Washington, D.C., Police Chief Robert Contee addresses reporters in January. The police department has acknowledged that its computer network has been breached by attackers seeking a ransom. Such attacks against local governments, hospitals and corporations have been rising sharply.
The NBA’s Houston Rockets were hit by a ransomware attack earlier this month. Now it’s the Washington, D.C., police department. The common thread is a ransomware group called Babuk, which was unknown and likely didn’t exist until it began posting on the dark web early this year.
This group is just one of many that reflect the proliferation of ransomware outfits that are increasingly sophisticated, specialized and largely beyond the reach of law enforcement.
In short, the cybercriminals have the upper hand, while U.S. authorities and those targeted are struggling to keep up, according to cybersecurity experts.
“There are certainly cases where people have been caught for running ransomware attacks, but it seems like it is a pretty small minority,” said Ryan Olson, vice president of threat intelligence at the cybersecurity firm Palo Alto Networks. “It doesn’t seem like there’s a high likelihood of a ransomware attacker today ending up in handcuffs.”
Solid numbers are hard to come by since many attackers and victims don’t want to be identified. But Palo Alto Networks was able to gather information on more than 300 cases worldwide last year that reflected several clear trends.
— Payments are soaring. The average ransomware payment in the U.S., Canada and Europe nearly tripled last year, going from $115,000 in 2019 to $312,000 in 2020.
— The U.S. remains the most targeted country by far, suffering 151 of the attacks last year, or nearly half of those in which information was available.
— A rise in “double extortion.” This is when an attacker seizes data and demands payment. If the money isn’t forthcoming, the attackers will publish the data in an attempt to damage or embarrass the victim.
Many ransomware groups are believed to be operating from Russia and parts of Eastern Europe — countries that don’t extradite suspects to the U.S. Still, it’s hard to nail down the exact locations of the attackers since so few cases result in arrests and prosecutions.
A task force made up of cyber experts from government, academia and the private tech sector released a report Thursday that calls ransomware a “national security risk that threatens schools, hospitals, businesses, and governments across the globe.” The report includes dozens of recommendations, including a call for increased international cooperation.
In the D.C. case, the Babuk hackers said Monday they had seized a large cache of computer records from the D.C. police department, and unless they receive an undisclosed ransom payment, they’ll post confidential police files.
The D.C. police have confirmed the breach, but haven’t provided details.
Cybersecurity experts says the D.C. police would be trying to determine a number of basic facts about the stolen data. Is it mission-critical information needed to make arrests and prosecutions? Or is it mostly information that could be embarrassing and disrupt operations in a limited way, like revealing the disciplinary records of police officers or publishing the names of police informants?
Those are just a few of the factors that could determine whether the police pay a ransom, and if so, how much.
The reality is that many cases do end with ransoms being paid.
Babuk has posted statements on the dark web in fractured English and Russian, suggesting it may be a Russian organization.
The group calls itself a bunch of “cyberpunks” who describe their work as “audits” that test the cybersecurity of organizations.
The group lays out a strange list of organizations it will and won’t attack. Babuk says it won’t go after hospitals or medical facilities — except for plastic surgery and private dental clinics.
Babuk considers charitable foundations to be off-limits but says it will pursue those that support the Black Lives Matter movement or LGBT organizations.
Babuk also pledges to refrain from hitting companies with annual revenue of less than “4 mln$.” That style reflects the way a monetary figure would be written in Russian, rather than the way it would typically be written in English, as “$4 million.”
According to Kimberly Goody, manager of cybercrime analysis for Mandiant Threat Intelligence, ransomware attackers like Babuk now tend to be highly specialized. They often partner to carry out different parts of an attack, then split up the ransom money afterward.
“With a typical ransomware operation that we see today, one threat actor is gaining access to organizations, another is deploying the ransomware, and then maybe a third party is providing the ransomware that is actually deployed,” she said.
In the attacks, two groups are frequent targets — hospitals and local governments.
With hospitals, patient data can be a matter of life and death. If attackers lock up a hospital’s computers, it has to respond urgently and that almost always means paying a ransom.
Both hospitals and municipal governments are considered prime targets for other reasons. They have money to pay ransoms, and increasingly they have insurance that will help cover the cost.
They tend to be vulnerable because they have large numbers of people logging on to their computer systems, and many have invested little in cybersecurity.
More than two dozen local governments have reportedly been hit so far this year.
Attackers do go after small towns and organizations, which will likely have limited cyberdefenses. But with little fear of prosecution, cybercriminals often prefer bigger targets with deeper pockets.
“Threat actors have been targeting organizations that would be considered larger Fortune 500 companies, instead of smaller organizations, partially because they can elicit higher payments from larger organizations,” said Goody.
For several years now, ransomware groups have demanded payment in cryptocurrencies, which can be difficult, though not impossible, to trace.
Olson, of Palo Alto Networks, says ransomware groups can be most at risk of being identified “when they’re moving money around inside the financial system, rather than when they’re actually launching the attacks.”
“That’s where there’s a lot of data that gets attached to an actual human with a name. And those suspicious transfers can really stand out,” he added.
Greg Myre is an NPR national security correspondent.