Jun 2, 2021 - Technology

Ransomware business achieves critical mass

Illustration of a skull and crossbones with the crossbones as cursors.

Illustration: Aïda Amer/Axios

The Memorial Day weekend ransomware attack that left the world's largest meat processor hobbled also had CEOs around the globe asking, "Am I next?"

Why it matters: The attack on Brazil-based JBS came just weeks after a similar attack on Colonial Pipeline, the U.S.'s largest refined-fuel pipeline operator. Attacks that disrupt food and energy supplies are the kinds that rouse governments to strike back.

Details: JBS said Sunday the attack hit its servers in the U.S. and Australia. Many of the firm's U.S. plants were shut down Tuesday, but by evening the company's CEO promised that "the vast majority" of its plants would be operating Wednesday.

The big picture: Ransomware is a longstanding problem, but it has recently become a "global pandemic" (as former U.S. cyber leader Chris Krebs puts it) thanks to the rise of a profitable industry around it.

  • 2020 saw roughly $350 million in cryptocurrency payments to ransomware attackers, triple the previous year's take, per one study.
  • Startup costs are cheap because malware providers have built low-cost "software as a service"-style ransomware tools that don't demand wizard-level skills to use.
  • Companies and organizations whose data and/or networks are locked up typically choose to pay a ransom rather than go through the extended trauma of accepting data loss and rebuilding systems from scratch.
  • Bitcoin makes it possible for the criminals to collect that ransom efficiently and anonymously.

How it works: Today's ransomware world operates like a macabre parody of the modern tech industry.

  • The original backers, the "venture capitalists" in the equation, are governments looking to "disrupt" their enemies.
  • These investors pay third-party hacking groups who function as "entrepreneurs" and "startups."
  • Their products are technical platforms that enable "users" to launch ransomware attacks, producing a revenue stream.

Ransomware has enabled a scalable business model for one species of cyberattack, but it requires careful calibration.

  • Attackers must select targets big enough to pay up but not so big that governments intervene to shut the ransomware operation down. The Colonial attack crossed that line, and the Darkside group that made it possible has since apparently disbanded.
  • Attackers also have to choose ransom amounts carefully: They want a big payoff, sure, but they also don't want to demand so much that victims just throw up their hands and choose to take the data loss.

The most effective "vaccine" for the ransomware pandemic would be tighter security at target companies, which are commonly infiltrated through e-mail phishing attacks or other vulnerabilities. But that's slow and hard to make happen.

Another potential remedy could involve cutting into ransomware businesses' profits by blocking cryptocurrency pathways.

  • Bitcoin itself is tough to monitor. But governments, if provoked, could pretty quickly crack down on companies that move assets between the crypto underworld and the by-the-book economy.

Or the Biden administration could turn the screws on Russia to stop funding and backing the ransomware plague — as most intelligence and industry experts believe it does.

  • President Biden is set for a summit with Russian president Vladimir Putin June 16 in Geneva.

Yes, but: U.S. efforts to discourage Russian-backed disinformation campaigns haven't succeeded in ending them. And U.S. retaliation for the massive SolarWinds breach last winter hasn't deterred the group behind it from continuing attacks more recently.

  • It may prove similarly tough to shut down a criminal software industry that's also making its perpetrators millionaires.