In March this year I was joined by Sir Mike Rake, chair of Great Ormond Street Hospital, former chair of BT and president of the CBI, and Richard Horne, cyber security chair for PwC UK, for an Adeptis Group webinar on ransomware. Since then ransomware has barely been out of the headlines. Now seems like a good time to look at developments since our event in March.
Probably the most high-profile recent ransomware attack hit the Colonial Pipeline in the USA in early May. The pipeline carries 45% of the east coast’s supply of diesel, petrol and jet fuel. DarkSide, a ransomware-as-a-service gang probably based in Russia, hit Colonial with a ransomware attack that led to the pipeline being shut down for days, causing fuel shortages and queues at pumps. This is probably one of the most impactful criminal ransomware attacks ever, striking at a key part of critical national infrastructure in the USA.
It’s important to be clear what the Colonial attack was and what it was not. It appeared at first to be a ransomware attack that disabled operational technology in critical infrastructure – the kind of tech that sits at the heart of the operations at installations like power stations or oil refineries. But in fact it looks like a straightforward attack on administrative IT. It’s been suggested that Colonial shut down their pipeline operations because the attack had disabled their billing system and they were worried they wouldn’t be able to charge customers accurately for fuel.
Nonetheless, the scenes of chaos that followed were a powerful reminder that even the indirect effects of a cyber attack can hit right at the heart of what keeps a nation functioning. Later in May we saw another example with a criminal ransomware attack on the Irish health care system.
According to the head of the Irish Health Service Executive, the attack wiped out more than 2000 systems and will cost at least €100 million. The attackers claimed to have stolen more than 700 GB of files, including patient data, and demanded a $20 million ransom. According to various reports, amongst other things the attack led to up to 80% of medical appointments being cancelled, left clinicians with limited or no access to patient records, took down software used for sharing X-rays and CT scans, and prevented doctors from reviewing previous scans.
These high-profile attacks with dramatic real-world consequences come against a backdrop of rapid growth in ransomware attacks. In 2020 the UK’s National Cyber Security Centre (which tends only to get involved in the most significant cyber attacks) said it had handled three times as many ransomware incidents as in the previous year. The FBI reported that around 2400 US companies, local government organisations, healthcare facilities and schools were victims of ransomware in the last year. One estimate has put the global cost of ransomware in 2020 at perhaps as much as $170 billion.
Governments now seem to be getting the message and putting ransomware at the top of the agenda. The Biden administration has made cyber security a top priority, and is appointing a number of highly experienced cyber experts to key senior cyber leadership posts, many of which were left vacant during the previous administration. Biden is asking Congress to commit $10 billion to US government cyber security, around a 14% increase. A wide-ranging Executive Order has introduced a series of tough new measures to strengthen cyber security in the federal government. The Justice Department has launched a new ransomware task force and signalled its intent to treat ransomware with an approach similar to that used for counter-terrorism.
Meanwhile, G7 leaders at their recent meeting in Cornwall committed to work together urgently to address the escalating ransomware threat. And UK Foreign Secretary Dominic Raab recently said of ransomware that ‘The UK will take the fight to cyber criminals’.
These words appear to be backed up by some action. The FBI have announced their successful seizure of the majority of the ransom paid to the DarkSide group by Colonial, in an operation that accessed the criminals’ bitcoin wallet. There have also been multiple reports of disruption to the infrastructure used by DarkSide for its operations. DarkSide now claims to have closed its ransomware-as-a-service programme, though it is entirely possible this is simply a blind and the group will reconstitute itself. Meanwhile, reports continue of other countries taking co-ordinated law enforcement action against ransomware groups.
Discussions continue around the potential for governments to ban the payment of ransoms. But this remains a challenging issue, potentially punishing victims rather than the perpetrators of the crime. And there is the risk that any dispensation for organisations like hospitals to pay ransoms to restore life-saving services will simply herd criminals towards those very targets.
So even the short period since our webinar has seen significant developments on ransomware, with some major attacks. But it’s possible that we are now seeing serious, concerted action by governments to take the fight to the criminals, possibly with some early positive results. How long lasting an effect this will have remains to be seen, and ransomware is likely to be a big issue for some time to come.