Ransomware and the extortion economy

13th May 2021

US company Colonial Pipeline shut down four major pipelines supplying fuel to the east coast of the US at the weekend, following a ransomware attack on their IT systems purportedly by criminal hacking gang DarkSide. The company has stated the shutdown was a precautionary measure and they have yet to comment on any damage incurred or data held to ransom. [1]

The use of ransomware has increased exponentially in the last year, with cybersecurity company Palo Alto Networks reporting that the average payment made by companies to retrieve their data has risen 171% over the past year to USD312,493. The ‘benefits’ of a ransomware attack are two-fold and referred to as ‘double extortion’: the stolen data can be uploaded to sites hosted on the dark web and managed by other ransomware operators, as well as being sold back to the hacked company. [2] Ransom demands are now so commonplace that there is a standard practice for negotiations, says Jason Kotler, CEO of cyber-negotiation company Cypfer: “For billion dollar companies, they expect multimillion dollar payments… It’s roughly a percentage of their published net revenues – half a percent for billion dollar companies.” [3]

In July 2020, US travel services company CWT Global paid USD4.5 million to have the ransomware ‘Ragnar Locker’ removed, and they are not the only company having to capitulate to these demands. The US city of Lafayette, Colorado, reportedly paid USD45,000 in ransom to regain control of their systems, [4] and technology company GARMIN fell foul of the ransomware ‘Wasted Locker’, with demands of USD10 million made to retrieve their data. GARMIN has refused to comment on whether the demands were met but regained full access to their data after a four-day shutdown, with industry experts suggesting that the level of sophistication used means the company would have had no way to recover their stolen files without paying the ransom. Cyber-security experts at Heimdal Security advise that paying the ransom goes against US government recommendations and may even be illegal in certain situations. [5]

London-based cyber-security firm Digital Shadows suggests remote working during the pandemic is partly to blame for the Colonial Pipeline attack, as engineers log in remotely and the login details used for remote access can be bought from disgruntled employees. [6] The repercussions of this latest attack against the oil industry have yet to be realised as the US government puts contingency plans in motion to continue the delivery of the much-needed fuel. Colonial Pipeline is yet to confirm whether any data was stolen, or whether the delay in re-establishing full operational capabilities is a precaution to ensure they are on top of the malware before rebooting.

For guidance on mitigating malware and ransomware attacks, see the advice published by the UK’s National Cyber Security Centre (NCSC).