The frequency, scope and scale of ransomware attacks against public and private systems is accelerating. In the latest incident, the ransomware group REvil has demanded $70 million to unlock the systems of the software company Kaseya, an attack that affects not only Kaseya, but simultaneously exploits all of the company’s clients.
The REvil, JBS meatpacking and Colonial Pipeline attacks have abruptly raised the profile of ransomware from a malicious strand of criminality to a national security priority. These are issues that Christopher Painter, an affiliate at the Center for International Security and Cooperation (CISAC), has worked on at length during his tenures as a senior official at the Department of Justice, the FBI, the National Security Council and as the world's first top cyber diplomat at the State Department.
Jen Kirby, a reporter for Vox, interviewed Painter to discuss how cybercrimes are evolving and what governments should do to keep ransomware attacks from escalating geopolitical tensions online and off.
I think a good place to start would be: What are “ransomware attacks”?
It is largely criminal groups who are getting into computers through any number of potential vulnerabilities, and then they essentially lock the systems — they encrypt the data in a way that makes it impossible for you to see your files. And they demand ransom, they demand payment. In exchange for that payment, they will give you — or they claim, they don’t always do it — they claim they’ll give you the decryption keys, or the codes, that allow you to unlock your own files and have access to them again.
That is what traditionally we say is “ransomware.” That’s been going on for some time, but it’s gotten much more acute recently.
There is another half of that, which is that groups don’t just hold your files for ransom, they either leak or threaten to leak or expose your files and your information — your secrets and your emails, whatever you have — publicly, either in an attempt to embarrass you or to extort more money out of you, because you don’t want those things to happen. So it’s split now into two tracks, but they’re a combined method of getting money.
We’ve recently had some high-profile ransomware attacks, including this recent REvil incident. Is it that we’re seeing a lot more of them, or they’re just bigger and bolder? How do you assess that ransomware attacks are becoming more acute?
We’ve seen this going on for some time. I was one of the co-chairs of this Ransomware Task Force that issued a report recently. One of the reasons we did this report was we’re trying to call greater attention to this issue. Although governments and law enforcement were taking it seriously, it wasn’t being given the kind of national-level priority it deserved.
It was being treated as more of an ordinary cybercrime issue. Most governments’ attention is focused on big nation-state activity — like the SolarWinds hack [where suspected Russian government hackers breached US government departments], which are important, and we need to care about those. But we’re very worried about this, too.
It’s especially become more of an issue during the pandemic, when some of the ransomware actors were going after health care systems and health care providers.That combined with these big infrastructure attacks — the Colonial Pipeline clearly was one of them. Another one was the meat processing plants. Another one was hospital systems in Ireland. You also had the DC Police Department being victimized by ransomware. These things are very high-profile. When you’re lining up for gas because of a ransomware attack, and you can’t get your food because of a ransomware attack, that brings it home as a priority. And then, of course, you have what happened this past weekend. So ransomware has not abated, and it continues to get more serious and hit more organizations.