Starting with the emergence of the “AIDS Trojan”, ransomware has been raging in the online world for more than 30 years. As human society enters the era of the “Internet of Everything”, ransomware is becoming ever more pervasive and the scope of its harm keeps growing.
The ransomware attack on Colonial Pipeline on May 7, 2021 caused an unprecedented negative social impact in the history of ransomware. Because of the attack, Colonial took key systems offline and had to suspend the oil pipeline.
The US government immediately declared a state of emergency in 17 states and Washington, DC. Panic buying of fuel broke out locally, resulting in fuel shortages in some areas.
Colonial restarted the pipeline on May 12, local time, but DarkSide, the group that launched the attack, appears to have come out the winner. Ondrej Krehel, chief executive of the cyber security company LIFARS, claimed that Colonial paid the extortionists a ransom in Bitcoin worth $5 million at the time.
Data is worth more
Joseph Popp wrote the “AIDS Trojan” 32 years ago, and it is regarded as the beginning of ransomware. The “AIDS Trojan” hid the files on the infected machine and demanded that users pay $189 to PC Cyborg to obtain software to restore the files.
In an era before electronic money existed, extortionists such as Popp could only collect ransoms through traditional bank accounts, which law enforcement agencies could trace back to the people behind the scenes. After the birth of electronic money, the situation changed. Cryptocurrencies in particular, being anonymous and hard to trace, became the favorite of 21st-century extortionists. A common ransomware scenario is a hacker demanding that the user pay Bitcoin worth a specified dollar amount, or a specified quantity of Bitcoin.
In addition to the “upgrade” of payment methods, hackers’ extortion schemes are also escalating. In cases from a few years ago, typical ransomware locked the user’s device and displayed a pop-up window saying “Your files have been encrypted”; after paying the ransom, the user received an unlocking tool.
Colonial Pipeline, the largest fuel pipeline operator in the United States, was hit by ransomware. The incident severely affected the fuel supply on the east coast of the United States.
Current ransomware, however, uses a “double threat”. Not only are users unable to access their files, but the files are also copied to servers owned by the hackers. If the user does not pay the ransom within the specified time, the server automatically publishes the files on the internet, leaking the user’s sensitive information.
This method naturally makes victims both hate and fear it. If personal files are locked, a user can still choose to give up the data rather than bow to the extortionist. But an enterprise’s data is tied to its normal operation, and losing access to it disrupts the business: in a mild case, staff cannot log in to corporate mailboxes and office automation systems and workflows stall; in the worst case, core data is lost and the “lifeblood” of the enterprise is cut off. Disclosure of information is even more destructive. If a company’s trade secrets are disclosed, its competitive advantage may be lost entirely.
So in most cases, companies end up paying the ransom. For example, the currency exchange company Travelex suffered a file encryption attack at the end of 2019 and reportedly paid 2.3 million US dollars to a hacker group; in June 2020, a server used by the University of California, San Francisco School of Medicine was encrypted by hackers, and the ransom was negotiated down from 3 million US dollars to 1.14 million US dollars.
To pay or not to pay the ransom?
“To pay the ransom or not, that is the question.” Some companies or organizations refuse to compromise with hackers and are willing to bear greater losses instead. In February 2020, the Danish facility management company ISS World was attacked by ransomware, and hundreds of thousands of employees were unable to access internal systems and mailboxes. ISS World chose to work with data and security companies to repair the system itself, which took more than ten months and had a budget of up to 75 million US dollars.
The largest ransom demand of 2020 was in the attack on a Foxconn factory in Mexico: 1804.0955 bitcoins (approximately US$34.7 million). This shows that hackers exploit corporate psychology: they set the ransom below what self-recovery of the data would cost, so that a company weighing its interests will yield.
Interface of the Petya ransomware
Interface of WannaCry
At the end of 2019, the currency exchange company Travelex suffered a file encryption attack and allegedly paid $2.3 million to a hacker group
Security experts naturally do not advocate that victims surrender, because this only emboldens hackers. In some cases, even if the user pays the ransom, the files still cannot be unlocked, and both the data and the money are lost. Even when the unlocking tool is obtained, the matter may not be over: the hackers may still have “backdoors” in the system.
