IN OCTOBER CYBER-CRIMINALS hacked into the British Library, a storied institution in the heart of London, encrypted its data and demanded money in exchange for the key. Months later the library and its catalogue of 14m books remain offline, with no end in sight. Similar ransomware attacks—in which criminals encrypt or steal data and demand a ransom to decrypt or refrain from leaking it—are not only undermining business and sapping prosperity across North America and Europe. Financially motivated attacks on infrastructure, such as schools, hospitals and power utilities, also pose a large and growing threat to national security. Western countries now face what a British parliamentary committee described on December 13th as “a high risk [of] a catastrophic ransomware attack at any moment”.
The scale of the problem is not easy to measure. Companies that are hacked or pay a ransom are reluctant to own up to it. Rising numbers can reflect better detection rather than more attacks. But what is clear is that, after a lull in 2022, caused in part by a split between Russian and Ukrainian hackers, ransomware attacks are back at their peak. Officials expect that 2023 will turn out to be the worst year on record.
The number of victims is troubling (see chart). In the four months to October the number listed on “leak sites”, where attackers name victims who refuse to pay, was the highest ever recorded, according to Secureworks, a cyber-security firm. Sophos, another such firm, estimates that on average individual ransom payments doubled from around $800,000 in 2022 to more than $1.5m in the first three months of 2023. And Chainalysis, a data company, estimates that ransom payments between January and June 2023 added up to $449m, compared with about $559m for the entirety of 2022. These numbers might reflect just the tip of the problem.
The growing threat from ransomware is occurring amid a shift in the nature of the business. An activity once dominated by a few large criminal groups is giving way to a mosaic of smaller attackers, many of them based in Russia or other ex-Soviet states, who can buy the necessary hacking tools. Western countries are striking back with sanctions and cyber-attacks of their own. Yet this does not seem to have stopped the wave of ransom payments, which is enriching criminal groups—and so potentially exacerbating the problem for years to come.
Ransomware has been mainly a Western problem but it is spreading globally. America, Australia, Britain, Canada and Germany are the most affected countries, but Brazil and India are not far behind them. Victims span the public and private sectors—in recent weeks attacks have hit an Italian cloud-service provider that hosts government data, Germany’s energy agency and a Chinese bank in New York, among others. An attack on Christmas Eve disrupted emergency care at a German hospital network, and attacks on the education sector are rising. This adds up to a slow-burning but serious national-security crisis. “It is the one serious organised crime that could bring the country to a standstill,” warned Graeme Biggar, the director of Britain’s National Crime Agency (NCA), recently.
That risk is relatively new. Ransomware, says Will Lyne, the NCA’s head of cyber-intelligence, was once a “niche cyber-crime problem” which attracted little attention in government. That began changing five to ten years ago with the rise of cryptocurrency, like Bitcoin. The hardest part of a ransomware attack was once cashing out and laundering the ransom. Attackers would have to buy high-end goods using stolen banking credentials and sell them on the black market in Russia, losing perhaps 60-70% of the profit along the way. Cryptocurrency has enabled them to cash out immediately with little risk.
But the bigger shift has been the growth of ransomware-as-a-service, or RaaS. Large organised criminal groups, like the delightfully named Evil Corp in Russia, once developed their own tools and infrastructure, such as malware and servers, as a vertically integrated corporation might do. Some continue to do this. A few of these big beasts are still active: LockBit, the leading group, probably based in Russia, was involved in more than a quarter of ransomware and related extortion attacks between January 2022 and September 2023, according to ZeroFox, a cyber-security company.
What has changed is that smaller criminal “affiliates” can now buy advanced services from specialised providers: everything from malware to professional copywriting for the phishing emails that help hackers get a foothold in a business. That trade is lubricated by online marketplaces that did not exist five years ago. One such, Genesis Market, which was shut down in April, illicitly offered for sale 80m credentials, stolen from 2m people. The cost of buying a credential, such as an employee’s log-in details for a company network, was typically less than $100, with some going for as little as a dollar. It has become easier and cheaper than ever before to mount a ransomware attack.
One consequence of this increasing division of labour is a shift towards smaller groups. Many new ones consist of just four to five people. Another is that the threat keeps changing. “When we first started looking into the ransomware problem, we were tracking maybe a dozen different ransomware variants at a time,” says Mr Lyne, referring to the different types of malicious code used in attacks. The figure is now closer to 100, he says.
Moreover the median “dwell time”—the time between an attacker getting access to a network and executing their ransomware—has fallen from 5.5 days in 2021, to 4.5 days in 2022 and to just under 24 hours in 2023, according to Secureworks. In a tenth of cases ransomware was deployed within five hours of the initial intrusion. Most attacks are not sophisticated—“I have not seen an interesting ransomware attack in many years,” says one official—but they are swift. That gives defenders less time to spot attacks in progress.
