Ransomware Continues Despite Slowdown of High-Profile Attacks

Source: AP | Published on December 21, 2021

Ransomware attack on UnitedHealth

There hasn’t been a massive attack like the one last May that resulted in gasoline shortages in the months since President Joe Biden warned Russia’s Vladimir Putin that he needed to crack down on ransomware gangs in his country. But it’s a small consolation for Ken Trzaska.

Trzaska is the president of Lewis & Clark Community College in Illinois, which canceled classes for several days last month after a ransomware attack knocked critical computer systems offline.

“I think all of us were probably up for 20-plus hours that first day, just moving through the process, trying to get our arms around what happened,” Trzaska said.

Even if the United States isn’t currently experiencing large-scale, front-page ransomware attacks on the scale of those that targeted the global meat supply earlier this year or prevented millions of Americans from filling their gas tanks, the problem hasn’t gone away. In fact, the assault on

Trzaska’s college was one of a slew of low-profile incidents that wreaked havoc on the businesses, governments, schools, and hospitals that were targeted.

The ordeal at the college reflects the challenges the Biden administration faces in eliminating the threat — and its uneven progress in doing so since ransomware became a critical national security issue last spring.

Officials in the United States have recovered some ransom payments, cracked down on cryptocurrency abuse, and made some arrests. Spy agencies have launched attacks against ransomware groups, and the United States has pushed federal, state, and local governments, as well as private industries, to strengthen security.

Yet, six months after Biden’s warnings to Putin, it’s difficult to tell whether hackers have backed down as a result of US pressure. Smaller-scale attacks continue, with ransomware criminals seemingly operating with impunity from Russia. Officials from the Obama administration have given conflicting assessments of whether Russia’s behavior has changed since last summer. To make matters worse, ransomware is no longer at the top of the US-Russia agenda, with Washington instead focused on discouraging Putin from invading Ukraine.

The White House stated in a statement that it is committed to “fighting all ransomware” with its various tools, but that the government’s response is dependent on the severity of the attack.

“Some are law enforcement matters, while others are high-impact, disruptive ransomware activity posing a direct national security threat that necessitates other measures,” the White House said in a statement.

After a May attack on the Colonial Pipeline, which supplies nearly half of the fuel consumed on the East Coast, the administration declared a national security emergency in response to ransomware attacks, in which hackers encrypt victims’ data and demand exorbitant sums to return it.

The attack forced the company to halt operations, resulting in gas shortages for several days, though it resumed service after paying a ransom of more than $4 million. Soon after, JBS, a meat processor, was attacked and paid a $11 million ransom.

In June, Biden met with Putin in Geneva, where he suggested that critical infrastructure sectors be “off limits” to ransomware and that the US should know in six to a year “whether we have a cybersecurity arrangement that begins to bring some order.”

He reiterated the message in July, just days after a major cyberattack on a software company, Kaseya, affecting hundreds of businesses, and said he expected Russia to take action against cybercriminals once the US provided enough information.

Since then, there have been a few notable attacks from groups thought to be based in Russia, including against Sinclair Broadcast Group and the National Rifle Association, but none with the same magnitude or impact as those from last spring or summer. One reason could be increased government scrutiny in the United States, or fear of it.

In September, the Biden administration sanctioned a Russian-based virtual currency exchange that officials claim helped ransomware gangs launder money. The Justice Department unsealed charges last month against a suspected Ukrainian ransomware operator who was apprehended in Poland, and has recovered millions of dollars in ransom payments. The head of US Cyber Command, Gen. Paul Nakasone, told The New York Times that his organization has begun offensive operations against ransomware groups. According to the White House, the “whole-of-government” effort will continue.

“I think the ransomware folks, the ones conducting them, are stepping back like, ‘Hey, if we do that, that’s going to get the United States government coming after us offensively,'” Kevin Powers, security strategy adviser for cyber risk firm CyberSaint, said of critical infrastructure attacks.

Meanwhile, according to two people familiar with the situation who were not authorized to speak publicly, US officials have shared a small number of names of suspected ransomware operators with Russian officials, who have stated that they have begun an investigation.

It’s unclear what Russia will do with those names, but Kremlin spokesman Dmitry Peskov insists the countries have been having a productive dialogue and that “a working mechanism has been established and is actually functioning.”

It’s also difficult to assess the effect of individual arrests on the overall threat. Even as the suspected ransomware hacker awaits extradition to the United States following his arrest in Poland, another indicted federal prosecutor was later reported to be living comfortably in Russia and driving luxury cars by a British tabloid.

Some are skeptical that any decrease in high-profile attacks can be attributed to US efforts.

“It could just have been a fluke,” said Dmitri Alperovitch, former chief technology officer of Crowdstrike. He claims that requesting Russia to crack down on large-scale attacks will fail because “it’s far too granular a request to calibrate criminal activity they don’t even fully control.”

Since Biden’s talks with Putin, top American officials have given contradictory answers about ransomware trends. According to some FBI and Justice Department officials, there has been no change in Russian behavior. National Cyber Director Chris Inglis stated that there has been a discernible decrease in attacks, but it is too early to speculate on why.

Given the lack of baseline information and inconsistent reporting from victims, it’s difficult to quantify the number of attacks, but the absence of disruptive incidents is an important marker for a White House attempting to focus its attention on the most significant national security risks and catastrophic breaches.

Hospitals, small businesses, colleges like Howard University — which briefly took many of its systems offline after discovering a September attack — and Virginia’s legislature have all been victims of ransomware attacks in recent months.

According to Trzaska, the attack was discovered two days before Thanksgiving when the school’s IT director detected suspicious activity and proactively took systems offline.

A ransom note from hackers demanded payment, but Trzaska refused to reveal the amount or identify the perpetrators. Many attacks originate in Russia or Eastern Europe, but some originate elsewhere.

With critical education systems, such as email and the school’s online learning platform, disrupted, administrators canceled classes for several days following the Thanksgiving holiday and communicated updates to students via social media and a public alert system.

This month, the college, which had backups on the majority of its servers, resumed operations.

The ordeal was harrowing enough to motivate Trzaska and another college president who, he claims, went through a similar ordeal to organize a cybersecurity panel.

“The stock quote from everyone is not if it’s going to happen, but when it’s going to happen,” Trzaska said.