A significant gas pipeline. Dozens of government agencies. The water supply of a Florida city. And now, one of the top meat producers on the planet.
Cyberattacks have increased dramatically in recent months, disrupting products and services that are essential to our daily lives. Ransomware, a set of tools that allows hackers to gain access to computer systems and disrupt or lock them until they are paid, has been used in many of these attacks.
Ransomware isn’t a new threat. However, hackers are increasingly targeting critical infrastructure and physical business operations, making attacks more profitable for criminals and more devastating for victims. And with the rise of remote work during the pandemic, significant vulnerabilities have surfaced, making such attacks even easier to carry out.
After declaring 2020 the “worst year ever” for extortion-related cyberattacks, the US Department of Justice formed a ransomware task force in April. The problem appears to be escalating: According to a report from cybersecurity firm Check Point Software, ransomware attacks have increased by 102 percent in the first half of 2021 compared to the same period last year. That doesn’t take into account recent events, such as a ferry operator in Martha’s Vineyard, Cape Cod, and Nantucket announcing on Wednesday that it had been hit by a ransomware attack.
The US government is stepping up its efforts to combat ransomware, but experts warn that without significant private sector cooperation and investment, these attacks will likely continue.
Many people believe that cyberattacks are simply attempts by hackers to steal sensitive data or money over the internet. However, hackers have discovered that targeting physical infrastructure is a lucrative business.
These attacks have the potential to cause havoc in people’s lives, resulting in product shortages, higher prices, and other negative consequences. The greater the disruption, the more likely it is that businesses will pay to mitigate it.
“If you’re a ransomware actor, your goal is to inflict as much pain as possible to compel these companies to pay you,” said Katell Thielemann, Gartner’s vice president analyst for security and risk management. “This is beyond cybersecurity only, this is now a cyber-physical event where actual, physical-world processes get halted. When you can target companies in those environments, clearly that’s where the most pain is felt because that’s where they make money.”
According to US officials, Russia is responsible for a number of recent ransomware attacks. The FBI said on Wednesday that the attack on JBS was carried out by the Russian cybercriminal group REvil, which also tried to extort Apple supplier Quanta Computer earlier this year. REvil is similar to DarkSide, the group blamed by US officials for shutting down the Colonial Pipeline last month with a ransomware attack.
Both REvil and DarkSide, according to experts, operate “ransomware-as-a-service” businesses, employing large teams to develop tools that help others carry out ransomware attacks while taking a cut of the profits. They may also carry out their own attacks in some cases. According to cybersecurity experts, Russian law enforcement typically leaves such groups operating within the country alone if their targets are elsewhere because they bring money into the country.
JBS has not said whether it paid a ransom to the attackers, but Colonial Pipeline’s CEO admitted to paying a $4.4 million ransom to get the company back up and running.
Experts generally advise against paying ransoms in order to avoid funding the criminal organizations that demand them, but businesses sometimes have no choice but to pay in order to reopen.
The list of possible targets is extensive. Energy, healthcare, financial services, water, transportation, food, and agriculture are among the 16 industries listed by the US government’s Cybersecurity and Infrastructure Security Agency (CISA) as “critical infrastructure sectors,” whose compromise would have a “debilitating effect” on the US economy and security. However, experts say that much of this infrastructure is outdated, and that its cyber defenses haven’t kept up with the evolution of malicious actors.
To make matters worse, according to Mark Ostrowski, head of engineering at Check Point, many companies in those industries haven’t traditionally thought of themselves as tech companies, which means their systems may be less sophisticated and easier to compromise.
“So hospitals, their business is to save lives; meat and poultry is to produce goods and services; pipelines are to create gas exchange or oil exchange,” he said. “Those certain industries also may be targeted because maybe they’re behind in their [software] patching, maybe their cyber program is not quite what it needs to be.”
In recent years, this has become increasingly true. As technology has advanced, more physical infrastructure has been embedded with connected devices that link it to a company’s larger network. Even a hacker who gains access to a company’s network via its email system may be able to cause havoc with the machines in its manufacturing facilities or other areas of the business.
“The world is becoming more connected” and we should expect the risks “to multiply across all of these industries,” Thielemann said.