A slew of disruptive ransomware attacks have rattled the U.S., including the recent massive breach of software company Kaseya, and a reported attempted hack on the Republican National Committee. In the aftermath, both the corporate sector and U.S. government officials are scrambling to address how Congress and individual businesses should handle the growing threat.
“We’ve got a moment in time where you can’t ignore it anymore,” said Sen. Lindsey Graham, R-S.C., at a June 17 press conference to unveil legislation that would target cybercrime. Graham said cyber threats should be considered part of the nation’s core infrastructure.
On July 2, the Miami-based software company Kaseya announced it was investigating a possible cyber attack on its VSA software, an IT management tool. According to Kaseya, many customers who use the compromised software provide third-party IT service to between 800,000 and 1 million other companies, intensely magnifying the possible impact of the breach, which used a technique called a “supply-chain attack.”
Kaseya said Monday that the breach compromised just 800 to 1,500 of those companies, still making it one of the largest ransomware attacks to date. Hackers thought to be associated with the group REvil requested a $70 million payment in Bitcoin to unlock the compromised data. The attack is not thought to have damaged any U.S. critical infrastructure.
But earlier attacks have made it clear that U.S. critical infrastructure is not safe from cybercrime. In May, a ransomware attack left Colonial Pipeline stalling its operations, prompting consumers to flood gas stations amid fears of a gas shortage. The company paid upwards of $5 million to the hackers in Bitcoin — the currency of their choosing — before the government recovered about half back. And just weeks later, cybercriminals ransomed meat-packer JBS, forcing some of its facilities to temporarily close before they paid $11 million in ransom.
These attacks — along with news of several high-profile data breaches linked to the Russian government-backed hack of American software company SolarWinds, including at tech titans like Microsoft — have prompted questions about how these attacks have occurred, and how to better guard against them.
State and local leaders testified June 17 before the Senate about how the cyber threats they face have grown. And along with the increased penalties for cybercriminals included in a bipartisan Senate infrastructure package, a second bipartisan Senate bill would require public and private entities to report cybersecurity breaches to the government within 24 hours, as well as add liability protections to help encourage businesses to come forward.
Here’s what you should know as debate over cybersecurity and how to fight ransomware continues.
What is ransomware?
Traditionally, ransomware is a kind of malicious software that encrypts a user’s files, making them impossible to access without a key. In exchange for that key, a user must pay a ransom to the attackers withholding the data.
This model has existed for more than two decades, emerging in the late 1980s and rising in popularity and complexity in the early 2010s. But experts say the attacks that have recently embroiled companies in the U.S. are more complex. Not only have the keys for unlocking files become much harder to crack without paying the ransom, the stakes for victims have also grown.
“We’ve seen ransomware grow to a point where now it’s not just about locking up data and just collecting a ransom to release that data,” said Steve Morgan, CEO of market research firm and publisher Cybersecurity Ventures. “It’s about extortion.”
Hackers now threaten to leak or sell sensitive information accessed through a process called “dwelling,” in which they spend weeks or months embedded in an organization’s computer system undetected. Spending time inside the network of an organization allows cybercriminals to find the most valuable data to encrypt and exploit, said cyber defense specialist Roger Grimes.
“An encryption is the least of your worries,” said Grimes, a so-called “Data-driven Defense Evangelist” with the cybersecurity training company KnowBe4. “If you’re checking your bank account, 401(k), medical stuff, the bad guys are getting all that information.”
And the damage doesn’t end there. News of data breaches and cyber attacks can hurt a company’s reputation on several fronts: it generates bad press, it can turn employees or customers against the victimized organization and it proves further to cybercriminals that the organization is vulnerable to these types of attacks. These many factors, which Grimes calls “quintuple extortion,” push companies to pay hackers the ransom.
Ransomware attacks have garnered increasing attention as more and larger attacks continue to plague U.S. entities. A recent report from the Institute for Security and Technology found that the number of victims paying the ransom increased more than 300 percent from 2019 to 2020. Experts say the attacks act in a vicious cycle: a company is hit and pays the ransom, the attack is widely publicized, more hackers see the attack’s success and want to do it themselves, with increasing stakes for steeper payouts.
Are ransomware attacks actually rising, or just becoming more high-profile?
The answer is yes to both, experts say. Not only has the sheer number of attacks increased, the price of ransoms has, too.
“Without question, we’re seeing an explosion of ransomware attacks,” said Steve Morgan, who is also the editor-in-chief of Cybercrime Magazine.
