Margo Anderson is senior associate editor and telecommunications editor at IEEE Spectrum.
Thirty-five years ago, a misguided AIDS activist developed a piece of malware that encrypted a computer’s filenames—and asked for US $189 to obtain the key that unlocked an afflicted system. This “AIDS Trojan” holds the dubious distinction of being the world’s first piece of ransomware. In the intervening decades the encryption behind ransomware has become more sophisticated and harder to crack, and the underlying criminal enterprise has only blossomed like a terrible weed. Among the shadiest of online businesses, ransomware crossed the $1 billion mark in ransoms paid out last year, and the threat is still rising. And in the same way that the “as a service” business model has sprouted up with software-as-a-service (SaaS), the ransomware field has now spawned a ransomware-as-a-service (RaaS) industry.
Guillermo Christensen is a Washington, D.C.-based lawyer at the firm K&L Gates. He’s also a former CIA officer who was detailed to the FBI to help build the intelligence program for the Bureau. He’s an instructor at the FBI’s CISO Academy—and a founding member of the Association of U.S. Cyber Forces and the National Artificial Intelligence and Cybersecurity Information Sharing Organization. IEEE Spectrum spoke with Christensen about the rise of ransomware-as-a-service as a new breed of ransomware attacks and how they can be understood—and fought.
How has the ransomware situation changed in recent years? Was there an inflection point?
Christensen: I would say, [starting in] 2022, the defining feature of which is the Russian invasion of Eastern Ukraine. I see that as a kind of a dividing line in the current situation.
[Ransomware threat actors] have shifted their approach towards the core infrastructure of companies. And in particular, there are groups now that have had remarkable success encrypting the large-scale hypervisors, these systems that basically create fake computers, virtual machines that run on servers that can be enormous in scale. So by being able to attack those resources, the threat actors are able to do massive damage, sometimes taking down an entire company’s infrastructure in one attack. And some of these are due to the fact that this kind of infrastructure is hard to keep updated to patch for vulnerabilities and things like that.
Before 2022, many of these groups did not want to attack certain kinds of targets. For example, when the Colonial Pipeline company [was attacked], there was a lot of chatter afterwards that maybe that was a mistake because that attack got a lot of attention. The FBI put a lot of resources into going after [the perpetrators]. And there was a feeling among many of the ransomware groups, “Don’t do this. We have a great business here. Don’t mess it up by making it so much more likely that the U.S. government’s going to do something about this.”
How did you know the threat actors were saying these sorts of things?
Christensen: Because we work with a lot of threat intelligence experts. And a threat intelligence expert does a lot of things. But one of the things they do is they try to inhabit the same criminal forums as these groups—to get intelligence on what are they doing, what are they developing, and things like that. It’s a little bit like espionage. And it involves creating fake personas that you insert information, and you develop credibility. The other thing is that the Russian criminal groups are pretty boisterous. They have big egos. And so they also talk a lot. They talk on Reddit. They talk to journalists. So you get information from a variety of sources. Sometimes we’ve seen the groups, for example, actually have codes of ethics, if you will, about what they will or won’t do. If they inadvertently attack a hospital, when the hospital tells them, “Hey, you attacked the hospital, and you’re supposed to not do that,” in those cases, some of these groups have decrypted the hospital’s networks without charging a fee before.
But that, I think, has changed. And I think it changed in the course of the war in Ukraine. Because I think a lot of the Russian groups basically now understand we are effectively at war with each other. Certainly, the Russians believe the United States is at war with them. If you look at what’s going on in Ukraine, I would say we are. Nobody declares war on each other anymore. But our weapons are being used in fighting.
And so how are people responding to ransomware attacks since the Ukraine invasion?
Christensen: So now, they’ve taken it to a much higher level, and they’re going after companies and banks. They’re going after large groups and taking down all of the infrastructure that runs everything from their enterprise systems, their ERP systems that they use for all their businesses, their emails, et cetera. And they’re also stealing their data and holding it hostage, in a sense.
They’ve gone back to, really, the ultimate pain point, which is, you can’t do what your business is supposed to do. One of the first questions we ask when we get involved in one of these situations—if we don’t know who the company is—is “What is effectively the burn rate on your business every day that you’re not able to use these systems?” And some of them take a bit of effort to understand how much it is. Usually, I’m not looking for a precise amount, just a general number. Is it a million dollars a day? Is it 5 million? Is it 10? Because whatever that amount is, that’s what you then start defining as an endpoint for what you might need to pay.
What is ransomware-as-a-service? How has it evolved? And what are its implications?
Christensen: Basically, it’s almost like the ransomware groups created a platform, very professionally. And if you know of a way to break into a company’s systems, you approach them and you say, “I have access to this system.” They also will have people who are good at navigating the network once they’re inside. Because once you’re inside, you want to be very careful not to tip off the company that something’s happened. They’ll steal the [company’s] data. Then there’ll be either the same group or someone else in that group who will create a bespoke or customized version of the encryption for that company, for that victim. And they deploy it.
Then they have a negotiator who will negotiate the ransom. And they basically have an escrow system for the money. So when they get the ransom money, the money comes into one digital wallet—sometimes a couple, but usually one. And then it gets split up among those who participated in the event. And the people who run this platform, the ransomware-as-a-service, get the bulk of it because they did the work to set up the whole thing. But then everybody gets a cut from that.
And because you’re doing it at scale, the ransomware can be fairly sophisticated and updated and made better every time from the lessons they learn. So that’s what ransomware as a service is.
How do ransomware-as-a-service companies continue to do business?
Christensen: Effectively, they’re untouchable right now, because they’re mostly based in Russia. And they operate using infrastructure that is very hard to take down. It’s almost bulletproof. It’s not something you can go to a Google and say, “This website is criminal, take it down.” They operate in a different type of environment. That said, we have had success in taking down some of the infrastructure. So the FBI in particular working with international law enforcement has had some remarkable successes lately because they’ve been putting a lot of effort into this in taking down some of these groups. One in particular was called Hive.
They were very, very good, caused a lot of damage. And the FBI was able to infiltrate their system, get the decryption keys effectively, give those to a lot of victims. Over a period of almost six months, many, many companies that reported their attack to the FBI were able to get free decryption. A lot of companies didn’t, which is really, really foolish, and they paid. And that’s something that I often just am amazed that there are companies out there that don’t report to the FBI because there’s no downside to doing that. But there are a lot of lawyers who don’t want to report for their clients to the FBI, which I think is incredibly short-sighted.
But it takes months or years of effort. And the moment you do, these groups move somewhere else. You’re not putting them in jail very often. So basically, they just disappear and then come together somewhere else.
What’s an example of a recent ransomware attack?
Christensen: One that I think is really interesting, which I was not involved with, is the attack on a company called CDK. This one got quite a bit of publicity. So details are quite well known. CDK is a company that provides the back office services for a lot of car dealers. And so if you were trying to buy a car in the last couple of months, or were trying to get your car serviced, you went to the dealer, and they were doing nothing on their computers. It was all on paper.
And this has actually had quite an effect in the auto industry. Because once you interrupt that system, it cascades. And what they did in this particular case, the ransomware group went after the core system knowing that this company would then basically take down all these other businesses. So that it was a very serious problem. The company, from what we’ve been able to read, made some serious mistakes at the front end.
The first thing is rule number one, when you have a ransomware or any kind of a compromise of your system, you first have to make sure you’ve ejected the threat actor from your system. If they’re still inside, you’ve got a big problem. So what it appears is that they realized they [were being attacked] over a weekend, I think, and they realized, “Boy, if we don’t get these systems back up and running, a lot of our customers are going to be really, really upset with us.” So they decided to restore. And when they did that, they still had the threat actor in the system.
And it appears the threat actor then came back in and attacked a second time, this time, harming broader systems, including backups. So when they did that, they essentially took the company down completely, and it’s taken them at least a month plus to recover, costing hundreds of millions of dollars.
So what could we take as lessons learned from the CDK attack?
Christensen: There are a lot of things you can do to try to reduce the risk of ransomware. But the number one at this point is you’ve got to have a good plan, and the plan has got to be tested. If the day you get hit by ransomware is the first day that your leadership team talks about ransomware or who’s going to do what, you are already so behind the curve.
And a lot of people think, “Well, a plan. Okay. So we have a plan. We’re going to follow this checklist.” But that’s not real. You don’t follow a plan. The point of the plan is to get your people ready to be able to deal with this. It’s the planning that is essential, not the plan. And that takes a lot of effort.
I think a lot of companies, frankly, don’t have the imagination at this point to see what could happen to them in this kind of attack. Which is a pity because, in a lot of ways, they’re gambling that other people are going to get hit before them. And from my perspective, that’s not a serious business strategy. Because the prevalence of this threat is very serious. And everybody’s more or less using the same system. So you really are just gambling that they’re not going to pick you out of another 10 companies.
What are some of the new technologies and techniques that ransomware groups are using today to evade detection and to bypass security measures?
Christensen: So by and large, they mostly still use the same tried and true techniques. And that’s unfortunate because what that should tell you is that many of these companies have not improved their security based on what they should have learned. So some of the most common attack vectors, the ways into these companies, come down to the fact that some part of the infrastructure is not protected by multi-factor authentication.
Companies often will say, “Well, we have multi-factor authentication on our emails, so we’re good, right?” What they forget is that they have a lot of other ways into the company’s network—mostly things like virtual private networks, remote tools, lots of things like that. And those are not protected by multi-factor authentication. And they get discovered, and it’s not difficult for a threat actor to find them, because usually, if you look at, say, a listing of software that a company is using, and you can scan these things externally, you’ll see the version of a particular type of software. And you know that that software does not support multi-factor authentication perhaps, or it’s very easy to see that when you put in a password, it doesn’t prompt you for a multi-factor. Then you simply use brute force techniques, which are very effective, to guess the password, and you get in.
Everybody, practically speaking, uses the same passwords. They reuse the passwords. So it’s very common for these criminal groups that hacked, say, a large company on one level, they get all the passwords there. And then they figure out that that person is at another company, and they use that same password. Sometimes they’ll try variations. That works almost 100 percent of the time.
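The pattern Christensen describes in the last two answers, a remote-access service with no second factor, a password guessed or reused, and a quiet login that follows, leaves a recognizable trace in gateway authentication logs. The following is an added example of the defender's side of that picture, not code from the interview, from K&L Gates, or from any vendor: it parses a constructed VPN log in a hypothetical `user= src= result= mfa=` format and flags repeated failures against one account, one source spraying many accounts, and a success with no MFA that follows failures. Field names, thresholds and the sample addresses are all assumptions chosen for illustration.

```python
"""Flag brute-force, password-spray and no-MFA-success patterns in VPN auth logs.

Added example. The log format (fields user=, src=, result=, mfa=) and the
detection thresholds are assumptions for illustration, not a real product's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical gateway format, documentation IPs).
SAMPLE_LOG = """\
2024-07-01T02:00:01Z vpn-gw auth user=alice src=203.0.113.5 result=fail mfa=none
2024-07-01T02:00:02Z vpn-gw auth user=alice src=203.0.113.5 result=fail mfa=none
2024-07-01T02:00:03Z vpn-gw auth user=alice src=203.0.113.5 result=fail mfa=none
2024-07-01T02:00:04Z vpn-gw auth user=alice src=203.0.113.5 result=fail mfa=none
2024-07-01T02:00:05Z vpn-gw auth user=alice src=203.0.113.5 result=fail mfa=none
2024-07-01T02:00:06Z vpn-gw auth user=alice src=203.0.113.5 result=success mfa=none
2024-07-01T02:10:00Z vpn-gw auth user=bob src=198.51.100.7 result=fail mfa=none
2024-07-01T02:10:01Z vpn-gw auth user=carol src=198.51.100.7 result=fail mfa=none
2024-07-01T02:10:02Z vpn-gw auth user=dave src=198.51.100.7 result=fail mfa=none
2024-07-01T02:10:03Z vpn-gw auth user=erin src=198.51.100.7 result=fail mfa=none
2024-07-01T02:10:04Z vpn-gw auth user=frank src=198.51.100.7 result=fail mfa=none
2024-07-01T09:00:00Z vpn-gw auth user=grace src=192.0.2.10 result=fail mfa=totp
2024-07-01T09:00:20Z vpn-gw auth user=grace src=192.0.2.10 result=success mfa=totp
"""

# Assumed line layout: "<ts> <host> auth user=<u> src=<ip> result=<r> mfa=<m>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into dicts with a real datetime; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; not an auth event
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=5):
    """Return sorted (kind, src, user) findings from a time-ordered sweep.

    brute_force:   one source fails >= fail_threshold times on one account in the window
    password_spray: one source fails on >= spray_threshold distinct accounts in the window
    success_without_mfa_after_failures: a login with mfa=none that follows failures
                   from the same source on the same account (a guessed password worked
                   on a service that asked for nothing else)
    """
    events = sorted(events, key=lambda e: e["ts"])
    findings = set()
    failures = defaultdict(list)  # src -> [(ts, user)] failures still inside the window

    for ev in events:
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        # Slide the window: forget failures from this source older than `window`.
        recent = [(t, u) for (t, u) in failures[src] if ts - t <= window]
        failures[src] = recent

        if ev["result"] == "fail":
            recent.append((ts, user))
            same_user = sum(1 for _, u in recent if u == user)
            if same_user >= fail_threshold:
                findings.add(("brute_force", src, user))
            if len({u for _, u in recent}) >= spray_threshold:
                findings.add(("password_spray", src, "*"))
        elif ev["result"] == "success":
            prior_failures = sum(1 for _, u in recent if u == user)
            if prior_failures > 0 and ev["mfa"] == "none":
                findings.add(("success_without_mfa_after_failures", src, user))

    return sorted(findings)


if __name__ == "__main__":
    for kind, src, user in detect(parse(SAMPLE_LOG)):
        print(f"{kind:38s} src={src:15s} user={user}")
```

On the constructed input the sweep reports a brute-force run and a no-MFA success for `alice` from `203.0.113.5`, a spray across five accounts from `198.51.100.7`, and nothing for `grace`, whose one failure was followed by a TOTP-protected login. The third finding is the one worth paging someone for: it is exactly the "password works, no second prompt" condition described above, and it is also the point at which, per the CDK discussion, ejecting the intruder matters more than restoring service.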
Is there a technology that anti-ransomware advocates and ransomware fighters are waiting for today? Or is the game more about public awareness?
Christensen: Microsoft has been very effective at taking down large bot infrastructures, working with the Department of Justice. But this needs to be done with more independence, because if the government has to bless every one of these things, well, then nothing will happen. So we need to set up a program. We allow a certain group of companies to do this. They have rules of engagement. They have to disclose everything they do. And they make money for it.
I mean, they’re going to be taking a risk, so they need to make money off it. For example, be allowed to keep half the Bitcoin they grab from these groups or something like that.
But I think what I would like to see is that these threat actors don’t sleep comfortably at night, the same way that the people fighting defense right now don’t get to sleep comfortably at night. Otherwise, they’re sitting over there being able to do whatever they want, when they want, at their initiative. In a military mindset, that’s the worst thing. When your enemy has all the initiative and can plan without any fear of repercussion, you’re really in a bad place.