It is making regular splashes across the news and has become the subject of discussion across government and corporate circles. It has featured in meetings between US president Joe Biden and Russian president Vladimir Putin. Ransomware is not only here to stay, but here to concern.
Before the July 4th holiday weekend in the US, organisations using Kaseya VSA remote management software became victims of a ransomware attack by the Russian-language group REvil. REvil is best described as your modern syndicate operator of the dark web, a digital bushranger swooping in on the data of enterprises and holding it to ransom. Unlike Ned Kelly, the gun is less important than the encryption. Once the data is seized, such outfits demand their fee for decryption. The fee for REvil: US$70 million paid in bitcoin.
The scope of the attack was impressive, affecting 1,500 companies across the globe, including five IT services companies in Australia. REvil made its Australian debut in 2020 by targeting the consulting firm Nexia Australia, from whom it demanded a $1 million ransom within 72 hours. The penalty for not doing so would have been the online release of personal information of the company’s clients, customers and staff. Noting that this was a ruse – the hackers had only obtained screenshots of Nexia’s documents – the company dismissed the threat. Unfortunately for Nexia, an online whispering campaign by the hackers claiming the company’s cybersecurity had been compromised necessitated an intense campaign of reassurance for customers that their data was safe.
In May, an audacious ransomware attack was staged against Colonial Pipeline, which supplies 45% of the US east coast’s diesel, gasoline and jet fuel. Seized and encrypted was 100 GB of company data. Subsequently found was that the company’s cyber security had been lamentably poor. The embarrassed Colonial Pipeline CEO, Joseph Blount, had to admit to a US Senate committee that the attack was aided by the absence of multifactor authentication. The company’s Virtual Private Network (VPN) “only had single-factor authentication.” Blount promised that the single password in question was “complicated” and “not a Colonial123-type password.” The senators were not impressed.
Australia has not been spared, with the number of organisations subjected to ransomware attacks growing in recent years. According to the Australian Cyber Security Centre (ACSC), there has been a 60% increase in ransomware attacks against Australian entities in the past year alone.
This year has already witnessed a string of notable attacks: two, one during February, the other in May against logistics company Toll Holdings; an infiltration of Nine News Entertainment in March that affected news bulletins and newspapers; and the June penetration of the world’s largest meat supplier, JBS Foods, affecting 47 facilities in Australia alone. REvil again featured prominently.
In her testimony before the Parliamentary Joint Committee on Intelligence and Security last month, Rachel Noble, director-general of the Australian Signals Directorate, spoke of the economic cost of such attacks to Australia. Citing an assessment from the ACSC, Noble claimed that Australia could face losses amounting to $30 billion and 160,000 or more jobs. Specific sectors had also been targeted for their vulnerabilities, with health being particularly susceptible “because their employees work endlessly and tirelessly to help us in a pandemic.”
Not that this surge has necessarily caused the required concern. Chief technology officer Michael Sentonas, who works for cyber security firm Crowdstrike, is rather taken aback by what he sees as a dangerous complacency in Australia. “I still speak to a lot of Australian organisations that say, ‘Why would somebody attack us?’” In its 2020 Global Security Attitude Survey report of 2,200 senior IT decision-makers and IT security professionals, Crowdstrike found that two-thirds of Australian organisations had been targeted by ransomware attacks. Of these, 44, or a third, had paid the ransom.
A problem identified by the ASD is the reluctance of some victim organisations to cooperate with agencies after an attack. Noble furnished a clear example, citing an instance when a certain entity did not wish to discuss a ransomware attack upon its services with the ASD when approached. For that reason, the actor was left unidentified. Five days later, there was only “very sluggish engagement with the agency” and by day 14, the ASD was “only able to provide them with generic protection advice, and their network was still down. Three months later, they got reinfected and we started again.”
The approaches taken by organisations infected by such ransomware vary. Holding off on paying the ransom and having backup systems is certainly one way of doing things. This was not the case with Colonial Pipeline, which decided, fairly quickly, to fork out the fee. While it remains unclear, JBS seems to have taken the position that it was faring well in coping with the attack and felt no need to pay the ransom. It had also received support from Australian, Canadian and US authorities, including the FBI.
Those using Kaseya’s software faced mixed results. First, REvil reduced the amount demanded by US$20 million. Then, on July 13, the group went offline, suddenly abandoning forums, disconnecting servers and shutting down a page on the dark web that facilitated communications with victims. Eight days later, Kaseya revealed it had obtained a universal decryptor from an unspecified “third party” to restore the encrypted data, surprising many of its clients. The organisation had “teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor.”
Those wishing to know more about how the key was obtained will be left disappointed. Kaseya has made its customers sign non-disclosure agreements as a condition to obtaining the decryptor. This has encouraged speculation. Was the Russian government, pressured by the Biden administration, the source of the key? Was the smaller ransom paid, after which the hackers went into hiding?
For Australian companies, the lessons seem clear enough in an age of increasingly effective and disparate ransomware deployments: disclose the incident as quickly as possible to investigative bodies such as the ASD; maintain backup infrastructure for data; and practise what IT professionals like to call good password hygiene.