The screen goes blank.
A message appears in crude, Google Translate English, advising that all your files have been encrypted — rendered unusable — and can be restored only if you pay a ransom.
After some back and forth, you pay out in Bitcoin or some other cryptocurrency, most likely to a Russian-based gang. There’s no choice: It’s cheaper and far quicker to pay up than to rebuild a computer system from scratch. To avoid further trouble or embarrassment, many victims don’t even notify the police.
A few years ago, the ransom may have been a few hundred bucks. In early May, Colonial Pipeline shelled out $5 million to the DarkSide ransomware gang to get oil flowing through its pipes again. (Some was recovered by the Justice Department.) In June, the meat processor JBS paid $11 million to the Russian-based REvil (Ransomware Evil) gang. About a month ago REvil came back to score what may be the biggest attack yet, freezing the systems of about a thousand companies after hacking an IT service provider they all used. The ask this time was $70 million.
The criminals behind ransomware have also evolved, expanding from lone sharks to a business in which tasks are farmed out to groups of criminals specializing in hacking, collecting ransom or marshaling armies of bots. Ransomware attacks can cripple critical infrastructure like hospitals and schools and even core functions of major cities. Using methods as simple as spoof emails, hackers can take over entire computer systems and pilfer personal data and passwords and then demand a ransom to restore access.
In about a dozen years, ransomware has emerged as a major cyberproblem of our time, big enough for President Joe Biden to put it at the top of his agenda with Russia’s president, Vladimir Putin, when they met in June and for lawmakers in Congress to be working on several bills that would, among other things, require victims to report attacks to the government.
It is a war that needs to be fought, and won. While the extortion business is run by a relatively small network of criminals seeking windfall profits, their ability to seriously disrupt economies and to breach strategically critical enterprises or agencies also makes them a formidable potential threat to national security. The Colonial Pipeline attack created an almost instant shortage of fuel and spread panic in the southeastern United States.
Big strikes make the big news, but the main prey of the ransomware gangs is the small to medium enterprise or institution that is devastated by the disruption of its computers and the ransom payment. How many have been hit is anybody’s guess — unlike breaches of personal information, the law does not require most ransomware attacks to be reported (though that is another thing Congress may soon change).
The FBI Internet Crime Report for 2020 listed 2,474 attacks in the United States, with losses totaling more than $29.1 million. The reality is probably of a different magnitude. The German data-crunching firm Statista has estimated that there were 304 million attacks worldwide in 2020, a 62% increase over 2019. Most of them, Statista said, were in the professional sector — lawyers, accountants, consultants and the like.
Whatever the true scope, the problem will not be solved with patches, antivirus software or two-factor authentication, though security experts stress that every bit of protection helps. “We’re not going to defend ourselves out of this problem,” said Dmitri Alperovitch, chair of Silverado Policy Accelerator and a leading authority on ransomware. “We have too many vulnerabilities. Companies that are small, libraries, fire departments will never afford the required security technology and talent.”
The battle must be joined elsewhere, and the place to start is Russia. That, according to the experts, is where the majority of attacks originate. Three other countries — China, Iran and North Korea — are also serious players, and the obvious commonality is that all are autocracies whose security apparatuses doubtlessly know full well who the hackers are and could shut them down in a minute. So the presumption is that the criminals are protected, either through bribes — which, given their apparent profits, they can distribute lavishly — or by doing pro bono work for the government or both.
It’s clear that the ransomware gangs take care not to target the powers that shelter them. Security analysts found that REvil code was written so that the malware avoids any computer whose default language is Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian or Syriac.
Finding the criminals is not the problem. The U.S. government has the wherewithal to identify and arrest would-be cyberblackmailers on its own soil and to help allies find them on theirs. In fact, Washington has identified and indicted many Russian cybercriminals — the FBI, for example, has offered a reward of $3 million for information leading to the arrest of one Evgeniy Bogachev, aka “lucky12345,” a master hacker in southern Russia whose malware has led to financial losses of more than $100 million.
The key is to compel Putin to act against them. At his summit with him in June, Biden said he demanded that Russia take down the ransomware gangs it harbors and identified 16 critical sectors of the American economy on which attacks would provoke a response.
Yet two weeks later, REvil made the biggest strike ever, hacking into Kaseya, a firm that supplies management software for the IT industry, and attacking hundreds of its small-business customers. That led Biden to telephone Putin and to say afterward that “we expect them to act.” Asked by a reporter whether he would take down REvil’s servers if Putin did not, Biden simply said, “Yes.” Shortly after that, REvil abruptly disappeared from the dark web.
Tempting as it might be to believe that Biden persuaded the Russians to act or knocked the band’s servers out with American means, it is equally possible that REvil went dark on its own, intending, as happens so often in its shadowy world, to reappear later in other guises.
So long as the hackers focus on commercial blackmail abroad, Putin probably sees no reason to shut them down. They do not harm him or his friends, and they can be used by his spooks when necessary. Unlike the “official” hackers working for military intelligence who have drawn sanctions from Washington and Europe for meddling in elections or mucking around in government systems, Putin can deny any responsibility for what the criminal gangs do. “It’s just nonsense. It’s funny,” he said in June when asked about Russia’s role in ransomware attacks. “It’s absurd to accuse Russia of this.”
The Russians apparently also believe they can parlay their control over the ransomware gangs into negotiating leverage with the West. Sergei Rybakov, the deputy foreign minister…