But, the extortionists said, "you can restore everything by purchasing a special program from us: universal decryptor." This program, the message said, "will restore all your network."
The price: $1.2 million.
They also had stolen 1 terabyte (the equivalent of 6.5 million document pages) of the company's sensitive data. If the firm did not pay to decrypt it, the data would be "automatically published" online, the hackers said, according to the note, which was shared with The Washington Post by the firm that helped the victim deal with the attack.
On Wednesday, the company paid $850,000, according to Austin Berglas, the former head of the cyber branch in the FBI's New York field office who is now global head of professional services for the cybersecurity firm BlueVoyant.
"In this case," he said, "they had no option." If they didn't pay, he said, "they would go out of business."
The firm's dilemma is faced by thousands of companies, schools, governments and other entities around the world every year. Most incidents go unreported. Anecdotally, according to companies that help victims hit by ransomware attacks, more than half pay some form of ransom, estimated last year to average about $312,000, according to Palo Alto Networks, another cybersecurity company that deals regularly with ransomware attacks. Some experts suspect that amount is low.
The attack that led Colonial Pipeline to shut down its 5,500-mile pipeline, causing fuel shortages throughout the southeastern United States, underscored that the ballooning ransomware wave isn't just about money. Targeting the private businesses that run much of the economy also threatens national security.
President Biden on Thursday announced that the U.S. government had "strong reason to believe" the criminals behind the attack lived in Russia, though he said he did not believe the Russian government had directed the assault. Nonetheless, he warned Moscow about the need to "take decisive action" against them. The Justice Department, he said, would step up prosecutions of ransomware hackers and the government will "pursue a measure to disrupt their ability to operate."
Shortly after Biden's comments, DarkSide, the hacker ring behind the Colonial strike, told its criminal partners that it had lost control of its computer servers and was shutting down.
Some experts and U.S. officials warned this could be an "exit scam," a pretense of leaving the business only to reappear at a later date under a different name. In any case, it is unlikely to end the risk from ransomware attacks.
One thing is certain: DarkSide had a profitable quarter. The ring collected $14 million in ransoms for all of 2020 and raked in $46 million in just the first three months of this year, according to an analysis by Chainalysis.
Colonial told U.S. officials it was not planning to pay ransom, according to three people familiar with the matter, but one person later said the company changed course. The Washington Post previously reported that the company had no plan to pay a ransom. Industry analysts, based on circumstantial evidence in an online ledger that tracks cryptocurrency payments, say they believe Colonial made a $5 million payment. Colonial has declined to say. Both the FBI and Mandiant, the cybersecurity company assisting Colonial, also declined to comment.
Ransomware has been around for the last decade, but it really exploded in the last several years, with the rise of cryptocurrencies such as bitcoin that are difficult to trace and can be transferred electronically without the assistance of banks or other institutions that are regulated by governments.
Two devastating state-sponsored cyberattacks in 2017, WannaCry, which infected thousands of computers running Microsoft Windows, and NotPetya, which struck computers primarily in Ukraine, showed how worms and destructive malware can cripple major companies, experts said.
The pandemic only accentuated the trend as criminals targeted online systems that people relied on to continue to conduct business.
Nearly 2,400 health care facilities, schools and governments in the United States were hit by ransomware last year, according to the Ransomware Task Force, a group of more than 60 experts from industry, government and academia that delivered an 81-page report to the Biden administration last month on how to combat the ransomware scourge. Chainalysis, a firm that tracks cryptocurrency payments, conservatively estimated that victims paid $400 million in ransom during 2020, more than four times the estimate for 2019.
The explosion of attacks also reflected a change in the way hackers handled the business of ransomware. DarkSide was just one of many groups that operated as a sort of service provider for other hackers, or "affiliates," who used its malware to extort targets in exchange for a cut of the profits. In recent years, these groups have expanded their repertoire beyond just encrypting data.
Now they threaten to release the data, a tactic known as "double extortion." And some have moved to "triple extortion," threatening to launch so-called denial-of-service attacks on victims that don't pay, deluging their servers with traffic until they crash, some experts said.
"Ransomware has evolved from an economic nuisance to a national security threat, and to a public health and safety threat," said Michael Daniel, president and CEO of Cyber Threat Alliance, an information-sharing nonprofit.
"If you roll the clock back to 2013, ransomware affected primarily individual computers, and ransoms were a hundred bucks. Now ransomware affects whole companies, school systems, local governments," said Daniel, who was the White House cyber coordinator in the Obama administration. "The average ransom is several hundred thousand, and with high-profile companies, into the millions of dollars."
The dilemma for affected companies and organizations can be acute. Last fall, ransomware launched by Russian criminals hit U.S. hospitals, forcing some to disrupt patient care and cancel noncritical surgeries, and raising the concern that a prolonged disruption could result in deaths.
Also last year, hackers struck a South Carolina cloud software provider, Blackbaud, stealing the data of thousands of users across the United States and Canada. Though Blackbaud paid the ransom, data breach laws required the firm to notify its clients, which included schools and hospitals, in dozens of states. The company was hit with almost two dozen class-action lawsuits.
On Thursday, a criminal group known as Babuk, which is thought to operate out of Russia, posted online a trove of documents hacked from the Washington, D.C., police department, including raw intelligence on threats following the Jan. 6 attack on the U.S. Capitol. The data dump apparently came after negotiations with District officials over a fee to prevent the release broke down, according to posts by Babuk.
With such high stakes, it is no surprise that victims feel they have no option but to negotiate with their attackers.The vast majority of victims do not have cyber insurance and try to handle the situation on their own, experts said.
A mini-industry also has arisen in companies that help victims of ransomware attacks. Firms such as Coveware, Kivu and Arete specialize in negotiating with ransomware criminals. Often these specialists are called in by the insurer, said Michael Phillips, chief claims officer of the insurer Resilience, who noted that policies that cover ransomware became commonly available only about five or six years ago.
Most insurers require that the bargaining with ransomware extortionists be conducted by experienced negotiators, said Phillips, who co-chaired the Ransomware Task Force.
They have strategies for bringing ransom prices down. They know how to obtain proof, for instance, of stolen files and of a functioning decryption key, which might involve a limited exchange of encrypted files, he said.
"As perverse as it is, the ransomware market is based on trust," he said. "That is a routine part of ransomware negotiations."
The negotiations typically happen through email or an encrypted chat room on the "dark web," a portion of the Internet where sites are not accessible through search engines and typically require the use of an anonymizing browser, like Tor. The chat rooms often include the group's logo or the hacker's avatar, Phillips said.
In the case of the firm that paid the ransom last week, BlueVoyant negotiated a lower amount, Berglas said.
"You obviously don't want to piss them off and have them say, 'we're raising it another million dollars,'" he said. "But you want to try to get them to lower the price as much as possible."
Some companies choose to do the bargaining on their own. "The craziest thing we saw was a company where the CEO started having communications with the ransomware actor, got frustrated and threatened the actor, who promptly disappeared and refused to negotiate any more," Berglas recalled. "And the organization wound up having to pay the initial ask without any negotiation."
With data extortion becoming more prevalent, some criminal groups are setting up "call centers" and dialing up CEOs to urge them to pay up or see their data, or their clients' data, spilled online, said John Bennett, a managing director in the cyber risk practice of Kroll, a risk management firm.
"They're getting the company's client list, going to the client and saying, 'I now have your data. You might want to call XYZ company and tell them to pay up,'" said Bennett, who led the FBI's San Francisco and Los Angeles field offices and retired from the bureau in November.
Some companies are able to avoid paying, but that generally involves advance preparation. Grant Schneider, senior director for cybersecurity services at Venable, a law firm, recalled one client in the Mid-Atlantic that was able to avoid paying a ransom demand of $250,000 because the company had stored backups of its data in the cloud. "The calculus on whether or not to pay was more one of, 'How long is it going to take us to get back up and operational?'" he said. "Thinking they would be able to get back up sooner rather than later, they chose not to pay."
They never shut down and were back to normal operations within two weeks, he said.
But most firms aren't in that position. The task force report said that companies hit by a ransomware attack took on average 287 days to fully recover.
The surge in ransomware has rocked the insurance industry.
Carriers are finding increasingly that premiums don't cover the cost of ransomware attacks, said Joshua Motta, CEO and co-founder of Coalition, a cyber insurance firm. "Everyone was making money and doing well in the cyber insurance market until ransomware became the dominant criminal business model," he said.
Premium costs have risen by up to 50 percent since the beginning of the year, said Adam Lantrip, leader of the cyber practice at insurance broker CAC Specialty, and ransomware claims just keep pouring in.
The trend is so vexing that France's largest general insurer, AXA France, announced this month that it will no longer cover ransomware payments for customers within the country, though a French resident could purchase a global policy that would cover such payments.
The U.S. government has long held the position that victims should not pay ransoms so as not to encourage and finance criminals. The FBI routinely advises against paying ransoms, a position political leaders also have endorsed. "We don't want people to think there's money in it to threaten the security of a critical infrastructure in our country," House Speaker Nancy Pelosi told reporters at her weekly news conference on Thursday.
But, officials note, the decision is ultimately the victim's to make. "Are you going to tell a hospital you can't pay, and patients die?" Kroll's Bennett said.
Complicating the decision to pay are federal laws that bar transactions with people or groups that have been sanctioned by the Treasury Department. In guidance issued in October, the department warned that victims making ransom payments to a sanctioned person or group could be fined. "Ransomware payments made to sanctioned persons ... could be used to fund activities adverse to the national security and foreign policy objectives of the United States," the guidance said.
Currently, only a handful of ransomware groups are on the sanctions list, and experts say Treasury has not been known to impose a penalty on anyone for paying a sanctioned entity.
Figuring out if a hacker who's extorted you is related to a group that's been sanctioned is not easy, experts said. Hackers use pseudonyms, proxy Internet addresses and generally live in the shadows. Affiliates of operations like DarkSide may have links to a sanctioned group.
That puts companies in a difficult spot.
"Ransomware attackers are by definition liars, thieves, extortionists and members of a global criminal enterprise, and they take extreme technological measures to conceal any trace of their identity and location," said John Reed Stark, a cybersecurity consultant and a former chief of the Securities and Exchange Commission Office of Internet Enforcement. "Determining the bona fides of a ransomware attacker is like trying to confirm the height and weight of a poltergeist. Yet that is exactly what the government expects the company to do."
The guidance also leaves unclear whether ransom negotiators or insurance companies that make payments might also be held liable. Berglas said last year a client wanted to pay a ransom to unlock its data, but the attacker, the Russia-based Evil Corp, was on the sanctions list, so BlueVoyant refused. The client went to another firm, which paid it, he said.
Treasury's guidance indicates that reporting an attack to law enforcement will be considered a "significant mitigating factor" in determining whether to fine someone for violating the rule.
The international nature of ransomware crime is also an impediment to bringing it under control.The Justice Department and FBI are working with allies and partners overseas to investigate criminal rings, disrupt their operations and online infrastructure, and prosecute hackers, officials said.
In January, the department joined Canada, France, Germany, the Netherlands and Britain in dismantling the botnet known as Emotet, which had infected hundreds of thousands of computers in the United States and caused millions of dollars in damage worldwide.The botnet, an army of hijacked computers, could also be used to spread ransomware.
But many of the actors are in countries outside the reach of U.S. and allied authorities. DarkSide, for example, is believed to be based in Russia and many of its communications are in Russian.
"They've become the 21st century equivalent of countries that sheltered pirates," said Daniel, the Obama White House cyber coordinator.
âWe have to impose diplomatic and economic consequences so they donât see it as in their interest to harbor those criminals.â
Companies and organizations need to be encouraged to strengthen their defenses, experts say. Many are failing to deploy even basic best practices, such as requiring multifactor authentication for employees logging onto systems, patching vulnerabilities promptly, segmenting networks, keeping backups offline and testing them periodically to ensure they work.
One way companies and law enforcement can team up to thwart extortionists is by quickly identifying midpoint servers used by the hackers to "stage" or store data after it's siphoned from a company but before it's sent to the hackers' server. That happened in the case of Colonial Pipeline, when a cloud provider in New York shut down a server containing data stolen from the firm. The provider had been notified by Mandiant, the company helping Colonial investigate the attack.
The move prevented the hackers from collecting the data, which could have been used as part of the extortion effort.
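Spotting that kind of staging server early depends on noticing the outbound transfer while it is happening. As an added illustration, not code from the article or from Mandiant, Colonial or any other firm named here, the following Python script flags candidate staging destinations in outbound flow records: external hosts that are absent from an organization's baseline and that received an unusually large volume from a single internal host. The flow-record format, the sample records, the baseline set, the RFC 1918 definition of "internal" and the 1 GB threshold are all constructed for the example.

```python
"""Flag likely data-staging destinations in outbound flow records.

Added example; not code from the article or from any vendor it names.
Assumed (constructed) record format, one per line:
    <timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (not real traffic). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for external hosts.
SAMPLE_FLOWS = """\
2021-05-07T01:02:11Z 10.20.4.15 10.20.1.5 445 183000
2021-05-07T01:05:40Z 10.20.4.15 198.51.100.23 443 1900000000
2021-05-07T01:09:02Z 10.20.4.15 198.51.100.23 443 2400000000
2021-05-07T01:11:13Z 10.20.7.8 203.0.113.9 443 52000
2021-05-07T01:15:55Z 10.20.4.15 10.20.1.9 3389 900
2021-05-07T01:20:31Z 10.20.9.3 198.51.100.23 443 1100000000
"""

# Constructed baseline: external destinations this network talks to routinely.
KNOWN_EXTERNAL = {"203.0.113.9"}

# Illustrative threshold: 1 GB from one internal host to one unknown external host.
BYTES_THRESHOLD = 1_000_000_000

# "Internal" here means RFC 1918 space; Python's is_private is deliberately
# avoided because it also treats the documentation ranges above as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def find_staging_candidates(records, known_external=KNOWN_EXTERNAL,
                            threshold=BYTES_THRESHOLD):
    """Return {dst: {src: total_bytes}} for external destinations that are not
    in the baseline and received at least `threshold` bytes from some internal
    host. Internal-to-internal flows (e.g. SMB staging on a file server) are
    ignored here; they are a separate, host-level signal."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for r in records:
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        if r["dst"] in known_external:
            continue
        per_dst[r["dst"]][r["src"]] += r["bytes"]
    return {dst: dict(srcs) for dst, srcs in per_dst.items()
            if any(total >= threshold for total in srcs.values())}


def main():
    hits = find_staging_candidates(parse_flows(SAMPLE_FLOWS))
    for dst, srcs in sorted(hits.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"candidate staging host {dst}: "
              f"{sum(srcs.values()) / 1e9:.1f} GB from {len(srcs)} internal host(s)")
        for src, total in sorted(srcs.items(), key=lambda kv: -kv[1]):
            print(f"    {src}: {total:,} bytes")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the script reports 198.51.100.23 receiving about 5.4 GB from two internal hosts, while the baseline host 203.0.113.9 and the internal SMB and RDP flows are ignored. In a real deployment the baseline would be built from weeks of NetFlow or proxy data rather than a hard-coded set, and the threshold tuned per host role; a hit like this, with the destination's owner identified, is what an investigator hands to the hosting provider, as happened with the New York cloud server in Colonial's case.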
Regulating cryptocurrency is another step experts recommend, especially by enforcing requirements that exchange houses that facilitate cryptocurrency transactions abide by anti-money laundering laws. Even if an exchange is overseas, if it has "substantive" business with a U.S. person, Treasury can regulate it, experts say.
âThese operators are required to know their customers, and if Treasury enforced the law, it would arm the Justice Department with the tools they need to identify and prosecute these criminals,â said Phillips.
"A ransomware attacker is not going to use PayPal," said Allan Liska, senior intelligence analyst at the cyber firm Recorded Future, and a task force member.
The task force also urged Congress to mandate that ransomware victims report attacks to the federal government and, if a payment is made, reveal all of the financial details, including the address of the electronic wallet to which a payment was made. "The ransomware data gap is real and it is an extraordinary obstacle to national and international disruption of these cyber criminals," Phillips said.
Berglas said it's unlikely that the problem can be solved by simply hoping businesses won't make payments.
BlueVoyant's client, he noted, was down all week, its corporate networks frozen by ransomware.
By the weekend, with the payment made, the firm was gradually restoring services.
"In the grand scheme of things," said Berglas, "being down for a few days is better than shutting your doors and going out of business."