Ransomware: The New Disinformation - Coda Story
https://www.codastory.com/idea/ransomware-disinformation/

In Israel, ransomware attacks against private companies pose a new kind of national security threat
https://www.codastory.com/disinformation/iran-israel-ransomware/
Thu, 20 Jan 2022 15:06:21 +0000

Groups linked to Iran rattle Israeli confidence by seeking to cause panic and doubt through computer infiltrations

Every week approximately a thousand institutions in Israel are hit with a cyberattack. It is a constant barrage of computer infiltrations. Most are ransomware attacks, and the motive was money.

Until recently. 

In 2021, several incidents featured attackers demanding ransom, but their behavior ran counter to typical ransomware heists and suggested that lurking beneath the surface, they had different goals. They made their demands with extroverted gusto, like they intended their crime to be a public act. The targets were mainly mid-sized companies such as dating apps and insurance companies, large enough to cause public concern but not large enough to spark action from the Israeli state. Most telling, the groups behind the attacks have been linked to Iran to varying degrees. 

Ransomware: The New Disinformation

Malware whacks a computer like a mugging. Meanwhile, ransomware — the new gang on the corner — looks a lot like a kidnapping, taking digital files or whole computer networks hostage. Only a sizable, sometimes enormous payout, usually in cryptocurrencies, buys freedom. They are schemes to defraud and steal, and the intent is criminal.

Or is it much more than that?

Ransomware’s parallels with disinformation are striking. While most high-profile ransomware attacks are in the U.S., U.K., and Europe, the vast majority of attacks are in countries facing political instability, like in Latin America and Africa.

Many digital hostage-taking organizations originate from the same hotbeds where disinformation campaigns are generated, like Russia, Ukraine, North Korea, and the Philippines. Ransomware travels the same political divisions as disinformation campaigns, trafficking in the exploitation of economic inequality, fear of immigrants, and racial resentments to undermine public trust in institutions and belief in social stability.

Where disinformation uses noise and incoherence to sow doubt and spread division, ransomware does something similar: it, too, is an agent of chaos. It may look like just a way to make a crypto-buck, but its effects, very often intentional, are much more profound.

“I call this a hybrid threat. There are attacks that are considered political-cyber-offensive, which are by states or by non-state actors but with a political agenda,” said Gabi Siboni, the head of the cyber security program at The Jerusalem Institute for Strategy and Security. “And there are cyber criminals. But what you can see is that it’s getting mixed.”

This new generation of ransomware attacks underscores how a new front in the conflict between Iran and Israel is developing. Ostensibly a financial crime, ransomware has become a tool of statecraft whose geopolitical aim is to damage the social bonds of Israeli society and public trust in the country’s institutions, rather than to damage infrastructure or extract a financial bounty.

While the Israeli Cyber Directorate has issued multiple recommendations and warnings about this new “wave of attacks,” the responsibility to protect private computer systems still rests with companies. The advent of geopolitical ransomware exploits a structural vulnerability: a route to damage the social cohesion of a country via geopolitical attacks that bypass state defenses.

Last October, in what is called the “Atraf” hack, Black Shadow, a group with links to Iran, hacked into the servers of CyberServe, an Israeli hosting company, accessing websites and applications of the company’s customers.

Among its customers was the LGBTQ dating app, Atraf. The application’s databases were not encrypted, making it easier for hackers to get their hands on very sensitive personal information. Before asking for the ransom, the group dumped tens of thousands of records from the various sites it had penetrated. The leak included a thousand user profiles in Atraf’s customer database that disclosed information such as names, sexual orientations, unencrypted passwords, locations and HIV status.

The attackers demanded $1 million in exchange for the encryption key and threatened to leak more information.

The CyberServe hack had little resemblance to a classic ransom attack. Everything was very public. The group used Telegram and RaidForums for its announcements instead of directly establishing communication with the company. Typically, financially motivated actors seek private negotiations, but the Telegram groups run by Black Shadow look like a public campaign — complete with drop countdowns and cheery messages.

“The nature of this wave of attacks is actually to seed fear and a sense of terror in the Israeli people by attacking high-profile targets or ones that can generate enough media attention,” said Lotem Finkelsteen from Check Point, a cybersecurity company. This explains the public behavior of the attackers. “They put more focus on echoing the attack, embarrassing the victim and developing expectations in the Twitter/Telegram followers than getting a financial payment.”

Iran and Israel are bitter foes. After the state of Israel came into existence in 1948, Iran was the second Muslim-majority country to recognize Israel as a sovereign state. Iran retracted recognition after its 1979 revolution and regularly threatens Israel with total annihilation. The cyber realm often reflects real-life tensions so, once high tech entered our lives, the two foes quickly picked up cyber weapons. 

The countries’ long-running cyber conflict has taken many turns but until recently, the tit-for-tat hacks have mainly concentrated on military infrastructure. This is changing. Both parties are increasingly targeting civilian infrastructure and private companies. Recent hacks attributed to Israel include attacks on the University of Tehran and on a system that allows millions of Iranians to use government-issued cards to buy fuel at a subsidized price. Iran has gone after Israel’s water. Last April, six facilities were targeted in an attempt to increase the amount of chlorine in the water supply to dangerously high levels. 

According to Boaz Dolev, the CEO of cybersecurity company ClearSky, Black Shadow’s previous attack on the Israeli insurance company, Shirbit, was also confounding. After stealing the company’s data, the attackers wiped the information off the servers instead of encrypting it. “This is not something a ransomware group does,” he said. After demanding $1 million in bitcoin, Black Shadow refused to give the company a four-hour extension past its deadline to provide a payment in full.

An Israeli cyber negotiator, who requested anonymity to maintain a nonpublic professional profile, also doubts Black Shadow’s motivation. “I’m not a cyber analyst, I’m a negotiator. What I can identify from the beginning is whether the motivation of the person is political, which means to cause havoc, uncertainty and to undermine public confidence in the system. With Shirbit it was very clear that it was a politically motivated attack rather than a financially motivated one.”

This cyber negotiator had recently come across similar fishy attacks on Israeli companies. At one company, he started negotiating with the hacking group called “Pay2Key.” At first, it looked to him like a typical ransom attack, but then he noticed red flags. For example, the group was a previously unknown actor, yet it used unusually aggressive language.

Nevertheless, the company decided to pay the ransom. Pay2Key did not provide a data decryptor. To get to the top in the ransom industry, reputation matters. Taking the ransom and in return not providing the decryption key so that a company can retrieve its data is very bad for repeat business.

After several encounters with unusual ransomware actors, the cyber negotiator began looking more closely into the threat they posed. Technical analysis of the Pay2Key attack by Dolev’s cybersecurity company, ClearSky, estimated “with medium to high confidence” that Pay2Key is a new operation conducted by an Iranian group called Fox Kitten, an Advanced Persistent Threat, the name for an opaque actor, typically linked to a government, which gains unauthorized access to a computer network and remains undetected. Pay2Key is believed to have begun a wave of attacks against dozens of Israeli companies in July and August 2020.

The attacks are not limited to Israel. The FBI and the U.S. Cybersecurity and Infrastructure Security Agency recently identified a new Advanced Persistent Threat group associated with the Iranian regime involved in “data exfiltration or encryption, ransomware, and extortion” in the U.S. and Australia.

In fact, yet another group linked to Iran has had an unusual modus operandi. In June 2021, a group called Deus claimed that they had obtained 15 terabytes of data from Voicenter, a call center company. The data contained information belonging not only to Voicenter but also 8,000 companies that used their services. The hackers posted samples of the information, security camera and webcam footage, photos, ID cards, WhatsApp messages, emails and phone calls. 

They used public channels, raised their ransom demands every 12 hours, and announced that the data was for sale even before the negotiation period was over. In this way, Iranian advanced persistent threat groups play a ransomware poker game: trying to inflict maximum social and political damage without triggering state retaliation.  

Israeli companies are reluctant to acknowledge cyber attacks from Iranian groups precisely because the publicity could generate nervousness and doubt about the hardness of Israel’s defensive shell against its powerful enemy. This lack of transparency, however, also creates vulnerability, say Israeli cyber security experts. “We still do not have enough information to link these groups to the Iranian government, but even if these direct links exist, the ransom tools used in these attacks are quite conventional and small,” said Einat Myron, a cybersecurity expert in Israel. 

“Medium-sized companies can certainly do a better job at protecting against them,” Myron said. “Maybe avoiding playing into foreign actors’ games could be the new motivation for business owners to start taking data protection seriously.”

The rise of the geopolitical hack
https://www.codastory.com/disinformation/ransomware-geopolitics/
Mon, 06 Dec 2021 14:33:50 +0000

The residue of ransomware is infiltrating our psychology and pocketbooks. Is politics next?

In late 2020, a cancer charity contacted the U.S.-based cybersecurity company, GroupSense, in a panic. One of the world’s largest cybercrime gangs had infiltrated the organization’s computer system and kidnapped its data. An ominously worded message explained that the hackers were willing to restore the nonprofit’s records in exchange for several million dollars.

The digital ambush thrust the charity into uncharted and potentially catastrophic territory. Paying the requested amount was unthinkable for a nonprofit group, and even if it were able to foot the bill, news of the breach trickling out to donors could be devastating. The organization eventually turned to GroupSense, which has carved a niche out of negotiating ransom payments between hackers and victims, for help. 

“They were like, the number is so far off the mark that this seems hopeless. We’re doomed,” said Kurtis Minder, the company’s founder and CEO. 

The middlemen agreed to step in.

Wrangling with the subterranean world of cyber-hijacking requires some finesse. So, GroupSense created a set of principles to guide their conversations. “Don’t be antagonistic, be polite and treat it like a business transaction,” explained Minder. But this case tested the organization’s patience. “We were so angry,” he recalled. “We were like, ‘You hit a cancer charity. They don’t have any money. You should just unencrypt their files immediately, so they can go back to saving people.’” The appeal to the hackers’ better angels was ignored, but the two groups were, eventually, able to settle on a much lower fee than the original demand: $10,000.

The incident provides a glimpse into a dawning era of cyber chaos, where unscrupulous actors are seizing upon the vulnerabilities of our digital world in increasingly brazen and frequent attacks. Some are doing so via ransomware, a form of malicious software that hackers deploy to encrypt victims’ data and then extort them for payment. 

From 2019 to 2020 alone, ransomware attacks rose by 62% globally and 152% in North America, according to a report by the cybersecurity firm SonicWall. Hackers have slipped into the electronic networks of schools, hospitals, voting systems, local governments, small businesses, and major food and fuel suppliers, disrupting the lives of millions of everyday people — all as the coronavirus pandemic cements a shift toward an ever-increasing reliance on digital systems.

The data suggests that we have entered a new phase of digital disruption. While nobody can predict what the future will hold, the evolution of disinformation could provide a useful guide. A decade ago, the issue was barely on people’s radar; now, it has become so ubiquitous in political and technological debates that a world without it seems almost unimaginable. Could ransomware follow a similar trajectory?

Disinformation and ransomware share an ability to fracture the body politic. Both can sow instability, chip away at social cohesion, and compromise peoples’ faith in institutions. There is also a clear geopolitical dimension to both. 

“They’re both of a piece — world politics slowly grappling with the realization that all information is strategic,” explained Ryan Williams, a PhD student in public policy at The University of Texas at Austin. “And the state that can best harness the implicit value of the data that’s all around us is going to be able to project their will more effectively.”

To be sure, there are some key differences between the two. As the name suggests, ransomware is an explicitly profit-driven exercise — the whole system is built on extorting money via the kidnapping of data. That’s why there is a consensus among many cybersecurity experts that the people and entities behind ransomware are largely motivated by financial gain. The distinction doesn’t mean that the politics and profit of ransomware are mutually exclusive. Governments can benefit from attacks they don’t order, and attacks of a large enough magnitude — for example, targeting critical infrastructure projects — can inflame geopolitical tensions, even if carried out by individuals and groups not affiliated with the state.

The ransomware ecosystem is made up of murky criminal groups whose origins and intentions can be difficult to trace. But negotiators like Minder get a rare glimpse into the anatomy of attacks and the bureaucratic machinery of some of the large cybercrime syndicates that carry them out. 

Hacks usually take a similar shape: Someone tries to log in to their company or organization’s computer system and, instead, finds a note telling them that their data has been taken hostage, along with instructions for how to get in touch, often via a chat on the dark web. Navigating to the suggested page may bring up a digitized clock counting down the amount of time a target has to comply with a ransom demand before attackers up the ante — like notching up the fee or wiping out a percentage of their data.

At some point in this process, Minder, who is 44, chatty, and surprisingly upbeat for someone who spends a significant chunk of his time submerged in the bowels of the internet, will step in to mediate. Although he’s spent two decades working in technology and start-ups, Minder’s descent into the dark arts of cybercrime negotiation began about 18 months ago, after GroupSense helped a software company resolve an attack. He agreed to lead the negotiations, and took to it naturally, talking down the ransomware demand significantly. After resolving the case, Minder’s team told him he had a moral obligation to continue helping victims of the growing ransomware industry. The work quickly snowballed. Minder estimates he and his team of two negotiators have handled roughly 100 cases in the last year and a half.

Minder is emphatic that his job is “not sexy. It’s not like I’m jet-setting around, drinking martinis.” Triangulating between victims and hackers can be emotionally draining: imagine trying to help a petrified business owner on the brink of financial ruin; add in a low-level hacker on a different continent whose English is shoddy and is going to need to run your counter-offer by his manager; then multiply that by three — the number of cases Minder typically handles at once. How does he cope with it all? “I probably need to see someone,” he said.

Like a good millennial, I asked Minder about work-life balance. Unsurprisingly, I learned that cybercriminals do not respect the home lives of negotiators. “You know what sucks? The bad guys tend to attack on Friday nights, or before holiday weekends. So, I don’t even plan anything,” he sighed. “Like, it’s Labor Day? I know what I’m doing.” For Minder, who is also a wine enthusiast, even post-work drinks can be a gamble — one too many can jeopardize a delicate negotiation. “If I get a feeling that it’s ok, then I can have a glass at 7,” he said.

Some of the more sophisticated cybercrime syndicates have strict reporting structures. When dealing with them, Minder says his primary point of contact is generally a low-level hacker with limited English who is likely cutting-and-pasting a script into the dark web chat and plugging responses into Google Translate before passing negotiations off to their manager. “The first person you’re talking to is probably 23 years old,” Minder explained. “And there’s somebody behind them yelling at them.” Although Minder deals with all sorts of hackers, he says that many of them appear to be operating out of Russia. “There’s no real mission other than take money,” he said. “They do seem pretty heartless.”

For Minder, the ability to place oneself in the shoes of both hacker and hackee is one of the most important skills in a negotiator’s toolkit. “I think empathy is invaluable,” he explained. “It doesn’t mean sympathy. It means understanding the situation that the person is operating under and the lens that they might look at this through, based on their situation.”

Experts are split on paying off ransomware demands, either directly or via middlemen like Minder. Some, including the FBI, argue that acquiescence motivates cybercriminals to continue launching attacks. Others say the role of a neutral third party is useful in negotiations and can reduce the ransom amount victims end up handing over. Minder is sensitive to opponents’ concerns but realistic about the pressures facing targets. If the choice is between shutting a company down or paying up, “that ransom is probably getting paid with or without me,” he said. “At least we’re going to pay these guys as little as possible.”

Whether you agree with Minder’s position or not, recent events suggest that he is likely to remain busy for some time to come.

Ransomware: Disinformation dressed up in code?

Ransomware is not a new problem, but a spate of recent high-profile attacks points to a criminal enterprise that is becoming increasingly brazen. Just this week, a ransomware attack hit the reproductive health clinic Planned Parenthood Los Angeles, compromising hundreds of thousands of patients’ healthcare data and personal information. Add that to a list of hacks in recent months that have targeted the United States’ largest fuel pipeline, the world’s biggest meat supplier and Ireland’s health care system. In 2020, the U.S. Federal Bureau of Investigation recorded nearly 2,500 ransomware attacks, totaling $29 million in combined losses — up from $9 million in 2019 — a figure that is widely believed to be an undercount.

“Ransomware has exploded into a multi-billion-dollar global racket that threatens the delivery of the very services so critical to helping us collectively get through the Covid pandemic,” Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Security Agency, said in testimony before Congress in May. “To put it simply, we are on the cusp of a global pandemic of a different variety, driven by greed, an avoidably vulnerable digital ecosystem, and an ever-widening criminal enterprise.”

Ransomware attacks have wide-ranging consequences. They can leave small businesses on the brink of financial ruin, threaten election integrity, hobble critical infrastructure, destabilize municipalities, and jeopardize the lives of hospital patients. 

Ransomware attacks targeted nearly 2,400 schools, hospitals, and local governments in the U.S. in 2020. In May, hackers took down the sprawling Colonial Pipeline, which runs from Texas to New Jersey, driving up gas prices, causing fuel shortages, and unleashing pandemonium at gas stations across the southeast of the country. A 2019 attack paralyzed Baltimore for weeks, preventing people from paying water bills, parking tickets, and property taxes, ultimately costing the city an estimated $18 million. The White House has begun to acknowledge the magnitude of the threat. After the Colonial Pipeline debacle, President Joe Biden signed an executive order aimed at shoring up the country’s cyber defenses and established a ransomware task force to combat attacks.

Richard Forno, director of the graduate cybersecurity program at the University of Maryland, Baltimore County, said the spate of cyber attacks reveals “the fragility of the modern economic and social environment. Our nation is dependent on technology. We’ve built all these infrastructures and services, this digital world we live in, on top of some very flawed foundations.” He likens the contemporary landscape of cyberwarfare to strategic bombing campaigns during World War Two. “You attack a pipeline, you paralyze large swaths of the East Coast. That’s almost as bad as actually physically blowing up the pipeline,” he said.

The effects of such attacks extend well beyond the practical or financial. Ransomware leaves a mark on our collective conscience, reminding us that the electronic systems that we rely on are vulnerable to widespread disruption at any moment. Maybe it is time to start thinking about ransomware as a form of disinformation draped in code — one that fosters chaos, erodes institutional trust, and inflames geopolitical tensions.

Major cyberattacks have also been linked to hackers operating out of Russia, China and North Korea. In July, U.S. officials accused Chinese government-employed contractors of carrying out a massive hack on Microsoft Exchange’s email server, which compromised tens of thousands of computer systems globally, along with ransomware attacks against private companies, prompting NATO’s first-ever condemnation of China’s cyber activities.

In February 2021, the U.S. Justice Department indicted three North Korean intelligence officers over an alleged global hacking scheme aimed at, among other things, stealing more than $1.3 billion from companies and financial institutions, including a 2017 ransomware attack on the U.K.’s National Health Service. Announcing the charges, a U.S. official described the case as a “striking example of the growing alliance between officials within some national governments and highly sophisticated cyber-criminals.” The same month, a report by a United Nations panel found that North Korean cyberattacks totaling hundreds of millions of dollars helped provide revenue for the country’s nuclear weapons program.

Currently, however, the main perpetrators of ransomware attacks appear to be operating out of Russia. According to Josephine Wolff, an associate professor of cybersecurity policy at Tufts University, the country is “the biggest player in the ransomware space and the one that causes the most problems for the United States.”

In June, the FBI accused the Russian cyber gang REvil — reportedly responsible for over 360 attacks on U.S.-based organizations in 2021 — of orchestrating a hack on the world’s largest meat producer, JBS, temporarily hobbling the company’s entire U.S.-based operation. That same month, the crippling of the Colonial Pipeline, which U.S. officials traced to the Russian hacking group Darkside, brought cybersecurity into the spotlight at Joe Biden and Russian President Vladimir Putin’s first face-to-face meeting. “I looked at him and said: ‘How would you feel if ransomware took on the pipelines from your oil fields?’” Biden said in June 2021. The comments prompted a forceful denial from Putin, who argued that most cyberattacks originate in the U.S.

Perhaps the defining feature of Russia’s ransomware landscape is its ambiguity. Experts say it’s extremely difficult to determine if Russia-based hackers are operating at the behest of the government, or merely with its tacit approval. For years, the Kremlin has been accused of giving hackers free rein within its borders, as long as they don’t interfere with government interests or attack Russian targets. (Malware used by REvil is designed to avoid computers that use the Russian language, according to a report from one cybersecurity company). That dynamic allows the government to maintain a posture of plausible deniability about ransomware attacks, attributing them to criminal groups, while potentially benefiting from their outcomes.

“I do think the way that Russia handles this is brilliant,” Minder said. “It’s like, well, it’s not us. It’s just some kids in somebody’s basement. And they are achieving their nation-state goal. A bunch of that money is ending up in Russian banks. And it is highly disruptive to the U.S. economy and productivity. I don’t know that they’re orchestrating it. They just let that monster go.”

After the Colonial Pipeline attack, the Russian-linked Darkside group posted a statement on its website stressing the “apolitical” nature of its work. “We do not participate in geopolitics,” they wrote. “Our goal is to make money.” 

Julie Davila, the co-founder of the cybersecurity startup ZibaSec, is understandably skeptical. “What I find curious about people taking the word of some of these syndicates from the dark web is how quickly they trust the random username of some random spokesperson,” she said. 

And that unclear line between state and criminal groups moves ransomware into what the PhD student Ryan Williams of the University of Texas at Austin calls “the gray zone of conflict.” Because this murky space can prove useful for governments, the future could, in theory, see states increasingly relying on intermediaries to disguise politically motivated attacks as financially driven intrusions carried out by criminals. Such ambiguity also provides fertile ground for the spread of rumor and conspiracy.

“You can imagine the worst-case scenario is an actual cyber-attack on some sort of key electoral infrastructure in an upcoming election that is themed as a ransomware attack from a private actor,” said Williams. “It would just be another huge cycle of really emotionally charged conflicts over the basic facts of our democracies.”

Ransomware could soon be about more than just money
https://www.codastory.com/disinformation/ransomware-coersion/
Mon, 06 Dec 2021 14:33:17 +0000

Ransomware has the potential to be a powerful geopolitical bargaining tool

In May 2017, North Korean hackers — allegedly, from the infamous Lazarus Group — unleashed the WannaCry ransomware attack. The malicious code quickly spread to more than 200,000 computers, crippling technology in over 150 countries. Hospitals, railroads and schools were all hit. Locked out of their system, victims received demands for bitcoin payments, in order to buy back access to their data.

The attack put ransomware on the map, but companies and individuals have been painfully slow to shore up their systems against similar assaults. Ransomware attacks increased by 93% in the first six months of 2021 compared with the same period a year earlier, according to the cybersecurity company Check Point. JBS USA, one of the largest meat suppliers in the US, paid an $11 million ransom after a breach forced five of its plants to temporarily halt operations in May. The Japanese tech giants Fujifilm and Toshiba have both been hit this year. Even the Houston Rockets, an NBA basketball team, was a target.

While the motivations behind WannaCry and many similar ransomware attacks appear to be financial, ransomware has the potential to become a powerful geopolitical tool. We spoke with Jenny Jun, non-resident fellow at the Atlantic Council’s Cyber Statecraft Initiative, about how ransomware can be used coercively against adversaries and hostile governments.

This conversation has been edited for length and clarity.

Coda Story: Let’s look into the history of ransomware. From what I know, it emerged a long time ago, demanding small amounts of money — typically less than $500 — from individuals. Now, we’re seeing massive attacks on companies and governments, asking for millions.

Jenny Jun: The first case of ransomware ever recorded was in 1989. It was basically some guy who spread this virus on a floppy disk. It wasn’t really for money. He was interested in this novel thing. I think he ended up donating all the proceeds to some foundation or other. That’s how it first started. Then people forgot about it. Then in 1996, some computer scientists — Adam Young and Moti Yung — wrote an influential paper on how to use encryption coercively. That’s when it resurfaced again. That idea, coupled with the rise of cryptocurrency, which makes it really easy for criminals to get the money without risking their capture or revealing their identity, facilitated its evolution into an organized criminal enterprise.

In the early 2010s you started to see some of the early variants of ransomware, the rudimentary stuff. It was like spam. You spray and pray, and hope that at least one person will click on it. The ransom demand was not tailored to you specifically. They set what they thought was the average price that any individual would be willing to pay. Anyone who was willing to pay about $300, they paid and got their decryption key. For a long time, that was the business model. It wasn’t really making a lot of money. It was just nickels and dimes.

In 2016 to 2017, things started to change. These criminal groups were realizing that, usually, people would rather pay a couple of hundred bucks to instantly get their data back and their hardware unlocked than to brute force their way through the encryption. Once they realized that, they started going for individuals or enterprises who would be willing to pay more. That’s when we started to see a shift towards targeted ransomware, also called “big game hunting.” That was a whole different game.

So, this assumes that the fundamental goal is often financial. What about nation states? Why would a country be interested in conducting ransomware attacks?

So far, here are two cases where a nation state was involved in ransomware. The most famous is North Korea’s WannaCry. North Korea is famous for using cyber attacks to generate money. They’ve been doing illicit trade, they’ve been selling illegal weapons all over the world. They’re making counterfeit currency. So, this is like an extension of that. They’re dabbling in cybercrime, they’re stealing money from banks, they’re hacking cryptocurrency exchanges. 

WannaCry was a nickels and dimes ransomware attack. It’s a worm-based ransomware, so it spreads from network to network. It self-propagates. The goal was to try to infect as many systems as possible. Per system infected, it asked for $300. The goal was presumably to make cash. 

But what if they don’t have a financial interest? Why are they using ransomware? There are two examples here. One is Russia. In 2017, hackers from there used a ransomware worm called NotPetya, which worked like WannaCry and encrypted a lot of systems mainly in Ukraine, but elsewhere too. It locked up a lot of critical infrastructure. There, the goal was pure disruption. They weren’t really interested in getting anything in return.

Another example is Iran, which has been using ransomware called Pay2Key against Israel since early last year. For context, Iran and Israel have been fighting a shadow war, assassinating nuclear scientists, blowing up ships. Pay2Key was used as one of the means to get back at Israel. It is suspected that it wasn’t really used for financial purposes, but for disruptive ones.

Is “ransomware as a geopolitical tool” the general direction that you’re seeing? 

That’s one of my main predictions. I would go even further and say that, yes, ransomware can be used as a quasi-wiper attack, which basically fries computer systems. But it can go further, because the encryption is not totally destructive. It’s reversible and you can ask for something in return. There’s no rule saying that it has to be bitcoin or cash. 

For example, Iran is under sanctions, and a lot of U.S. allies hold Iranian financial assets frozen in their country’s banks. South Korea has a lot of frozen Iranian oil funds. So, early this year, Iran hijacked a South Korean oil tanker off the Strait of Hormuz. They said, “We’re gonna hold the ship and crew hostage, but, we’ll let them go if you unfreeze some of that money that you’re holding in your banks.” They ended up doing a swap. Iran released the crew and South Korea unfroze some of Iran’s assets. Then Iran returned the ship and got paid some more. 

Ransomware can be used in that way. That’s my prediction for the next five to 10 years, that ransomware will be used coercively — as a bargaining tool.

So, rather than being restricted to espionage and information gathering, we’re going to start to see hacking as a tool of state coercion? Which states do you think will be first to adopt it? 

I think so. I think it will be more useful in Iran and North Korea than in, say, Russia. I say that because Iran and North Korea don’t have much to lose. Victims can always retaliate and, if you think about a state like Russia, their grids, their businesses and their economy are vulnerable. Let’s say Russia encrypted a significant U.S. target and issued serious geopolitical demands —  the U.S. is not going to just say, “OK, we’ll do that.” It’s going to also encrypt targets in Russia. We’re just going to have the usual hostage situation. Attacking North Korea will cause fewer problems, because there’s less at stake there. 

Why is ransomware a powerful tool for coercion, as opposed to other kinds of cyber attacks, like wiper attacks, which essentially erase all the data?

For a long time, scholars and policymakers, government officials have been saying that we can’t really use cyber tools for coercion. The reason why they said that is that when you’re trying to use a tool coercively, you have to say “I want a certain thing in return,” and also demonstrate that you have the capability to inflict harm if they don’t listen.  

A lot of cyber operations rely on deception and surprise. That makes coercion really awkward, because for you to convey that you want something in return, you have to let them know that you’re in their network. Then the other side will say, “Well, screw you, I’m just gonna unplug my computer from the network, or mitigate that vulnerability.” 

Then ransomware comes along, which is extremely effective at coercing victims and extorting money. Theory tells me that cyber attacks are ineffective for coercion, and yet they’re coercing the hell out of everyone. 

So, I’ve been thinking about ransomware and its similarities to disinformation campaigns. They’re both low-cost, high-impact. And disinformation is becoming more accessible — disinformation for hire is now a reality. Is the same true for ransomware? 

There’s a whole industry in the cyber-criminal world where they’re offering ransomware as a service. You and I, who know nothing about coding and nothing about how the encryption algorithm works under the hood, can go to the dark web and purchase ransomware. You pay $100 or something — it depends on the company — and then they give it to you. It’s a point-and-click system where you don’t code a single thing. There is very little barrier of entry. 

That means that it’s a lot cheaper for poorer, isolated states, like North Korea, than waging actual war. You can do a lot of damage without firing a single shot. Are we going to see more states making that kind of calculation?

I do a little bit of digging on North Korea’s cyber strategy. The reason that they got into it is that it’s a good tool to advance their national strategy. For example, they wanted to influence South Korea and change its policy in ways that benefit them. But, because of the deterrence structures that exist between the two countries, it’s very hard to do that with conventional forces. I think cyber attacks emerged as a loophole in that deterrence framework. There are no set red lines. There’s a fuzziness and ambiguity around how we respond to a cyber attack, as opposed to artillery fire. 

However, it is also empirically true that overall, states have used cyber capabilities overwhelmingly for espionage rather than as a strategic weapon. In reality, planning a cyber operation takes considerable time and resources, and systems must be compromised well in advance in order to create effects when you want to. The use of these capabilities must also serve some political or military purpose beyond simple destruction, and for the aforementioned reasons it was relatively difficult to translate cyber power alone into such strategic victories. I think it’s more realistic to think that cyber capabilities would be used in tandem with existing conventional capabilities in a future conflict, rather than on their own.

Institutional victims, like hospitals or companies, aren’t concerned about calling out whoever carried out the attack, so much as they just want their data back so they can get back to business, right?

This used to be the culture, but I think it’s changing after high-profile ransomware events this year like Colonial and Kaseya. Government agencies are encouraging victims to report ransomware incidents, and there are even several bills in Congress right now to mandate such reporting. The U.S. government is using these reports to investigate and actively go after ransomware gangs such as REvil and intermediary money launderers. 

Unlike the typical cyber attribution problem, the problem isn’t necessarily coming from attributing the identity of the attackers – often the ransomware operators make their brand clear in the ransom note. The problem is that ransomware victims often do not want to disclose that they have been attacked and/or that they have paid. There is a trust issue that needs to be managed between these victims and the federal agencies who handle this information, and the reporting process needs to be made clear and easy. 

Right, you could flip it and incentivize stronger cybersecurity, training, updated software and the backing up of data.

The critical flaw of ransomware is that, if you have a shadow copy of everything, then they can’t really coerce you. Invest in real-time, offline backup technology. There’s cloud technology — use that to back up your stuff. Migrate your legacy system. Subsidize the adoption of such technologies and recovery processes, or incorporate such features in cyber insurance underwriting. Update everything. It’s not rocket science.

Ransomware attackers are going after schools
https://www.codastory.com/disinformation/ransomware-schools/
Mon, 06 Dec 2021 14:32:27 +0000
Schools may not seem like a lucrative target for a cyberattack, but hackers are increasingly going after their vulnerable systems. It costs thousands of dollars to recover and disrupts the learning of millions of kids
One Friday in July, just before the start of the school year, Caroline Sice was out to lunch with a friend when she got an alarming call from a colleague. Lanesend Primary — a school on the Isle of Wight in the U.K., where Sice has been head teacher for 12 years — had been hit by a ransomware attack. All of the information stored on its network was completely inaccessible. 

“Everything had been encrypted,” said Sice. “All the children’s records, staff records, all the teaching and learning, all the data, all the finances, internet. Everything.” 

Lanesend Primary, which serves roughly 400 students, aged four to 11 years old, had experienced IT problems the day before. Staff couldn’t access their emails or remotely log into the school’s systems. Sice was aware of the issues, but attributed them to routine maintenance. 

“I really, really hadn’t thought that it would be a cyber attack,” she said.

Lanesend was not the main target. The Isle of Wight Education Federation (IWEF), a multi-academy trust of three secondary schools, serving a total of over 2,000 students, provides technical support and data storage for Lanesend and two other primary schools on the island. A week into the summer holiday, its systems and those of the six schools for which it is responsible were crippled by hackers. 

To regain access to them, a ransom of more than $1 million was demanded from IWEF. Payment was to be made in bitcoin, as has become common in similar attacks, but IWEF refused to comply. Now, it faces massive administrative disruption and thousands of dollars’ worth of bills to recover.

Chart note: the number of ransomware attacks on schools in the U.K. in 2018 counts only April to June of that year.

A worsening trend

In recent years, education has become one of the sectors most frequently subjected to ransomware attacks. According to the U.K.’s independent regulator, the Information Commissioner’s Office, the number launched against U.K. universities and schools increased by 148% between 2019 and 2020. 

In the U.S., however, the figures are even more stark. Attacks on schools from kindergarten through to 12th grade increased by 860% in 2019 — a record high. In July that year, the governor of Louisiana declared a state of emergency after three school districts were taken offline, just weeks before students were set to return from summer vacation. The number of incidents involving educational institutions decreased slightly in 2020, but the targets have become much bigger, including large school districts with higher budgets. In total, 1.36 million American students were potentially affected last year alone.

The problem has become so bad that the Federal Bureau of Investigation and the U.K.’s National Cyber Security Centre have warned schools about a growing number of attacks that have exploited increased cybersecurity weaknesses connected to remote learning during the pandemic. 

According to Doug Levin, founder of the K-12 Cybersecurity Resource Center, which helps schools improve cybersecurity and conducts an annual study of ransomware attacks in the U.S., hackers are also demanding more money.   

Levin first started tracking the phenomenon in 2015. “The extortion demands for schools at the time were $5,000, $10,000, $25,000,” he said. “It’s not unheard of for those ransomware demands to be $1 million or more now. That’s a dramatic change.” 

After a hack in March, the Harris Federation, which runs 50 primary and secondary schools in London, received a ransom request for $4 million. But that was nothing compared to the demand issued to Broward County Public Schools of Florida in March, which came in at a whopping $40 million. The district refused to pay. 

The ransom faced by IWEF was nowhere near that high, but it was still far beyond the organization’s means. “They asked for an amount that we couldn’t afford,” said executive headteacher Matthew Parr-Burman. “It was an easy decision, because it was like, ‘Well, this is a stupid amount.’” 

So, why schools?

Educational institutions can be a lucrative option for hackers — especially in parts of the U.S., where high property taxes contribute to big budgets, explained Levin. 

As for the $40 million demand received by Broward County Public Schools, the district’s annual revenue sits at $4 billion. While that figure is not actually enough to meet the needs of the sixth largest school district in the United States, it’s still enough to be very attractive to cyber-criminals. 

Schools are also a relatively soft target. Unlike major corporations, educational institutions rarely employ cybersecurity experts and their IT teams are often spread thin, tasked with both keeping their networks safe and more routine technical needs. 

Many schools use older versions of software, with unpatched vulnerabilities, and frequently fail to put in place basic security measures. The Isle of Wight Education Federation, for example, had not enabled two-step authentication.

“Everything has been run for the convenience of the teacher, which is obviously quite convenient for a hacker too,” Parr-Burman explained. 

That changed after the ransomware attack. Now, IWEF is one of many around the world directing significant resources towards the strengthening of its cybersecurity. 

“The fact of the matter is that, in the last five or so years, school districts have flipped from where technology is a nice thing to have to it being really integral to their operations, not just in the classroom but in the back office,” said Levin. 

He went on to explain that everything from locks on doors to telephone systems and school bus routing is now controlled and organized by computers. The growing reliance on technology seen during the pandemic could leave schools even more exposed.

According to Levin, distance learning could “increase the threat profile of school districts, because now you have people working on their personal networks and personal devices.” It is also likely that disruptions will be felt more widely in education systems with remote learning at their core. In September, a ransomware attack forced Howard University in Washington, D.C. to cancel all of its online classes. 

Like hospitals — another prime target for ransomware — schools cannot afford to be offline for long. This means that the educational sector is more likely to pay out than other industries. In a survey of IT decision makers at nearly 500 schools around the world, conducted by the British security software company Sophos, 35% of those targeted by ransomware paid off the hackers. 

But, for cybercriminals, ransoms are not the only potential source of revenue. In addition to demanding fees to decrypt data, they are stealing information and threatening to leak it online if they are not paid. 

“On the dark web, identity information for minors and young children is actually more valuable,” explained Levin. “That is because they have a fresh credit record that they can start to abuse and that no one is monitoring.”

So far, Parr-Burman doesn’t believe that any student or staff data was stolen from the Isle of Wight Education Federation, but it has happened to other schools. When Toledo Public Schools in Ohio was targeted by hackers in September 2020, the district refused to pay. Data was dumped on the dark web, including the addresses and social security numbers of current and former students. Months later, one parent was notified that someone had tried to open a credit card in the name of his elementary-school-aged son.

Wide-ranging disruption

As soon as Caroline Sice got the call informing her about the ransomware attack on Lanesend Primary, she snapped into problem-solving mode. She telephoned the school’s chair of trustees, business manager and leadership team to set up a meeting. She then sent an email to teachers, letting them know that she was on the case. 

For a moment, it felt like the matter was under control. But, as the scale of the problem became clearer, she started to lose hope.

“Over the weekend, it got heavier and heavier and heavier,” she said. “Suddenly, it begins to dawn on you that you’ve got nothing. Nothing. All the lesson plans. Oh my goodness, how are the teachers going to respond? This is years and years of their work, years of learning. The more you thought of it, the bigger and bigger it grew.”

The hackers also encrypted the backups of all of the data for Lanesend Primary and the five other schools, which meant the easiest way to resolve the problem was off the table. Staff would have to recreate all of the schools’ records from scratch. Then the Isle of Wight Education Federation informed Sice that it would no longer provide data storage or technical support to the primary schools including Lanesend after October 31. On top of recovering from the ransomware attack, Sice now has to find a new place to host all of her school’s information. 

Ultimately, Parr-Burman, Sice and the headteachers of the other affected schools made the decision to delay the start of classes by three days, to allow staff time to regroup and bring students back safely amid the pandemic. For the first six weeks of school, everything was done on paper. 

Kids are now back at their desks, but the upheaval caused by the attack is far from over. Some of the problems have been minor, like supplies not being delivered because schools could not pay bills after losing all of their financial information. Other things were unexpected. Hackers encrypted access to the digitized bells in one of the secondary school’s buildings, so for the first three weeks of classes, they rang at random intervals. Because the schools lost all their contact lists and access to email, the IWEF couldn’t inform parents or staff that the systems were down and the start of term would be delayed, so Parr-Burman put out a notice in the local paper. 

Some of the lost data was more important and more laborious to reassemble. The medical information of staff and students, financial records, payroll details, staff background checks — all of it was gone and none of it has been decrypted. 

On top of all the administrative challenges created by the ransomware attack, Caroline Sice is concerned teachers who lost lesson plans that they had devised will be forced to turn to a more rote curriculum.

“We’re a very creative school,” she said. “We learn from what interests the children. So every year is different. I’m worried that actually what they’ll now pull on is just whatever they can get rather than it being what was really made for the children.” 

Lanesend has about a dozen students with special needs, who have individual education, health and care plans, a government program to identify a child’s needs and ensure that they are met. It took three weeks, even with two people working on it, to recreate the learning plans for each of those students.

IWEF is facing high costs, as well. To prevent a future attack, the federation will now back up the secondary schools’ data, but not that of the three primary schools, on a daily basis and store it separately so it can’t be encrypted during another attack. This will likely cost tens of thousands of dollars a year.  
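Jenny Jun’s point in the interview above, that ransomware “can’t really coerce you” if you hold a copy of everything, and the Isle of Wight story, where the attackers encrypted the backups as well and the federation now stores a daily copy separately, both rest on the same control: a copy kept off the network whose integrity can be checked before anyone relies on it. The script below is an added example, not code from Coda Story or from any of the schools or organizations named. It records a SHA-256 manifest when a backup is taken (that manifest is what goes offline), then verifies a later copy of the backup against it and flags files that changed, went missing, or now look encrypted, either by a ransom-style suffix or by byte entropy close to 8 bits. The file names, the suffix list and the 7.5-bit threshold are assumptions chosen for illustration.

```python
"""Offline backup manifest and integrity check (constructed example).

Records a SHA-256 manifest of a backup tree at backup time (to be kept off
the network, separately from the backup itself), then verifies a later copy
against it and flags files that changed, went missing, or look encrypted.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed, illustrative suffixes; treat any unexpected suffix that appears
# across a whole backup tree in your own environment the same way.
RANSOM_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _walk(root: str):
    """Yield (relative POSIX path, file bytes) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                yield rel, fh.read()


def build_manifest(root: str) -> dict:
    """Relative path -> sha256 hex digest, captured when the backup is taken."""
    return {rel: sha256_bytes(data) for rel, data in _walk(root)}


def verify_backup(root: str, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a backup tree with the offline manifest.

    Returns lists: ok (hash matches), modified (hash differs), missing (in the
    manifest but not on disk) and suspicious (ransom-style suffix or
    high-entropy content, whether or not the path is in the manifest).
    """
    result = {"ok": [], "modified": [], "missing": [], "suspicious": []}
    seen = set()
    for rel, data in _walk(root):
        seen.add(rel)
        suffix = os.path.splitext(rel)[1].lower()
        if suffix in RANSOM_SUFFIXES or shannon_entropy(data) >= entropy_threshold:
            result["suspicious"].append(rel)
        if rel in manifest:
            bucket = "ok" if manifest[rel] == sha256_bytes(data) else "modified"
            result[bucket].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: a clean backup, then the kind of damage the article describes."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for school records and lesson plans.
        _write(root, "records/pupils.csv", b"id,year\n1,4\n2,5\n3,6\n" * 50)
        _write(root, "records/payroll.csv", b"staff,net\nT. Teacher,2100\n" * 50)
        _write(root, "lessons/week1.txt", b"Topic: rivers. Objectives: ...\n" * 50)
        manifest = build_manifest(root)  # this copy is what goes offline
        clean = verify_backup(root, manifest)

        # Simulated damage to the backup itself: payroll overwritten with
        # ciphertext-like bytes (every byte value equally often, entropy 8.0)
        # and the lesson plan renamed with a ransom-style suffix.
        _write(root, "records/payroll.csv", bytes(range(256)) * 16)
        os.rename(os.path.join(root, "lessons", "week1.txt"),
                  os.path.join(root, "lessons", "week1.txt.locked"))
        damaged = verify_backup(root, manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The manifest only helps if it is stored somewhere the backup host cannot write to; if the attacker can encrypt the backups, they can rewrite a manifest sitting beside them just as easily. The entropy check is a heuristic: compressed archives and images also score near 8 bits, so a high-entropy hit on a file that the manifest says is unchanged is noise, while a high-entropy hit on a file that has also changed is the signal worth acting on.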

Overall, Parr-Burman estimates the ransomware attack will cost IWEF up to $160,000, plus an additional $53,000 each year for increased security. 

Rebuilding databases, lesson plans and records will take hundreds of hours, on top of staff’s other responsibilities. The emotional toll is weighing on Sice and the team at Lanesend Primary. The school’s head of finance resigned recently, owing to stress. Sice says that she is trying to maintain a brave face for the children, but that she has trouble sleeping at night.   

“As head teacher, I’ve done some pretty tough things. This is the toughest. And it’s come on the back of Covid,” she said. “It’s challenging because it’s out of my control. It’s out of my expertise. And I’m relying on other people to try and get it back together. I would say it’s bent me towards breaking.” 
