Ransomware rises as a national security threat as bigger targets fall

Governments around the world look for ways to fight back.

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables
Bree Fowler
4 min read

A ransomware attack shut down operations at JBS USA Holdings earlier this year, resulting in meat shortages in the US.

Getty Images

Cybercriminals are getting more sophisticated and brazen in ransomware attacks, freezing computer systems at school districts, major universities, police departments and hospitals. Now the US government is stepping up its approach to fighting computer crimes. 

Last week, the White House convened an international counter-ransomware event. Representatives from more than 30 countries, including big US allies like the UK, Canada and Japan, participated in the virtual gathering. Notably absent: Russia, which the US and other countries blame for harboring and possibly encouraging the groups behind the attacks.

The group pledged to share information and work together to track down and prosecute the cybercriminals behind ransomware attacks. "Governments recognize the need for urgent action, common priorities, and complementary efforts to reduce the risk of ransomware," the participants said in a joint statement released at the end of the meeting.

The high-level government attention to ransomware underscores its growing reach. Once nothing more than garbage malware locking up the hard drives of the tech unsavvy or of small businesses running dated versions of Windows, ransomware has become a global digital scourge.

It also shows no sign of letting up. Over the weekend, an apparent ransomware attack locked down servers and work stations at Sinclair Broadcast Group. Data also was stolen from the TV station operator, though it's currently unclear what information it contained. The company is investigating.

Earlier this year, a major oil pipeline and a huge meat processors were hit by cybercriminals who demanded millions of dollars in ransom.  The attacks on Colonial Pipeline and JBS USA Holdings made headlines for weeks. They also marked a rise in the ambitions of cybercriminals and caught the attention of government officials and cybersecurity experts. 

"It's really become a national security threat," Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told the Billington Cybersecurity Summit last week. "Everything is connected, everything is vulnerable, and the threat actors are just getting more sophisticated."

According to a report issued Oct. 15 by the Department of the Treasury, suspected ransomware payments reported by banks and other financial institutions totaled $590 million for the first six months of this year, easily surpassing the $416 million in suspicious payments reported for all of 2020.  

Colonial Pipeline and JBS both forked over millions in ransom payments during that six-month period. The FBI was able to recover about $2.3 million of the $4.4 million paid by Colonial. Both ransoms were paid in bitcoin, a popular cryptocurrency. 

Both attacks wreaked temporary havoc, pushing up the price of gasoline and meat as the companies lost control of their supplies.

"It's amusing to the outside world that America doesn't care until it's about oil and meat," says Chester Wisniewski, a principal research scientist for the global cybersecurity firm Sophos.

Wisniewski says earlier attacks would target a dozen or so different entities. They didn't grab the same kind of national headlines, however, because they were separate, smaller attacks.

By today's standards, cybercriminals also weren't as talented. They bought the malware online and sent it out without much research into their targets. Companies would often pay the ransom, try to keep things quiet and move on.

That started to change a few years ago. As malware became more sophisticated, cybercriminals began hacking into a company's financial records to determine exactly how much money the company would likely be able to pay. Now ransoms often reach millions of dollars.

And other attack-related costs far outweigh the actual ransom. Even if a company pays and has its data restored, it still has to bring in experts to rebuild its systems and confirm they're no longer compromised. 

On top of that, an attack usually prompts a company to upgrade its cybersecurity defenses, another cost. 

Sometimes it can be tough for an entity to know exactly how much cybersecurity it should install. Even though JBS is a big company, many experts wouldn't have previously considered it to be an obvious target for a cyberattack.

While acknowledging in a June statement that it did pay the equivalent of $11 million in ransom, JBS said it was able to "quickly resolve" the issues resulting from the attack, thanks to its "cybersecurity protocols, redundant systems and encrypted backup servers," adding that it spends $200 million annually on IT and employs more than 850 IT people around the world. The company didn't immediately return an email seeking further comment for this story.

Even small companies should follow best practices that'll lessen the chances of a cyberattack or the fallout from one, says David Cowen, managing director of US Cyber Security Services at professional-services company KPMG. And those practices can be as simple as making sure employees protect their access to systems with strong passwords and always use two-factor authentication

The government can help, too, he says.

"Look at what happened with Colonial Pipeline," Cowen said. "That group initially got paid but then they got tracked down and some of the money got returned. That's what happens when the government gets involved."

A recently introduced Senate bill would require critical infrastructure owners and operators, which would include companies like Colonial Pipeline, to report cyberattacks within three days.

In addition, nonprofits, businesses with more than 50 employees, and state and local governments would be required to notify the federal government within 24 hours if they make ransom payments.

Meanwhile, the Treasury Department says it'll sanction cryptocurrency exchanges, insurance companies and financial institutions that facilitate ransomware payments. It also said it was taking action against virtual currency exchange SUEX OTC for allegedly facilitating ransomware payments. Officials for SUEX couldn't be reached for comment.

Wisniewski, the cybersecurity researcher, says he likes the idea but questions how much good it'll do if the government doesn't take action against the countries behind the exchanges and financial institutions.

"Are we going to sanction China?" he asked. "I don't think so."