Or, as Brett Callow, a cyber threat analyst at Emsisoft, pointed out when reviewing the Travelex incident, the sensitive information remains in the hackers’ hands: “If you pay the ransom, the files may be restored, but the company can only take the criminals’ word that they will delete the backed-up data. Criminals profit from extortion, so why believe that they will delete the files?” Hackers may sell the sensitive information, for example the personal information of corporate customers, to darknet merchants and make a fortune.
Of two evils one should choose the lesser, but it is not always easy to judge which one weighs more. In November 2020, approximately 1TB of data was stolen from the well-known game company Capcom, and the hackers demanded a ransom of 11 million US dollars. Capcom ignored the hackers’ demand, and as a result its game development plans for the next few years were leaked. In the end, though, Capcom did not seem to suffer much: “Resident Evil Village”, released in May, has sold more than 3 million copies, which shows that Capcom is currently doing very well.
Other victims of ransomware have not gotten off as easily as Capcom, such as Atlanta and Baltimore, two of the largest cities in the United States. Atlanta was the first major US city to be attacked by ransomware. It was hit in March 2018; its database and wireless network were knocked out, and the hackers demanded a ransom of approximately US$51,000.
Another extortion incident broke out in Atlanta in 2019, with a ransom demand of approximately US$76,000. In the end both city governments rejected the hackers’ demands, and the final cost of data recovery and other work delays ran to tens of millions of dollars. In front of their citizens the “backbone” of the two major cities looked very straight, but fighting hackers at a cost hundreds of times the ransom inevitably sounds a little too hot-blooded.
Hackers “cast a wide net” to make money
The ransomware war is initiated by hackers, and the party maintaining network security is in a passive position and always at a disadvantage. In the daily battle, defenders can only remind users to raise their awareness based on the characteristics and methods of known ransomware.
Early ransomware usually used “phishing” to break into systems, such as enticing users to open email attachments or click trap links on websites. Families such as “Petya” and “WannaCry” fall into this category. The corresponding advice from defenders is that users should not trust unfamiliar emails or unreliable websites.
“SamSam”, which appeared in 2018, uses brute-force password cracking as its means of attack. Once a system’s encryption falls behind or weak passwords are used, it is easily broken by such software. The culprit in the Atlanta attack was “SamSam”: most of Atlanta’s government systems were old and had not been upgraded, which became the hackers’ point of entry. The defenders’ advice is to keep systems upgraded and set strong passwords.
But in reality, hackers attack by “casting a wide net”, and they can always find someone who has let their guard down or left an obvious hole. The basic ransom of “WannaCry” was “only” US$300, yet the estimated damage it caused exceeds US$4 billion. Infecting a large number of ordinary users is the key to how hackers make money.
Working from home opens the door to intrusion
The outbreak of COVID-19 in 2020 made the network security situation more complicated. Capcom stated that the vulnerability the hackers exploited was in an old virtual private network device. In October 2020, Capcom discovered unauthorized activity on the device. Although Capcom intended to deploy an upgrade immediately, the frequent work from home during the epidemic meant its network had to handle huge traffic, and the device showing unauthorized activity was kept on as a backup, which ultimately left a convenient door open for the hackers.
In the science fiction game “Watch Dogs”, every networked device is a tool for hackers to break in.
The Colonial incident is also related to the epidemic. Eric Cole, founder of the cyber security company Secure Anchor, analyzed that before the outbreak, Colonial’s workers mainly managed their tasks through the system at the plant. This system had little communication with external networks, and the risk of attack was low. During the epidemic, workers had to work remotely, and the system had to be accessed frequently from external networks, giving hackers an opening.
Security experts worry that under the concept of the interconnection of all things, avenues of attack are everywhere. Just like the scenes depicted in the sci-fi game series “Watch Dogs”: from traditional personal computers to mobile phones, from new-concept drones to new energy vehicles, from small headsets to cameras, from large electronic gates to the urban power grid… every connected device is a tool for hackers to control the cyber world and interfere with the real world.
According to Krehel, the outcome of the Colonial incident is intriguing, since the $5 million ransom is “not high”: “For a company of this size, the ransom is often between 25 million and 35 million US dollars.” Krehel speculated that the social chaos caused by the fuel shutdown and the high-level intervention of the US government made the hackers afraid.
But who knows whether there will be bolder organizations in the future whose purpose is not to “seek money” but to concoct appalling anti-social incidents? When such an organization appears, human society will probably have to face “cyber terrorism” head on.