Between 2019 and 2020, ransomware attacks rose by 62 percent worldwide, and by 158 percent in North America alone, according to cybersecurity firm SonicWall’s 2021 report. The FBI received nearly 2,500 ransomware complaints in 2020, up about 20 percent from 2019, according to its annual Internet Crime Report. The collective cost of the ransomware attacks reported to the bureau in 2020 amounted to roughly $29.1 million, up more than 200 percent from just $8.9 million the year before.
The largest reason for the increase in these attacks, Morgan argues, is that more companies are choosing to pay the ransom to get their data back, and cybercriminals are taking note.
“It’s the proverbial get rich quick scheme for a lot of criminals,” he said.
Other cybersecurity professionals, including Luta Security founder & CEO Katie Moussouris, cite the rise of cryptocurrency like Bitcoin as a major reason for the increase in ransomware attacks. The value of Bitcoin, now down from a peak of around $60,000 earlier this year, rose more than 800 percent between April 2020 and April 2021, according to data from CoinDesk. Cryptocurrencies like Bitcoin are less regulated and harder to trace than other forms of payment, making them attractive to hackers.
“The cryptocurrency exchanges, outside the U.S. especially, allow for a lot more anonymity in these transactions that are criminal in nature,” Moussouris said.
A third reason for the uptick in attacks is simply the growing number of people online, said Morgan. Though internet use has risen steadily since the web’s inception, the pandemic prompted a spike in internet usage across the world, especially as many shifted to working and learning remotely. Like a populous city, Morgan said, more humans online means more crime.
As the rate of crime grows, so do the payouts. Global ransomware costs are expected to reach $20 billion in 2021, according to the latest report from Cybersecurity Ventures. That’s up from an estimate of $325 million in 2015, a 57-fold increase over the last six years. And cybercrime costs in general, now estimated at around $6 trillion for 2021, are expected to continue their rise at a rate of 15 percent each year for the next five years, the firm predicts.
In a vicious cycle, the many factors that push a company to pay the ransom incentivize cybercriminals to continue ransomware attacks and ask for higher sums of money.
“Imagine if people were able to rob banks, walk away with money and never get caught,” said Grimes. “Would we have more or less bank robberies?”
What can be done to stop ransomware?
The first step to dealing with any kind of cybercrime is to be proactive rather than reactive, experts say.
“Be prepared,” Morgan advised. “Engage expertise you don’t have before you’re hit with ransomware.”
He counsels companies to reach out to the FBI’s cybercrime arm, cybersecurity firms and other law enforcement to help stop attacks before they start. Organizations should be backing up every piece of data they have and investing in insurance policies that cover cyberattacks, he said.
Many organizations are taking heed: the proportion of companies with a cyber policy in addition to their existing coverage rose from about a quarter in 2016 to nearly half in 2020, according to a May report from the Government Accountability Office. But with the risk and cost of cybercrime on the rise, insurance agencies are faced with the question of how to continue coverage without losing money.
In the event of a ransomware attack, the FBI and many cybersecurity experts have been firm in urging victims not to pay up.
“Ideally you’re dealing with your security hygiene number one,” Moussouris said. “But if it’s already too late and you’ve been hit, try and determine what options you have that do not include paying the ransom.”
Still, that’s not always a practical solution for especially vulnerable industries like healthcare, which saw a 123 percent increase in attacks per customer last year, according to SonicWall’s report. In those cases, although paying the ransom may seem the only option, Morgan says preparation is even more important.
“Every hospital in the country should ask themselves, ‘What do we do if the oncology equipment goes down?’” he said. “Otherwise they’ll pay the ransom.”
Individuals can also take fairly simple steps to make their own information more secure, said KnowBe4’s Roger Grimes. First, be wary of social engineering, or attackers pretending to be someone they’re not. That alone accounts for between 70 percent and 90 percent of cyberattacks, according to Grimes’ research.
“Don’t get tricked into doing something you shouldn’t do,” he said. “That’s how most people are compromised.”
Phishing emails are a classic example of social engineering, Grimes said. That’s when a hacker poses as someone else in an email — maybe pretending to be a colleague or a trusted company — in an attempt to make the user click a link containing malicious software that would compromise their computer.
He also recommends regularly updating software, which often includes fixes to “patch” vulnerabilities developers may have noticed, and using a different password for each of your log-ins. Password manager programs like 1Password or BitWarden can make that task less daunting.
As for the array of cybersecurity bills currently working their way through Congress, Cybersecurity Ventures’ Steve Morgan believes they’re a step in the right direction. Still, he cautioned that companies should be able to exercise their judgement, in tandem with the FBI, on determining whether reporting cyberattacks within 24 hours would actually further compromise security, as a reported bipartisan Senate bill would mandate.
