Ransomware Attacks Are On The Rise
But Most Never Get Real Attention & Are Being Handled Quietly
As the world moved into the Digital Age, it was no surprise that criminals immediately began looking for vulnerabilities they could exploit to steal and extort money and goods from others.
While those promoting the new digital frontier sold it as a bright new future where transactions and business could be conducted quickly, easily and securely, the reality is that evil never sleeps. Criminal gangs devised clever ways to steal and extort from a distance, committing their crimes completely remotely. The mob movie scene of two heavies showing up to threaten a business owner into coughing up protection money has been replaced with shadowy hackers who issue their threats over the internet.
The biggest form that digital crime has taken is the ransomware attack, where hackers seize control of a particular computer or online network through inserted malware and demand payment in exchange for handing back control.
Most ransomware attacks happen quietly: the attack is publicized only briefly, if at all, and then either the IT experts hired by the victim manage to crack the malware, or the ransom is paid. How many of the top ten malware attacks thus far this year had you heard about?
Colonial Pipeline Got Major Attention – But Most Ransomware Attacks Are Handled Quietly
It’s hard not to pay attention when almost 1,000 gas stations run out of gasoline – which is why the recent Colonial Pipeline ransomware attack stayed in the news for several weeks.
When a group of skilled hackers gained control of the crucial pipeline that supplies much of the gasoline to the East Coast, Colonial was forced to shut the pipeline down to prevent any damage. That quickly led to a brief shortage of gasoline across almost half the country.
After initially denying any payment was made, Colonial admitted it had paid an almost five million dollar ransom.
But because most ransomware attacks do not have such an immediate and visible impact on a country the way Colonial’s did, they pass under the radar.
Reports of ransomware attacks have increased dramatically in recent months, very likely because more companies – as Colonial did – seem to be opting for the easy way out by quietly paying the ransoms.
Targeting the Healthcare Industry in a Pandemic
The healthcare industry has been weathering a marked increase in hacking attacks in recent months, according to a report released by the noted cybersecurity firm VMware Carbon Black on February 8 of this year.
According to its report:
VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and found 239.4 million cyberattacks were attempted in 2020, which equates to an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019.
In a recent video posted on YouTube, the cybersecurity firm Check Point reported that ransomware attacks have increased by 102% so far this year compared to 2020, and that during the pandemic, state and national healthcare infrastructure has been a prime target of hacking gangs.
In the very first example it discusses in its video, Check Point reports on how hackers recently shut down the entire public and private healthcare infrastructure of Ireland for several days with a single ransomware attack.
Access to healthcare becomes even more vital during a viral outbreak, which is why criminal gangs attempt to hold that access hostage in exchange for ransom payments. Public pressure to restore medical services quickly works strongly in the hackers’ favor, pushing victims toward the quick way out: paying the ransom.
Turning Your Own Software Against You
It appears ransomware gangs have upped their game in the last year, and cybersecurity firms are scrambling to respond to a series of new attacks that exploited vulnerabilities in their own software.
We all saw an eye-opening example of this late last year.
Last December the Cybersecurity & Infrastructure Security Agency (CISA) made an explosive announcement: a major software product, used broadly as an IT management tool across the spectrum of top cyber networks inside the U.S. government and vital industries, had been compromised by hostile foreign actors. And the compromise was still ongoing.
The CISA announcement of the breach came on December 13. The hackers had reportedly been running through the United States’ top cyber networks via compromised software updates before the breach was discovered by the top cybersecurity firm FireEye.
The compromised SolarWinds IT management software package is called “Orion”, and far from being just another IT option, Orion had garnered a significant share of the available market.
In a report by Newsweek on December 18, 2020, a now-removed page on the SolarWinds website was quoted boasting that its Orion software was used “by more than 425 firms on the Fortune 500, all branches of the U.S. military, the Centers for Disease Control & Prevention.”
Following disclosure of the breach, SolarWinds said that around 18,000 of its clients were affected by the cyber intrusion. In an SEC filing on December 14, the company stated:
"SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000."
To be clear: Orion isn’t cybersecurity software; it’s a product that allows you to monitor an entire IT system – which often includes the security software.
Why the SolarWinds Breach & Colonial Pipeline Attacks Are Potentially Catastrophic
To fully implement the Orion IT package, SolarWinds clients appear to have had to grant the company an unprecedented level of intimate access to all their networks. It’s unusual for a third-party contractor to be given this high a level of access across such a broad spectrum of the most important networking systems inside the U.S. government, its military, and key private companies involved in vital national security infrastructure.
If such a third-party contractor ends up being compromised, every single network into which it had been granted access becomes vulnerable to being compromised as well.
And this is exactly what happened with the SolarWinds attack.
Following the Orion hack, ransomware attacks have increased to the point that hacking gangs can shut down a country’s key energy and health care infrastructure. Even the mighty United States isn’t immune.
When Did the Orion Attack Really Begin?
Early reports had stated the breach of Orion “possibly” began in the spring of 2020. But then the CEO of SolarWinds told a room full of reporters at a major cybersecurity conference last week that the hackers appear to have made their initial forays into the Orion system far earlier than previously thought.
At the 2021 RSA Conference held in San Francisco, CA from May 17-20, SolarWinds CEO Sudhakar Ramakrishna revealed that the company now believes their system was breached a full eight months earlier than previously reported – January 2019.
PC Mag reports:
A continuing review of the SolarWinds systems, which Ramakrishna described as hundreds of gigabytes of information, currently shows that attackers "may have been in our environment as early as January 2019." He didn't go into detail about what they were doing at that point, except to characterize their actions as "very early recon activities."
From January 2019 to December 2020 is 24 months. That’s two entire years.
Two years is an awfully long time to have hostile foreign attackers traipsing around surreptitiously inside your country’s most sensitive cyber networks. What did they manage to steal? And how can we be sure the intruders have been excised from all of the key systems?
These recent events have made it clearer than ever that cybersecurity is increasingly vital to our national security.
Let’s hope the people in charge of it don’t get caught napping again.