcake van and drinks. He even had T-shirts made up. They read: “I survived the cyber apocalypse of 2018, and all I got was this silly T-shirt.”
In the world of ransomware, there are no pat moral absolutes. Long paid, protected patient safety, and got the hospital back up and running again, but he also put money into the pocket of criminals, and encouraged them to do it again, to another hospital. To not pay is a principled stance, but one fraught with risk. Oftentimes, not paying is damaging, disruptive, and actually costs organisations more than the ransom demand. When Atlanta refused to pay a £36,000 ransom in 2018, it cost the city more than £1.8m to rebuild.
“We won’t entertain the idea of paying ransoms,” says Rob Miller of Hackney council, which was hit in October 2020. “It places other organisations and councils at risk, because it creates a precedent that we will pay. And it funds nasty criminality, including child exploitation.” An ethical decision, certainly, although Hackney’s residents may not agree because, 10 months on, the council still does not have access to many of its core systems. The council tax system is not fully operational, nor is the system to record business rates. It could be another nine months before the benefits office is back to normal.
As a result of the chaos, people’s house sales fell through and many have not been able to access the benefits they are entitled to. Perhaps worst of all, hackers posted personal information about Hackney residents, including passport data, on the dark web, for criminals to exploit. “Obviously,” says Miller, “that feels terrible.” But he robustly rejects the notion that it would have been better to pay, or that Hackney Council should be held culpable for not protecting their residents better. “We’re really clear that the people who should feel guilty are the criminals that caused this,” Miller says.
Perhaps. But the truth is that criminals were able to access Hackney’s systems through a security weakness and as a result, residents have suffered. Miller tells me council officers have been working around the clock to minimise service disruption, and identify people who may have been affected by the breach, and offer support. But is that enough?
“It’s my personal view that organisations should be held liable for cybersecurity breaches they could have fixed, but didn’t,” Lin says. Under existing UK and US law, organisations have to notify individuals whose data has been compromised by cybercriminals, but they don’t usually have to pay fines. “Let’s pretend they had to pay $20 every time they wrote to someone notifying them of a data breach,” says Lin. “They would start to pay attention [to their cybersecurity] then.” I ask him whether it’s right to re-victimise victims of crime – after all, we wouldn’t fine burglary victims for leaving a window open. “I’m also the victim of a crime,” Lin says. “Who compensates me? Why should they get off for having inadequate security precautions that caused me to suffer this harm?”
It’s a punchy proposition, albeit one unlikely to see the light of day, because hundreds, if not thousands, of businesses would probably go bankrupt. Some of the organisations targeted by criminals have been sloppy, certainly. The hackers who got into Colonial Pipeline did so because there wasn’t dual-factor authentication set up on a VPN account – a basic security measure. But a talented and conscientious hacker can gain access to most internet-connected computer systems.
“What we have right now is a feeding frenzy which is the result of companies paying increasingly ridiculous amounts of money,” Callow says, “and criminals being able to operate with almost complete impunity.” He believes the solution is for governments to make paying ransoms to cybercriminals illegal. In the US and UK it is not currently illegal and insurers will often cover ransom payments, which are sometimes tax-deductible. “Ransomware attacks happen for one reason,” Callow says. “Because they are profitable. So organisations have to stop paying ransoms. That’s the only way to stop attacks.”
Governments are finally waking up to the terrible threat posed by ransomware hackers. In the UK, GCHQ’s cybersecurity lead recently warned that ransomware poses a bigger threat to online security than hostile states. In the US, President Biden has established a multi-agency anti-ransomware government taskforce. The FBI recently succeeded in recovering £1.6m of the Colonial Pipeline ransom, suggesting that bitcoin is either not as untraceable as previously thought, or that investigators had intelligence on the group behind the attack. This month, REvil – the most high-profile of all the ransomware groups – went offline. No one is sure why, but the crackdown may have played a role.
While legislators try to find solutions, the savvier organisations are doing all they can to inoculate themselves against attacks. “I tell my clients to prepare for their worst nightmare cyber incident,” Sophia says. Miller and Long urge organisations to increase their cybersecurity spend: Hackney council has accelerated its move to cloud-based services, which are less vulnerable to hackers, while Hancock Regional Hospital pays an external security firm to watch their network 24/7, monitoring for potential breaches. “It’s a bit like after the Great Fire of London,” says Miller of the council’s security efforts post-hack, “they built stone buildings with wider streets. It didn’t stop all fires from happening, but it reduced the likelihood.”
And of course, there’s going back to basics. “The backup is always paper,” Long says. “We have other safeguards electronically. But the hospital has a paper backup we always go to.” Because in a digital world, sometimes the only way to protect oneself from the cybercriminals of the future is to seek sanctuary in an analogue past.
Some names have been changed