
Why is ransomware so dangerous and difficult to stop?

There have been a growing number of high-profile ransomware cases in recent months. - Copyright Michael Geiger - Unsplash
By Euronews and AP

Recent high-profile "ransomware" attacks on the world's largest meat-packing company and Ireland's national health service have underscored how gangs of extortionist hackers can disrupt the economy and put lives and livelihoods at risk.

Last year alone in the United States, ransomware gangs hit more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.

In Europe, ransomware attacks have struck targets as diverse as Polish game developer CD Projekt and schools in Tunbridge Wells, England. But it is the disruptive hacks on the Colonial Pipeline in the US and Brazilian meat processor JBS in May that have drawn close attention from world leaders, along with heightened scrutiny of the foreign safe havens where cybercriminal mafias operate.

What is ransomware and how does it work?

Ransomware scrambles the target organisation's data with encryption. The criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys for unlocking those files.

Ransomware crooks have also expanded into data-theft blackmail. Before triggering encryption, they quietly copy sensitive files and threaten to post them publicly unless they get their ransom payments. That can present problems even for companies that diligently back up their networks as a hedge against ransomware, since refusing to pay can incur costs far greater than the ransoms they might have negotiated.
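The two behaviours described above, mass encryption of files and the ransom note left behind, are what defenders look for on endpoints. The following Python heuristic is an added illustration, not code from the article or from any vendor; it runs over a constructed list of file-write events (process, path, bytes) and flags a process that rewrites several distinct files with near-random content in a short window, reporting any note-like file it dropped as corroboration.

```python
import math
from collections import defaultdict

# Constructed file-system events: (seconds, process, path, bytes written).
# bytes(range(256)) stands in for ciphertext: every byte value once, entropy 8.0.
CIPHERTEXT = bytes(range(256))
SAMPLE_EVENTS = [
    (0, "word.exe", "C:/Users/a/report.docx", b"Quarterly figures, plain prose. " * 8),
    (5, "word.exe", "C:/Users/a/notes.txt", b"Meeting notes, more plain prose. " * 8),
    (10, "update.exe", "C:/Users/a/Documents/report.docx", CIPHERTEXT),
    (11, "update.exe", "C:/Users/a/Documents/budget.xlsx", CIPHERTEXT),
    (12, "update.exe", "C:/Users/a/Documents/plan.pptx", CIPHERTEXT),
    (13, "update.exe", "C:/Users/a/Pictures/holiday.jpg", CIPHERTEXT),
    (14, "update.exe", "C:/Users/a/Pictures/family.jpg", CIPHERTEXT),
    (15, "update.exe", "C:/Users/a/Documents/HOW_TO_DECRYPT.txt", b"Your files are encrypted."),
]
NOTE_MARKERS = ("decrypt", "readme", "restore", "recover")  # assumed note-name keywords


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].lower()
    return any(marker in name for marker in NOTE_MARKERS)


def flag_ransomware_like(events, window=60, min_files=5, entropy_min=7.0):
    """Return {process: {"encrypted_files": n, "ransom_notes": [...]}} for every
    process that overwrote >= min_files distinct files with high-entropy content
    within `window` seconds; dropped notes are attached as supporting evidence."""
    by_proc = defaultdict(lambda: {"hits": [], "notes": []})
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if looks_like_ransom_note(path):
            by_proc[proc]["notes"].append(path)
        elif shannon_entropy(data) >= entropy_min:
            by_proc[proc]["hits"].append((ts, path))
    flagged = {}
    for proc, info in by_proc.items():
        hits = info["hits"]  # already in time order
        for i, (start, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if t - start <= window}
            if len(paths) >= min_files:
                flagged[proc] = {"encrypted_files": len(paths), "ransom_notes": info["notes"]}
                break
    return flagged
```

Real deployments would feed this from an EDR or auditd/Sysmon stream and tune the thresholds per host role, since backup agents and archivers also write high-entropy data in bulk.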

How do ransomware gangs operate?

The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Though barely a blip three years ago, the syndicates have grown in sophistication and skill. They leverage dark web forums to organise and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments - and their laundering - harder to track.

Some top ransomware criminals fancy themselves software service professionals. They take pride in their "customer service," providing "help desks" that assist paying victims in file decryption. And they tend to keep their word. They have brands to protect, after all.

The business is now highly specialised. An affiliate will identify, map out and infect targets using ransomware that is typically "rented" from a ransomware-as-a-service provider. The provider gets a cut of the payout; the affiliate normally takes more than three-quarters.

Other subcontractors may also get a slice. Those can include the authors of the malware used to break into victim networks and the people running so-called "bulletproof domains" behind which the ransomware gangs hide their "command-and-control" servers. Those servers manage the remote sowing of malware and data extraction ahead of activation, a stealthy process that can take weeks.

How come the ransoms keep getting bigger?

Data from EU cybersecurity agency Enisa published in October showed that victims of ransomware paid out over €10 billion in 2019, up €3.3 billion on the year before.

Meat company JBS admitted in June it had paid the equivalent of €9 million to hackers after a ransomware attack halted production in Australia and America.

"This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, the CEO of JBS USA. "However, we felt this decision had to be made to prevent any potential risk for our customers".

The FBI discourages paying ransoms, but a public-private task force including tech companies and US, British and Canadian crime agencies says it would be wrong to try to ban ransom payments altogether. That's largely because "ransomware attackers continue to find sectors and elements of society that are woefully underprepared for this style of attack".

The task force recognises that paying up can be the only way for an afflicted business to avoid bankruptcy. Worse, the sophisticated cybercriminals often have done their research and know a victim's cybersecurity insurance coverage limit. They've been known to mention it in negotiations.

That degree of criminal savvy helped drive average ransom payments to more than $310,000 (€260,000) last year, up 171 per cent from 2019, according to Palo Alto Networks, a task force member.

What are leaders doing to tackle ransomware?

US President Joe Biden signed an executive order in May meant to strengthen American cybersecurity defences, mostly in response to Russia's hacking of federal agencies and interference in US politics.

White House principal deputy press secretary Karine Jean-Pierre said in June that the ransom demand made to meat company JBS came from a "criminal organisation likely based in Russia".

Ransomware and cybersecurity were key discussion points when President Biden met his Russian counterpart Vladimir Putin in Geneva in June.

"I talked about the proposition that certain critical infrastructure should be off-limits to attack. Period. By cyber or any other means. I gave them a list, 16 specific entities. 16 defined as critical infrastructure," Biden said after the summit.

Earlier, leaders at a G7 summit in the United Kingdom issued a joint statement that called on Russia to do more to tackle cybercrime.

"We call on Russia...to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes," the statement signed by the leaders of Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States said.

Named and shamed

The new industry task force set up to combat ransomware says it's important to have concerted diplomatic, legal, and law enforcement cooperation with key allies.

Ransomware developers and their affiliates should be named and shamed - though they're not always easy to identify - and regimes that enable them punished with sanctions, its report urges.

It calls for mandatory disclosure of ransom payments and a federal "response fund" to provide financial assistance to victims in hopes that, in many cases, it will prevent them from paying ransoms.

And it wants stricter regulation of cryptocurrency markets to make it more difficult for criminals to launder ransomware proceeds.

The task force also calls for something potentially controversial: amending the US Computer Fraud and Abuse Act to let private industry actively block or limit online criminal activity, including that of botnets, the networks of hijacked "zombie" computers that ransomware criminals use to sow infections.