At the same time, ransomware’s business model is also changing. In the past hackers demanded a ransom in exchange for decrypting a victim’s data. But scrambling data is usually the most technically demanding part of an attack, and the part most liable to alert a victim. Now attackers almost always exfiltrate the data and threaten to publish it online; in a growing minority of attacks they do not even bother encrypting it. Some cases also involve “triple extortion”, with criminals identifying for extortion prominent individuals within a company, such as a CEO.
Search for vulnerabilities
Stopping all this is fiendishly hard. Most attacks are not aimed at a specific business. Attackers, much like car thieves testing for unlocked doors, tend to spray phishing emails at a wide range of organisations in a particular sector or hunt for cyber vulnerabilities in enterprise products, like the VPN networks, which allow employees remote access to their workplace. Basic cyber-hygiene, including backing up data, changing passwords and patching software, would fix much of the problem. Human nature being what it is, though, defences will always have holes.
The normal response of law enforcement—investigate, arrest and prosecute—rarely works. Although some attackers are based in jurisdictions, like Romania and Ukraine, where co-operation or extradition are feasible, most are in places like China, Iran, North Korea and Russia, beyond the reach of Western courts. There is, says Mr Biggar, a “spectrum of state complicity”, with some Russia-based groups closely tied to the country’s intelligence services and others there merely tolerated.
The relationship is probably symbiotic. Russian state hackers, whose priority is to steal foreign secrets, can use malware that looks like ransomware to disguise their espionage as criminal activity. They can also draw on ransomware talent directly. Maksim Yakubets, a member of Evil Corp, worked for the FSB, Russia’s domestic security service, and was “tasked to work on projects for the Russian state”, according to an American indictment.
And ransomware can be deployed, or at least encouraged, in line with foreign-policy aims. A recent paper by Karen Nershi and Shelby Grossman of Stanford University, analysing more than 4,000 victims between 2019 and 2022, found that several Russia-based groups tended to increase attacks in the weeks before elections in major democracies. Moreover, companies that had pulled out of Russia in the aftermath of its invasion of Ukraine were more likely to be targeted.
The flipside is that these murky connections between the Russian state and cyber-criminals provide an opening for diplomacy. In June 2021, shortly after a Russia-based group attacked Colonial Pipeline, an American firm that transports 45% of the petrol and diesel used on the east coast, Joe Biden, America’s president, warned Vladimir Putin, his Russian counterpart, against attacks on critical infrastructure. Russia later arrested hackers associated with the REvil group, including one linked to the pipeline attack. But countless others were left untouched and continue to operate unhindered.
Increasingly, Western governments are resorting to attacking the hackers directly. The first public attack came in 2021, when the Pentagon’s Cyber Command hacked REvil’s servers and blocked its website, causing the group to panic and shut down. This year alone America and its allies have hacked Hive, which had extorted more than $100m from victims, Qakbot, prolific malware used to steal credentials, and, on December 19th, the Blackcat ransomware group, which had hacked more than 1,000 organisations, collecting $300m out of some $500m in ransom demands. Meanwhile, covert activities against ransomware groups aim to sow distrust among their members, as occurred in 2022 at Conti, the most profitable ransomware outfit of recent times. Its Russian and Ukrainian members began feuding, hastening its decline.
Rachel Noble, director-general of the Australian Signals Directorate, which has responsibility for offensive cyber-action, told the country’s Senate in October that her agency conducted formal “battle-damage assessment[s]” to judge whether operations had had a real effect by degrading a criminal syndicate or hurting its reputation. There had been 30 to 50 individual activities against cyber-criminals in the previous year, she said. The conclusion was that these had been “very effective”. Other Western officials concur, though they say that the evidence for this is classified.
There are some indications that Western operations have also had a wider deterrent effect. Since the Colonial Pipeline episode in 2021, ransomware groups have tended to avoid high-profile targets liable to put them in the crosshairs of Western intelligence agencies. One consequence of that, according to Joseph Jarnecki and Jamie MacColl, both of the Royal United Services Institute, a think-tank in London, has been a growing number of attacks on softer targets in low- and middle-income countries, which have poorer defences and are less likely to strike back.
Despite this displacement effect, offensive operations are not a silver bullet. Big take-downs like those against Hive and Qakbot are rare, says an official familiar with the issue, because the process is “long, painstaking and incredibly resource-intensive”, with many dead ends along the way. Moreover, the effects can be dramatic but short-lived, akin to the consequences of killing the leaders of terrorist groups.
Striking back through the courts
A second prong of the fightback has involved legal measures. America and Britain have imposed sanctions on dozens of cyber-criminals, most recently in September against 11 members of Trickbot, a cyber-crime group, and Conti. Sanctions work in part by targeting ransomware bigwigs and preventing them from travelling or spending their money abroad. But they also exploit a unique aspect of the criminals’ business model.