In contrast, Roger Grimes sees any nationally focused legislation as limited, because cybercrime is international.
“I don’t think a lack of laws or regulations is our problem,” he told the PBS NewsHour. “[Cybercriminals] are mostly untouchable already. You could threaten them with the death penalty and they would laugh.”
Instead, he said, governments should focus on bettering communication and cooperation across borders to prosecute cybercriminals worldwide. But those efforts are largely thwarted by countries like Russia, which he and other experts point to as one of the “safe havens” for cyber criminals, so long as they do not attack entities within that country. All four of the recent high-profile cyber attacks in the U.S., on SolarWinds, JBS, Colonial Pipeline and Kaseya, are thought to have originated in Russia.
Who’s fighting off these attacks?
The demand for cybersecurity professionals to tackle these threats is increasing. Morgan, whose market research firm tracks the demand for jobs, says there are 3.5 million unfilled cybersecurity jobs worldwide — enough to fill approximately 50 NFL stadiums, he says.
In the U.S., data from the Bureau of Labor Statistics (BLS) projects that between 2019 and 2029, employment for information security analysts will grow 31 percent, a rate the BLS considers “much faster than average.” That translates to adding 40,900 jobs and is the 10th fastest-growing occupation out of the nearly 800 occupations the bureau projects, according to BLS economist Lindsey Ice.
“Businesses are expanding their digital presence, digitizing their operations, adopting cloud services — all of these factors are going to continue to increase demand for [information technology] services in general, as well as cybersecurity,” Ice said.
The jobs are well-paying, too. The median pay for information security analysts was $103,590 annually, according to BLS’ 2020 data, compared to a $41,950 median for all other occupations BLS tracks.
But Bryson Payne, professor of computer science and director of the University of North Georgia’s Center for Cyber Operations Education, says that if there are not enough young people in the pipeline for cybersecurity jobs in the next decade, existing tech staff should also be retrained.
Payne teaches college and high school students how to reverse engineer ransomware and also about “ethical hacking,” so that it gives “students a chance to think like an adversary, but to behave ethically.”
“They look for weaknesses in their systems, so they can strengthen, so they can harden those computer systems against attacks,” he said.
Payne says his students are very easily getting jobs in cybersecurity and often graduating with multiple offers from both private sector employers and public sector agencies in the military, the defense department and the National Security Agency (NSA).
The demand has been very high for the cybersecurity programs at the Community College of Denver, according to program chair and associate professor, Jesse Brannen.
“We’ve had a massive influx of students,” Brannen said. “They definitely see the correlation between the demand for cybersecurity, what it has the potential to pay, and how fast they can get into the field.”
But Brannen cautions that the quality of training is most important. Candidates who go through haphazard training and lack experience could leave companies vulnerable. Brannen isn’t so much worried about the quantity of candidates that enter the market but the quality, since some go through quick certification or expedited bootcamp programs. That’s why Payne, whose program has the seal of approval from the Department of Homeland Security and the National Security Agency, says educators need to recruit students into cybersecurity and IT support early. “We really need students thinking about careers [in cybersecurity] in middle and high school,” Payne said.
There are hurdles still in the way: About half (52 percent) of American adults say more people don’t pursue science, technology, engineering and mathematics (STEM) fields because they believe the subjects are too difficult, according to a Pew Research Center study released in 2018. But the cybersecurity sector actually needs people from a variety of backgrounds, says Payne, because he believes it takes a diverse team of problem solvers and ethical hackers to tackle cyberthreats.
From May 2020 to May 2021, the share of job searches for cybersecurity roles on jobs site Indeed increased by almost 14 percent. But in that same time period, the share of Indeed job postings for cybersecurity roles decreased by almost 20 percent.
Between 2020 and 2021, there was a 30 percent increase in cybersecurity job counts on LinkedIn. But year over year, there has been only a 2 percent increase in the number of members who have a cybersecurity-related job title.
This means “the share of members with a cybersecurity title is … down when expressed as a percentage of total membership across LinkedIn, suggesting that the cybersecurity field is not growing as rapidly as the overall talent market,” the company said in an analysis for the PBS NewsHour.
“It’s a chicken-and-egg problem,” Luta Security’s Moussouris said. “Everyone’s fighting for the same slice of the cybersecurity workforce.”
Despite the industry’s apparent skills-to-need mismatch, Morgan believes there’s cause for hope as more people enter the field.
“I’m definitely seeing momentum,” Morgan added. “I think we’re gonna be in a much better place in four to five years.”