At the end of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. "It is a life-or-death situation," the technician said at the time.
The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.
Ransomware has been around for decades, and it's a fairly straightforward attack: Hackers distribute malware that mass-encrypts data or otherwise blocks access to a target's systems, and then demand payment to release the digital hostages. It's a well-known threat, but one that's difficult to eradicate—something as simple as clicking a link or downloading a malicious attachment could give attackers the foothold they need. And even without that type of human error, large corporations and other institutions like municipal governments still struggle to devote the resources and expertise necessary to lay down basic defenses. After watching these attacks in 2020, though, incident responders say that the problem has escalated and that the ransomware forecast for next year looks pretty dire.
"I see no reason why ransomware would slow down in 2021," says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant, which is owned by FireEye. "Everything that's played out this year leads me to believe it's going to just keep getting worse until something really dramatic happens. I anticipate seeing threat actors get more disruptive."
Though some researchers say that the scale and severity of ransomware attacks crossed a bright line in 2020, others describe this year as simply the next step in a gradual and, unfortunately, predictable devolution. After years spent honing their techniques, attackers are growing bolder. They've begun to incorporate other types of extortion like blackmail into their arsenals, by exfiltrating an organization's data and then threatening to release it if the victim doesn't pay an additional fee. Most significantly, ransomware attackers have transitioned from a model in which they hit lots of individuals and accumulated many small ransom payments to one where they carefully plan attacks against a smaller group of large targets from which they can demand massive ransoms. The antivirus firm Emsisoft found that the average requested fee has increased from about $5,000 in 2018 to about $200,000 this year.
To make all of this happen, ransomware gangs have professionalized. A whole underground economy has developed to provide support services like stolen credentials or even consulting time with network access specialists. As a result, Emsisoft threat analyst Brett Callow says, it's not so much that the quantity or pattern of attacks has changed; it's that those attacks have become even more effective and intrusive.
"Ransomware always has peaks and troughs," Callow says. "I really think that things haven’t changed much over the course of the year. It's something that's gradual over a period of time. But credit where credit is due, the ransomware groups have done a tremendous job of growing their business."
Researchers and incident responders are wholly focused on trying to change ransomware's threatening course. On Monday, the Institute for Security and Technology launched a Ransomware Task Force with partners like Microsoft, the Shadowserver Foundation, Citrix, and McAfee.
"Ransomware incidents have been growing unchecked, and this economically destructive cybercrime has increasingly led to dangerous, physical consequences," the group said in a statement. "The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address."
One way the security industry has been working to stop more ransomware attacks is through information sharing between incident responders and institutions that may be on attackers' hit lists. Defenders can get ahead of certain campaigns, because increasingly hackers will infiltrate a target network and then wait patiently to deploy their ransomware at the most strategic moment—meaning the most disadvantageous moment for victims. For example, in a number of ransomware attacks on schools this fall, hackers laid groundwork during the summer but waited to actually launch their assault so districts would be caught at a busy time. While it can create leverage and urgency that forces victims to pay, this approach also gives incident responders an opening to detect and neutralize network threats before hackers actually use their position to mount an attack.
Mandiant's Carmakal also notes that some major law enforcement actions related to ransomware will become public in 2021. "We'll see the fruits of that in the coming months," he says. "Law enforcement is particularly interested in arrests and indictments that can have a real impact on threat actors." International cooperation to apprehend and prosecute individuals is crucial to making a dent in the problem. There may also need to be other strong policy efforts from countries like the US, such as sanctions against countries that harbor ransomware actors.
For now, though, responders emphasize that companies and other organizations can still protect themselves. They can make ransomware less lucrative for attackers by focusing on basic security protections and tightening their defenses in fundamental ways. This not only makes it more difficult for attackers to find vulnerable targets in the first place; it can make it less likely that victims will actually need to pay a ransom to restore their services if they do get hit.
“Organizations need to get the basics right, that is absolutely critical,” Emsisoft's Callow says. “In the past, companies could often get away with having somewhat weak security, but now they can’t. They'll pay the price literally and figuratively.”