Grocery stores with cash locked in the registers. Rail travel disrupted. Dentists' offices forced to close. Barely a month after the cyberattack that shut down one of the world's largest meat packers, hackers are once again making headlines. This time, the group is demanding a ransom of $70 million (€59 million) in bitcoin to return control of IT infrastructure systems to all affected businesses. More than 1,000 companies in at least 17 countries are affected, and the number is expected to rise.
Fingers have already been pointed at the Russian-linked cybercrime gang REvil, the group behind the May attack on JBS meat processing. The latest hack comes just weeks after US President Joe Biden discussed cybersecurity with Russian President Vladimir Putin at an in-person meeting, telling Putin that critical infrastructure should be "off limits."
The UN Security Council also held its first-ever meeting on cybersecurity this week, highlighting the growing threat that hackers are believed to pose to global stability.
What happened this time?
The hackers targeted US firm Kaseya, which provides remote software services to about 37,000 clients. Kaseya CEO Fred Voccola said the company believed that fewer than 40 of its customers had been affected. However, at least 20 of those were managed-service providers (MSPs). Companies hire MSPs to remotely manage their IT infrastructure. Attacks against MSPs are tricky because affected MSPs end up inadvertently passing the ransomware on to their clients, who can pass it on to their clients, in what is known as a "supply chain attack."
"It's particularly insidious for all the customers because it spreads through a supposedly trusted channel," Miriam Föller-Nord, dean of the Department of Computer Sciences at Mannheim University of Applied Sciences, told DW.
What is ransomware?
In a ransomware attack, hackers encrypt a user's or organization's data so the owner can't access files, data or applications. Hackers then demand payment to restore access. They may also threaten to destroy the data or to release sensitive data to the public.
The share of organizations that are paying ransoms to recover compromised data is going up. According to a 2021 survey of international companies by market research firm CyberEdge, 72% of companies targeted by ransomware attacks have paid up. That's up from 49% in 2018. Ransomware victims paid over $406 million worth of cryptocurrency to hackers in 2020, according to Chainalysis, a company that tracks cryptocurrency payments.
How much do people pay?
Chainalysis also found that the average known ransomware payment more than quadrupled, from $12,000 to $54,000, between the last quarter of 2019 and the first quarter of 2021. This shows that ransomware attacks are much more commonplace than one might assume looking at the daily news coverage, which tends to focus on large-scale, multimillion-dollar attacks.
This increase in the amount of ransom being demanded can be partly attributed to the proliferation of third-party ransomware service providers, Chainalysis says. This wide array of criminal services, which includes selling access to networks that have already been compromised and special call centers dedicated to contacting ransomware victims, helps hackers target larger organizations.
"I would definitely give companies the advice not to pay a ransom," said Föller-Nord. "Because that only makes matters worse, and it motivates the criminals even more."
Can companies protect themselves?
There are basic steps all companies should follow to prevent cyberattacks. These include hiring employees or a service provider dedicated to IT security, making employees aware of signs of a potential attack, and taking advantage of tools like antivirus and anti-ransomware software.
"But, in this case, whether that would have really helped anything is uncertain. ... It would have been really very difficult to protect against this," said Föller-Nord, speaking about the recent attack.
For now, the best thing a company can do is run regular backups of its data and save them on a separate hard drive or server.
"The more frequently the backups are performed, the more up-to-date the data that can be restored," said Föller-Nord. "That is actually the only real and good measure you have against these ransomware attacks."