Ransomware is not new. But there is a growing trend of hackers targeting critical infrastructure and physical business operations, which makes the attacks more lucrative for bad actors and more devastating for victims. And with the rise of remote work during the pandemic, significant vulnerabilities have been revealed that only make it easier to carry out such attacks.
The US government is now ratcheting up efforts to address the threat of ransomware, but experts warn that without significant cooperation and investment from the private sector, these attacks are likely here to stay.
Bigger targets, better returns
Many people think of cyberattacks as just that: an attempt by hackers to steal sensitive data or money online. But now hackers have found a significant moneymaker in targeting physical infrastructure.
These attacks have the potential to spark mayhem in people’s lives, leading to product shortages, higher prices and more. The greater the disruption, the greater the likelihood that companies will pay to alleviate it.
“If you’re a ransomware actor, your goal is to inflict as much pain as possible to compel these companies to pay you,” said Katell Thielemann, Gartner’s vice president analyst for security and risk management. “This is beyond cybersecurity only, this is now a cyber-physical event where actual, physical-world processes get halted. When you can target companies in those environments, clearly that’s where the most pain is felt because that’s where they make money.”
Experts say both REvil and DarkSide operate what are essentially “ransomware-as-a-service” businesses, often employing large staffs to create tools to help others execute ransomware attacks, and taking a cut of the profits. In some cases, they also carry out their own attacks. Cybersecurity experts say Russian law enforcement typically leaves such groups alone when they operate within the country but target victims elsewhere, because they bring money into the country.
To make matters worse, many companies in those industries haven’t historically thought of themselves as tech companies, meaning their systems may be less sophisticated and easier to compromise, according to Mark Ostrowski, head of engineering at Check Point.
“So hospitals, their business is to save lives; meat and poultry is to produce goods and services; pipelines are to create gas exchange or oil exchange,” he said. “Those certain industries also may be targeted because maybe they’re behind in their [software] patching, maybe their cyber program is not quite what it needs to be.”
This has become increasingly true in recent years. As technology has evolved, more physical infrastructure has been embedded with connected devices that link it with a company’s larger network. Even if a hacker enters a company’s network through its email system, for example, they could have the opportunity to wreak havoc on the machines in its production facilities or other areas of the business.
“The world is becoming more connected” and we should expect the risks “to multiply across all of these industries,” Thielemann said.
How the pandemic made things worse
It’s not a coincidence that ransomware has spiked during the pandemic.
“Critical infrastructure was always designed to have the control systems isolated and physically separate from the corporate network and the internet,” said Eric Cole, a former cybersecurity commissioner to the Obama administration and author of the new book “Cyber Crisis.”
“Initially for automation and accelerated by the pandemic, these systems are now connected to the internet. … The known vulnerabilities make them an easy target,” Cole added.
The pandemic also made certain targets more attractive, as hackers sought opportunities to profit by attacking crucial services.
What needs to be done
Companies, organizations and agencies will now need to work as quickly as possible to plug potential gaps in their systems, updating software and ensuring that their most critical functions are sufficiently insulated from cyberattacks.
“Every company needs to be able to heighten this and become preventative because these attacks are weapons-grade. They’re not just casual attacks,” Ostrowski said.
For companies, the easiest fix is to keep the most vital infrastructure functions off the web — and to keep any online systems up to date with software patches, Cole said.
And while systems-level upgrades or overhauls may sometimes be necessary, Ostrowski said the risk often comes down to individual behavior. Most ransomware is distributed through phishing attacks, where users are tricked into clicking a link in an email that gives the hackers broad access to their system.
“It’s actually very simple. As a cybersecurity community we’ve been trying to solve the email problem for decades,” he said. “It’s about solving and preventing phishing attacks, number one, and that will lead to anti-ransomware technologies.”
“I think the industries expect these number of attacks to continue to increase,” Ostrowski said. “If anything, what this has highlighted is how important our supply chains are.”