Who are the ransomware gangs wreaking havoc on the world’s biggest companies? | Renee Dudley

In the past year, some of the UK’s most recognised institutions, from the Guardian to Royal Mail, have been hit with the defining cyber crime of our time: ransomware. Hackers locking up computer networks and demanding payment for the keys to restore them have snarled operations and left victims scrambling to recover.

Nearly every sector of society, including healthcare, business, government and education, has now been targeted by ransomware gangs making demands that stretch into the tens of millions. Ironically, just a few months before the release of my own book on ransomware, my publisher was hit with a bruising attack, leaving my co-author and I unable to reach our editors via phone or email.

In the UK over the past few weeks alone, separate attacks have reportedly compromised NHS employee records and confidential emails, as well as data on more than 1 million patients. In the US, a baby’s death was attributed to a 2019 ransomware attack on an Alabama hospital that knocked out monitors displaying foetal heart-rate tracing information at a nurses’ station.

So how has this criminal enterprise taken hold with such force? Just a decade ago, ransomware was a relatively unknown crime that mainly affected home computer users. Hackers would demand a few hundred pounds of cryptocurrency for the return of locked family photos and other personal files. They operated mainly alone or in small groups connected online, spreading ransomware through spam email distributed indiscriminately to large numbers of prospective victims — only a small fraction of whom would actually open the malicious links or attachments.

Although profits gained from this early “spray and pray” model were modest, ransomware was nonetheless appealing to hackers, who were attracted in part by the straightforward nature of the crime. Traditional data breaches were labour-intensive affairs that required them to find buyers for records such as credit card numbers in order to cash in. Ransomware made the hack itself profitable.

Criminals seeking the path of least resistance rushed to get in on the extortion economy, and as ransomware matured as a business, gangs began to organise in ways that mirrored legitimate corporations. Many seemed to find safe haven in places such as Russia, North Korea and Iran, but large parts of eastern Europe also became hotbeds for cyber gang operations, and hackers now operate all over the world.

The most ambitious ones, such as Ryuk and REvil, hired workers with the expertise to get their ransomware inside large organisations that had much deeper pockets than home users — a strategy known as “big game hunting”. In job ads on the dark web, prospective “employers” outlined qualifications they were looking for, such as proficiency in Cobalt Strike, a legitimate tool, co-opted by hackers, that is used to identify system vulnerabilities. The ads asked applicants to submit examples of their prior attacks, with promising candidates invited for online interview.

Just as a legitimate manufacturer might hire other companies to handle logistics or web design, ransomware gangs began to outsource tasks beyond their purview. They engaged specialists through the dark web to steal credentials and find vulnerabilities in target networks. They hired others to ensure their ransomware could not be detected by standard anti-malware scanners. Some groups even shared a call centre in India, with representatives contacting employees or clients of victim organisations that hadn’t paid up. The outsourcing allowed the gangs to focus on improving the quality of their ransomware; and their success — as well as victims’ devastation — accelerated.

Then in late 2019, a prolific gang known as Maze pioneered a strategy that made ransomware more painful than ever for victims. In an intrusion on a security staffing company, Maze downloaded mountains of its victim’s most sensitive files before detonating ransomware to lock the company out of them. The group told the company it would leak the data if it failed to pay the ransom demand of 300 bitcoin (about £1.8m at the time). The company didn’t pay, and Maze leaked the files.

But victims of Maze’s “double extortion” tactics often felt pressured to pay. Even if they had reliable backups of their files, the risk of huge quantities of sensitive data being leaked was too great. The scheme caught on, with dozens of gangs following Maze’s lead and even creating “leak sites” on the dark web where other cyber criminals or even members of the public could view victims’ names and stolen data, either for free or for a price.

It laid the groundwork for yet another type of cyber ransom tactic, which was levelled against British Airways, Boots and the BBC in early June. This time, hackers stole records including names, addresses, national insurance numbers and banking details, but instead of locking victims’ networks, the criminals skipped directly to ransom demands. In recent weeks, additional UK victims, such as Transport for London and Shell, have been identified. The global attack also compromised data from US government agencies including the Department of Energy, among many other victims. In this latest twist, victims again no longer have the failsafe option of protecting themselves against digital extortionists by maintaining robust backups.

But despite advances in criminal tactics, groundbreaking work to weaken cyber gangs is happening. The Netherlands has long been a popular spot for hackers to set up the servers they use to commit crimes because of its fast and reliable internet. The Dutch national police responded by launching its high tech crime unit in 2007. Beyond arrests, the unit has prioritised anything that reduces hackers’ returns on investment, seizing criminals’ servers, disrupting ransomware-spreading botnets and notifying victims of impending attacks.

With the prospect of hostile foreign governments using ransomware as a cover for intelligence-gathering operations, hackers’ focus on data theft is more alarming than ever, and law enforcement efforts to stop it more important. As George Orwell once observed: “The history of civilisation is largely the history of weapons.” Today, digital weapons are reshaping the world, and ransomware poses what may be the greatest threat of all. Hackers are only starting to exploit its potential for money and mayhem.

  • Renee Dudley is a technology reporter at ProPublica and co-author of The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World From Cybercrime

Read More

Renee Dudley