Q&A: What are the dangers of ransomware attacks?

A major fuel pipeline supplying the East Coast was shut down last week after the Georgia-based company operating it became the victim of a ransomware attack. 

And a Russian-speaking ransomware syndicate that stole data from the Washington, D.C., police department says negotiations over payment have broken down, with it rejecting a $100,000 payment, and it will release sensitive information that could put lives at risk if more money is not offered.

The extortion threat comes right after the pipeline disruption that's affected part of the U.S.'s fuel supply, highlighting the power of internet-savvy criminal gangs to sow mayhem from a half a world away with impunity.

Friday's hack forced Colonial Pipeline to halt operations in what it called an abundance of caution. The company said the ransomware attack targeted its information technology systems. White House officials said Monday that the pipeline did not appear to suffer any damage.

Cybersecurity experts have been warning for years about the threat posed by a ransomware attack on U.S. infrastructure in the wake of thousands of successful hacks of computer systems operated by governments, school districts, companies and hospitals.

To combat such cyberattacks, governments and businesses must beef up their defenses, better prepare to respond to intrusions and put diplomatic pressure on countries harboring cybercriminals, the experts say.

Ransomware is malware that infects and locks computer systems until victims pay hackers a fee to unlock them. Hackers typically infect such systems by tricking unwitting computer users into clicking an email attachment or a link containing the virus.

Colonial Pipeline reported over the weekend that it became the victim of a ransomware attack that locked up its business-side computers. The company said in a statement that on Friday it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations." The cyberassault did not appear to infect systems operating the pipeline.

By Monday, the company reported, it was bringing back online segments of the pipeline, which supplies about 45% of jet fuel, gasoline and heating oil consumed on the East Coast. White House officials and industry analysts said the shutdown was not likely to cause fuel shortages or lead to a rise in gas prices.

"It is relatively easy to hack a business network," said James Lewis, a cybersecurity expert and a senior vice president at the Center for Strategic and International Studies. "It's harder to hack the industrial network. Colonial did everything right after it was hacked. But we don't yet know if Colonial made the right move to prevent the hackers from crossing over."

These hacks shouldn't surprise anyone, said Bruce Schneier, a cybersecurity expert and lecturer at Harvard University's Kennedy School of Government.

"This happens hundreds of times a day," Schneier said. "These hackers, this time, just happened to land a big fish."

A task force of more than 60 experts from industry, government and nonprofits issued a report last month that called ransomware "a flourishing criminal industry that not only risks the personal and financial security of individuals, but also threatens national security and human life."

The report, published by the nonprofit Institute for Security and Technology, estimated that nearly 2,400 governments, healthcare facilities and schools were victims of ransomware attacks last year. Ransom payments rose to $350 million last year, a 300% increase over 2019, the report said. The average such payment topped $300,000.

The problem is growing, experts said. A cyber insurance firm told the task force that it tallied a 260% increase in ransomware attacks of its policy holders. A cybersecurity firm estimated that ransomware hacks spiked 700% in 2020 over 2019.

Christopher Krebs, the former head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, testified before congress last week that "we are on the cusp of a global digital pandemic, driven by greed, a vulnerable digital ecosystem in an ever-widening criminal enterprise."

Cybersecurity experts say two trends are behind the increase in ransomware assaults. The first, they said, was the growth of difficult-to-trace cryptocurrency, which has allowed hackers to easily obtain large ransom payments under the nose of financial regulators.

Meanwhile, they said, foreign governments have recognized the value in allowing hackers to operate inside their borders. Such hackers pay bribes to officials and agree to only target victims overseas. Russian operatives, in particular, believe such hackers help advance their foreign policy goals by causing trouble for adversaries, according to law enforcement officials and cybersecurity experts.

The U.S. government is taking steps to address the ransomware threat. The Justice Department last month formed a task force to combat ransomware, and the Biden administration says it is formulating a plan to tackle the problem.

Cybersecurity experts said they expect high-profile hacks like the one on Colonial Pipeline to prod potential victims to heighten security, create backups of data and come up with effective response plans.

"This problem will be greatly reduced over the next year because there is so much attention being paid to it," predicted Lewis, the cybersecurity expert at the Center for Strategic and International Studies.

Other experts are not so sanguine, saying hackers have proved adept at devising new ways to overcome cyberdefenses.

____

(Times staff writer Eli Stokols contributed to this report.

___

©2021 Los Angeles Times. Visit at latimes.com. Distributed by Tribune Content Agency, LLC.

The FBI attributed an earlier Colonial Pipeline attack to DarkSide ransomware, which is produced by an eponymous criminal organization that U.S. officials and cybersecurity experts say operates in Eastern Europe or Russia.

DarkSide is a "ransomware-as-a-service" business that relies on selling malware to hackers who then launch attacks and share proceeds with the developers, according to U.S. officials and cybersecurity experts.

The group's malware packs a dual punch: It not only locks networks but also siphons data. This kind of attack is effective even if a company or government backed up its information to mitigate the damage from ransomware because hackers can still threaten to release the data they are holding publicly or to competitors.

Cybereason, a Boston-based cybersecurity firm, reported that DarkSide's approach "effectively renders the strategy of backing up data as a precaution against a ransomware attack moot."

In a statement obtained by multiple media organizations, DarkSide said its "goal is to make money, and not creating problems for society."