Gas prices are going up, and ransomware hackers are (partly) to blame. Now, finally, we have your attention.
Ransomware gangs have enjoyed free rein over the Internet for several years now, marauding as they wish, free from fear, terrorizing large and small companies, non-profits, schools, local government agencies, and even hospitals. They hold people and their data hostage, crippling operations by encrypting data, making it useless, demanding ransom for a decryption tool. Even during the pandemic, ransomware gangs targeted health care facilities, often winning five-and six-figure payments from haggard executives there who were too busy trying to cure Covid patients that they didn’t have time to fend off the attack.
Still, there have been only token efforts to stop ransomware gangs. A report published by Third Way suggests only a tiny fraction (they claim 0.05%) of cybercrime perps even face law enforcement. Meanwhile, the role of cryptocurrency in enabling such crime — ransomware gangs only take payment in crypto — has been barely discussed.
“The cybercrime wave is so big it should be setting off alarm bells at every level of law enforcement. And yet, the response from the enforcement community is a drop in the bucket compared to the sheer volume of crimes occurring,” the report, published back in 2018, said.
But now that gas prices have been impacted by a ransomware attack — AAA says they will rise 3 to 7 cents this week on the east coast after last week’s Colonial Pipeline incident — perhaps that provide the impetus to attract attention to the problem.
“Attacks on hospitals didn’t and nor did attacks on schools, local governments and other private and public sector organizations, but disruption to the gas supply and a bump in prices may finally do the trick,” said Brett Callow, Threat Analyst at security firm Emsisoft, which carefully monitors ransomware.
Statements from the White House are hopeful: President Joe Biden said he planned to talk with Vladimir Putin about Russia’s role in harboring criminal computer gangs. And the Department of Justice is creating a task force to deal with the problem. Good.
But it will take a lot more than meetings and task forces to make a difference in the ransomware scourge.
“I predict that we will keep seeing these types of events for the foreseeable future unless action is taken at the national and international level, that in my opinion should start with regulating cryptocurrency. These groups are in it for the money, as long as they keep making money there is no disincentive for them to stop. Regulate cryptocurrency so we know where the money is going and target the money,” said Art Ehuan, vice president at Palo Alto Networks. Ehuan is sometimes called in to negotiate with ransomware hackers. “Next, I hate regulation as much as the next person but there needs to be cyber regulation that needs to be enforced for critical infrastructure at both the national and state level.”
I’ve written about the Bitcoin/cryptocurrency role in ransomware before. The simultaneous rise in both isn’t coincidental. Fixing the ransomware problem is going to require new rules around cryptocurrency and that’s…not going to be easy. But it is necessary. Make no mistake: perhaps we can giggle at the power of a 3 to 7 cent increase in gas prices, but this really is no laughing matter. If you read Kim Zetter’s Substack, Zero Day (and you should) you’d know she’s heard hackers only infiltrated the business systems at Colonial Pipeline. A first blush, that sounds positive: physical devices that control oil flow weren’t compromised. On the other hand, billing software directly influences oil flows, etc. The incident should make clear that hackers who want to impact the US economy don’t have to go so far as to raise or lower a dam. They can attack invoicing software instead.
Third Way’s report suggests that far too much emphasis has been put on blaming the victim solutions (Why didn’t this company have better security?) and not nearly enough on catching bad guys. There is virtually no dis-incentive to attacking institutions with ransomware. The issue is so important, and the attention so sparse, that Third Way made this dramatic clain in 2018:
“We believe that the United States is as far from this human attacker strategy as the nation was toward a strategic approach to countering terrorism in the weeks and months before 9/11,” the report says.
Callow, from Emsisoft, has been ringing the alarm bell even longer..
“The time has come for governments to finally develop a clear and comprehensive strategy to combat the problem,” he told me on Tuesday. “That strategy needs to include policy measures to help public and private sector organizations improve their security posture and to disincentivize ransomware attacks by increasing the enforcement rate and decreasing the amount of money paid into the cybercrime ecosystem.“
Let’s hope higher gas prices jump-start that conversation.
For further reading: Brian Krebs has a great example of the pipeline perp, Dark Side, negotiating with another victim earlier this year.