By Nick Paton Walsh, CNN
Significant cyberattacks against critical targets in Europe have doubled in the past year, according to new EU figures obtained by CNN, as the pandemic pushed lives indoors and online.
The European Union Agency for Cybersecurity, ENISA, told CNN there were 304 significant, malicious attacks against “critical sectors” in 2020, more than double the 146 recorded the year before.
The agency also reported a 47% rise in attacks on hospitals and health care networks in the same period, as the same criminal networks sought to cash in on the pandemic’s most vital services.
The figures show the growing global impact of cyberattacks, often in the form of ransomware, which has recently caused havoc in the United States when the Darkside group targeted the Colonial Pipeline network causing gas station queues because of a fear of shortages.
The pandemic meant “a lot of services were provided online and that happened in a kind of rush, so security was an afterthought,” said Apostolos Malatras, team leader for knowledge and information at ENISA. At the same time people stayed indoors and had time to explore vulnerabilities in systems and critical infrastructure, he added.
Surveys of businesses by the British security firm Sophos also concluded that the average cost of a ransomware attack has doubled in the year to date. The survey estimated the cost for 2020 at $761,106, but by this year that figure had leapt to $1.85 million. The cost includes insurance, business lost, cleanup and any ransomware payments.
The rising cost reflects the greater complexity of some attacks, said John Shier, senior security adviser at Sophos, who added that while the number of attacks had dropped, their sophistication had risen.
“It looks like they are trying to be more purposeful,” Shier said. “So they’re breaching companies, understanding exactly what company they breached and trying to penetrate as fully as possible, so that they can then extract as much money as possible.”
Both Shier and Malatras pointed to the latest threat of a “triple extortion,” in which ransomware attackers freeze up data on a target’s systems through encryption, and extract it so they can threaten to publish it online. They said the attackers then adopt a third phase, using that data to attack the target’s systems and blackmail its clients or contacts.
“If you are a customer of this company whose data has been stolen, they’ll threaten to release your information or they’ll also call other companies that are your partners,” said Shier. He added the highest ransom payment he had heard of was $50 million.
A further threat involves “fileless attacks,” in which the ransomware is not delivered as a file that a victim opens by mistake, such as by clicking a suspicious link or opening an attachment. Fileless attacks seep into the operating system of a computer and often live in its RAM, making them harder for antivirus software to locate.
The US Department of Justice last week announced plans to coordinate its anti-ransomware efforts with the same protocols as it does for terrorism, and the Biden administration is considering offensive action against major ransomware groups and cyber criminals.
The approach would be in line with that taken by other allies, including the United Kingdom, which in November publicly acknowledged the existence of a National Cyber Force (NCF) to target key threats to the UK online. A spokesperson for GCHQ, the UK’s signals intelligence and information security organization, told CNN: “Last year we avowed the NCF, a partnership between GCHQ and the Ministry of Defence, with the remit to disrupt adversaries … using cyber operations to disrupt hostile state activities, terrorists, and criminal networks threatening the UK’s security.”
Tracing criminal transactions
While law enforcement and security experts say the best policy is not to pay ransoms as these encourage the criminals, there is some hope for companies that pay up.
Better technology enables some security firms to trace the crypto-currency, usually bitcoin, as criminals move it around different accounts and crypto-currencies.
This week, FBI investigators were able to recover some of the money paid out to the Darkside ransomware group by the Colonial Pipeline network, after an attack that caused significant disruption to gas supplies in the United States.
Cyber-security firm Elliptic, which assisted the FBI in that trace, said the short time that Darkside had the money meant it was unable to adequately cyber-launder the funds, so the route was easy to discover.
“At the moment, criminals want to cash out in euros or whatever in order to benefit from their criminal activity,” said Tom Robinson, chief scientist at Elliptic. This meant the crypto-currency was usually sent to a financial exchange in the real world, to be turned into real-world cash, he said.
“If the exchange is regulated, then you should be identifying their customers and reporting any suspicious activity,” said Robinson.
Tricks used to hide the route of illicit crypto-currency by criminal groups are growing in complexity, he said. Some use “mixer wallets,” which enable users’ crypto-currencies to be mixed together — like shuffling used banknotes — making ownership difficult to trace. Robinson said regulation of these wallets and all exchanges would help slow criminal incentives for using ransomware.
“It’s about identifying who the perpetrators are, but also ensuring that it’s very difficult for these criminals to cash out,” said Robinson. “It means there’s less of an incentive to commit this kind of crime in the first place.”