June 18, 2021

IntelBrief: Virtually Held Hostage: Ransomware Attacks are a Strategic Challenge


Bottom Line Up Front

  • In the recent summit between U.S. President Joseph Biden and Russian President Vladimir Putin, cyberattacks and ransomware were high on the agenda.
  • According to Director of the Federal Bureau of Investigation (FBI) Christopher Wray, cyberattacks from U.S. adversaries are reaching a crisis point.
  • U.S. officials suspect these groups operate with tacit Russian state approval, if not outright support, provided they eschew attacking Russian targets.
  • Biden made it clear to Putin that attacks against critical infrastructure are “off limits” and would be met with a devastating U.S. cyber response.

During their recent summit in Geneva, Switzerland, U.S. President Joseph Biden and Russian President Vladimir Putin discussed, among many contentious issues, the ransomware attacks emanating from Russia directed at the United States. According to Director of the Federal Bureau of Investigation (FBI) Christopher Wray, cyberattacks from U.S. adversaries are reaching a crisis point. He likened the challenge to the al-Qaeda terrorist attacks of September 11, 2001, and noted that the Bureau is currently investigating more than 100 separate variants of ransomware. In 2020, the U.S. suffered more than 65,000 ransomware attacks—more than seven per hour. Western countries in general, as evidenced by the recent catastrophic attack on Ireland’s national health service, and the U.S. in particular, have long been prime targets for cyber espionage and cybercrime, including ransomware attacks. But the attack on U.S. company Colonial Pipeline several weeks ago was of an order of magnitude considered beyond the pale. Deterring and mitigating crippling ransomware attacks must be a priority for all multinational corporations and governments, and public-private partnerships will form a key element of the response.

A ransomware attack involves criminal actors accessing a target’s network, usually by obtaining credentials, administrator permissions, and/or logins, and then accessing files and data. So-called “phishing” scams are common and growing more sophisticated. After accessing the data, criminals move to encrypt it, rendering it inaccessible to the company. This data can be anything the target is willing to pay a ransom to decrypt, from trade secrets to systems that impact pipeline operations to personally identifiable information or health-related data. In the past, companies paid the ransom and moved on, sometimes without even bothering to notify law enforcement, in order to avoid making news of the attack public. The ransom often varies depending on the target, but it is usually an affordable amount and, given the disruption and costs of the attack on the target’s operations, one the target is willing to pay in order to resume operations.

In one of the most recent high-profile cases, U.S. company Colonial Pipeline paid hackers a $4.4 million ransom, but also notified the FBI. Though Colonial Pipeline decided to pay the ransom the same day of the attack, it took six days to restart pipeline operations. This caused a brief shortage of gasoline and other fuel products along the East Coast of the U.S., leading to a bout of panic buying by consumers from Virginia to Florida. This in turn led to spikes in the price of gasoline and actual localized shortages. The entire saga was a stark reminder of the increasing vulnerability of U.S. critical infrastructure. The FBI believes the group responsible for the Colonial Pipeline attack, and an additional ninety attacks since August 2020, operates from Russian soil, which has served as a sanctuary for hackers whose actions benefit the Kremlin. Just weeks after the Colonial Pipeline attack created a fuel emergency, the massive meat processing firm JBS was attacked by another Russian cybercriminal gang known as REvil. That ransomware attack caused a brief but serious disruption in JBS’s operations, which led to shortages in meat products to wholesalers, with cascading effects reverberating throughout the supply chain.

In what appears to be an unprecedented response, at least publicly, the FBI was able to recover several million dollars of the ransom paid in the Colonial Pipeline attack. Those funds were in Bitcoin, a cryptocurrency that bills itself as untraceable and unbreakable. Yet, it appears that the FBI was able to both trace and seize those funds. This made the attack less profitable, but it also publicly disclosed specific capabilities that criminals will undoubtedly adapt to in the near future. Moreover, the lion’s share of victims suffering ransomware attacks will not have the luxury of having the FBI available to help recoup funds paid in a ransom. FBI Director Wray is correct to sound the alarm and call attention to the issue, but the U.S. government more broadly needs to craft a robust strategy to deal with the threat, and the response must include a whole-of-government approach that also reaches out to elements of the private sector, utility industries, hospitals and healthcare systems, and any other entity at risk of similar attacks. This week’s summit between Presidents Biden and Putin was an opportunity for the U.S. to make clear, in a public forum with worldwide media attention, that attacks on U.S. critical infrastructure will be met with an overwhelming cyber response.