There’s no denying it: Ransomware is a growing industry.
Ransomware attacks have increased 41% since the beginning of 2021, and 93% year over year since last June per cybersecurity firm Check Point. The list of victims includes not only the Colonial Pipeline, but also prominent local businesses such as a community college in my hometown, Des Moines, Iowa.
In a recent and particularly notable attack, a Russian ransomware group reportedly exploited vulnerabilities in IT management software company Kaseya’s VSA remote management platform and used it to propagate ransomware to their customers. The attack raised questions about what happens when a company’s trusted vendors are compromised. More than 1,000 businesses and more than 1 million computers were affected, The Verge reported.
“This is the new form of modern warfare,” said Gray Taylor, executive director of Conexxus, the member-driven technology organization dedicated to the development and implementation of standards, technologies innovation and advocacy for the c-store and petroleum market. “The takeaway is we as an industry, we as an economy, have a poor understanding of the risk assessment — the nuts and bolts — of data security.”
History of Ransomware
If you grew up on the internet like me in the 1990s and early 2000s, then you’re no stranger to the concept of ransomware. I remember a fear that lax security or a visit to a sketchy website might lead to a locked computer and demands for payment — or at least the threats of such actions.
The AIDS Trojan is generally credited as the first ransomware attack. It was released back in 1989 through floppy disks, and targets were directed to send $189 to a P.O. box in Panama to restore access to their systems. Ransomware has, of course, evolved considerably since then.
The early 2000s witnessed the growth of ransomware with notable examples such as GPCoder and Trojan.Cryzip — the former using weak encryption and being spread by email attachments claiming to be job applications. Even in those days, much of the ransomware was developed in Russia, by Russian organized criminals and aimed at Russian victims in nearby countries.
Everything began to change in the early 2010s with the emergence of cryptocurrencies. This opened the doors for quick, convenient, and in some cases, untraceable methods of payment — all outside the structure of traditional finance.
The real inflection point for growth was the CryptoLocker attack in 2013, according to cybersecurity firm CrowdStrike. It not only used Bitcoin transactions, but also stronger encryption. Even if CryptoLocker was removed, affected files remained encrypted in a way that was considered unfeasible to break.
But while CryptoLocker was a “spray and pray” attack aimed at securing low sums of around $300 from individual victims, the ransomware industry began to shift its attention to larger organizations including small businesses. It just made economic sense. On average, companies can afford to pay more than individuals.
What’s an Organization to Do?
While prescriptive recommendations on how retailers can protect themselves would require more than a few subsequent articles, Matt Beale was quick to offer a few tips. As the cybersecurity partner at W. Capra, he’s no stranger to this topic.
Consider email security. Nearly every email system supports putting headers on messages sent from outside the company, and that can help employees identify if they’re receiving a spoofed message from someone pretending to be a colleague or boss.
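One way a mail gateway could apply the outside-sender marking described above, as an added example that is not part of the original article. The domain, staff names, header names and subject tag are assumptions, and the sample message is constructed.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this sketch: the company's own mail domains and a small
# directory of staff display names (both constructed).
INTERNAL_DOMAINS = {"retailer.example"}
STAFF_NAMES = {"dana reyes", "sam okafor"}
TAG = "[EXTERNAL]"


def tag_inbound(raw):
    """Tag a message that arrived from the internet; return (msg, warning).

    "Outside" is decided by how the message arrived (this function is only
    called on the internet-facing path), never by the forgeable From header.
    """
    msg = message_from_string(raw, policy=policy.default)

    # Drop any copy of our marker headers the sender supplied.
    for header in ("X-Origin", "X-Impersonation-Warning"):
        del msg[header]
    msg["X-Origin"] = "external"

    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()

    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    warning = None
    if domain in INTERNAL_DOMAINS:
        warning = "from-claims-internal-domain"
    elif " ".join(name.lower().split()) in STAFF_NAMES:
        warning = "staff-name-on-outside-address"
    if warning:
        msg["X-Impersonation-Warning"] = warning
    return msg, warning


# Constructed sample: a colleague's name on an outside mailbox.
SAMPLE = (
    'From: "Dana Reyes" <dana.reyes@freemail.example>\n'
    "To: clerk@retailer.example\n"
    "Subject: Need gift cards today\n"
    "X-Origin: internal\n"
    "\n"
    "Are you at your desk?\n"
)
```

The warning value is what a mail client rule or banner would key on; the subject tag alone marks every outside message, including legitimate ones.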
Beale also recommended deploying internal phishing exercises. For example, a company might direct their IT teams to use phishing products and see who falls for them. Those employees can then be targeted for retraining.
However, Beale is quick to caution that sometimes senior leadership may be the ones who need additional training or curtailed access.
“Leaders often think they need more access than the average individual, but they actually need less,” explained Beale. “If you’re a malicious actor targeting a specific password, you’re going for the most senior people in the organization. Sometimes they’re not as protective as the up-and-comers are.”
The Troll Playbook
Nearly 10 years ago, I received a frantic call from a family member.
A firm called Prenda Law had sent an aggressive letter demanding an out-of-court settlement for supposedly downloading copyrighted pornography. This was of course nonsense since they never downloaded anything. I told them it was a scam. Fortunately, the entire debacle resulted in prison for the law firm’s founder, John Steele, in 2017.
But many other victims did send checks. From 2010 to 2013, Prenda Law netted more than $6 million from these tactics.
Meanwhile, industry experts note that malicious actors are now using the fear of ransomware to deploy similar tactics. This only serves to reinforce the importance of making data security a top organizational priority. Even with fake threats, the emotional and financial costs can be just as bad.