The paradox of ransomware, says Max Smeets of the Centre for Security Studies at ETH Zurich, a university, is that it works only if victims trust their attackers, a dynamic that distinguishes ransomware from cyber-espionage or even other sorts of cybercrime, like straight-up fraud. Victims must have confidence that their extortionists will decrypt data or refrain from publishing it if a ransom is paid. So attackers need a reputation for honesty and competence. They aim to build brands that embody those virtues. Although state hackers generally want to pass unnoticed, ransomware attackers want publicity. LockBit, for instance, has offered $1,000 to people who tattoo the group’s logo onto their body.
This gives rise to curious dynamics. Some attackers create multiple brands, says Mr Smeets, in order to extort money from previous victims under a new logo without sullying the reputation of the original—not unlike big car companies releasing cheap models under a lower-end marque. And much as high-end designer handbags drive an industry of knock-offs, so too have smaller groups sought to piggyback on the reputation of bigger firms. When Conti imploded last year a new group, Monti, promptly repurposed its code and sought to trade off its name.
Sanctions—travel bans, asset freezes and other financial restrictions—have the potential to disrupt this model because they make it illegal for victims to pay ransoms to blacklisted groups. The result is that such groups might have to abandon a brand they have spent years building up. Allan Liska of Recorded Future, a cyber-security company, notes that after Evil Corp was subjected to American sanctions in 2019 it began obscuring its hand in attacks by using other groups’ ransomware variants. The long-term effect of sanctions could be to make it harder for attackers to build the brands and trust that their business model relies on.
Many would like to ban ransom payments altogether. “We have normalised ransom payments, big and small,” laments Ciaran Martin, a former chief of Britain’s National Cyber Security Centre (NCSC). In June 2021 JBS, a meat processor, paid $11m to REvil simply to prevent the exfiltration of its data, even though its business was largely unaffected. “If what happened at JBS happens at scale, continuously,” says Mr Martin, “then we’re stuffed.” Governments have shied away from a ban for two reasons. One is the fear that firms would stop reporting attacks and pay in secret. The other is that ransom payment is often a last resort to keep a business or vital service afloat.
For Mr Martin the more pressing task is to break the narrative that paying a ransom is the only way out. Decryption keys, he points out, often work imperfectly (and in 5% of cases not at all). Some research shows that 80% of organisations that pay up get hit again and that 29% of victims of data extortion end up with data leaked anyway. He urges more focus on cases where victims refuse to pay, as in the attack on the Irish health-care system in May 2021, where attackers eventually gave up and handed over the decryption key without payment, perhaps chastened by the political fallout of what they had done.
It is also important to keep data leaks in perspective. When attackers stole data from Australia’s Medibank health insurer in November 2022 and demanded a $10m ransom to not release it, the firm refused to pay. Its decision was helped by two things. One was that Australian spooks made assiduous efforts to remove leaked data from the dark web and track who was buying it. The other was the Australian media’s decision to avoid publishing any of it, diminishing the impact of the leak. Australia’s experience “was a masterclass in how to neutralise the value of a dataset”, concludes Mr Martin.
A growing number of firms also avail themselves of insurance against ransomware attacks. The global cyber-insurance market was worth $12bn in 2022 and is expected to grow to $23bn by 2025. In theory, the usual problems of moral hazard apply: if an attacker knows that a firm has insurance that covers ransom payments—or worse still, has stolen details of the policy—he is likely to drive up his demand. In practice, however, insurance can have a beneficial effect. Insurers are incentivised to encourage policyholders to improve their cyber-security standards. They also cover alternatives to ransom payment, such as data recovery, that can be less costly. Perhaps most important, they provide access to specialist cyber-security advice, which eases the pressure on victims, buys them time and helps them negotiate more effectively. That can drive down payments
.At present, the fight against ransomware is impeded by uncertainty. The true extent of the threat is poorly understood, argues Megan Stifel of the Ransomware Task Force, a coalition of experts. Better data is a priority. British firms are obliged to report data breaches, but the law is full of loopholes—if data is encrypted but not stolen, for instance, lawyers can argue that no data has been compromised. A new American law, CIRCIA, will soon require firms to report major cyber incidents and ransomware payments to the country’s cyber-security agency within 72 hours, but it applies only to critical-infrastructure organisations, such as firms in the energy, food and transportation sectors.
In general, the cumulative impact of sanctions, take-downs and other activity has been quite limited. Technology is giving a fresh boost to attackers. Generative artificial-intelligence (AI) tools like ChatGPT are helping improve everything from the quality of English in phishing emails to the potency of malware, says Mr Lyne. He points out that the online forums used by cyber-criminals already have dedicated AI sections. Ransomware syndicates remain “well-resourced, adaptable and [are] growing bolder”, says Mr MacColl, despite all the disruptive efforts of the past three years. “I’m fairly confident in saying they’re still doing as much harm to UK national security as anything Russia, China, Iran or North Korea does in cyberspace.” ■