Federal law enforcement officials report computer network ransomware attacks are on the rise in Utah as recent cybercriminal “double-extortion” schemes are earning headlines for multimillion dollar payouts.
Once upon a time, cybercriminals were content with breaking into a company’s computer network with the sole purpose of locking out access to the business’ own data and then demanding a ransom payment to provide a code or “key” to restore operations.
But digital thieves have shown an evolving approach in successful attacks in recent weeks on meatpacking multinational JBS and East Coast fuel network operator Colonial Pipeline. In these cases, hackers first harvest — or “exfiltrate” — sensitive customer and/or employee data, then perform lockouts. This tactic creates a double-tiered threat that ensures that, even if a business target has backup copies of data secured in another storage location that it can easily recover, criminals have snared information they can threaten to make public, like personal credit details or proprietary secrets.
Laura Hoffner, chief of staff for Seattle-based strategic security consulting firm Concentric, said there’s an emerging hacker business model that employs a double-extortion approach to squeeze ransom money out of attack targets and sometimes in multiple payments.
“We’ve seen a lot more of this in the past year and a half,” Hoffner said. “First, hackers take control of a company’s network or cloud backup. But, they’ve already extracted any sensitive data and that can be used to get a bigger or secondary payout after they’ve unlocked access.”
Hoffner said not only are the volume of cyberattacks on the rise, up over 300% from 2019 to 2020, but dollar values of the ransom demands associated with network intrusions are also rising dramatically.
While questions and concerns rise about whether acceding to ransom demands only serves to exacerbate the criminal ransomware ecosystem, Hoffner said the decision to pay is often based on simple economics.
“Our government is saying, ‘Don’t pay these ransoms ... the money often goes to support terrorism,’” Hoffner said. “But what else are these companies going to do when they are victims of these attacks? The cost of waiting the attackers out is typically about three times the amount of whatever the ransom payment would be.”
And the amount of money paid out in recent attacks gives some insight into how big those numbers can get.
Brazil-based JBS, the world’s largest meat processing company, said it paid the equivalent of $11 million to hackers who broke into its computer system late last month.
The company said on May 31 that it was the victim of a ransomware attack, but Wednesday was the first time the company’s U.S. division confirmed that it had paid the ransom.
“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, the CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
Production at some JBS meatpacking facilities, including one in Utah that employs about 1,200 people, suffered temporary closures as a result of the hack. But the company said that even though the vast majority of its facilities were operational at the time it made the payment, it decided to pay in order to avoid any unforeseen issues and ensure no data was exfiltrated.
The FBI has attributed the attack to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months. The FBI said it will work to bring the group to justice and it urged anyone who is the victim of a cyberattack to contact the bureau immediately.
Earlier this week, the Justice Department announced it had recovered most of a multimillion-dollar ransom payment made by Colonial Pipeline, the operator of the nation’s largest fuel pipeline.
Colonial paid a ransom of 75 bitcoin — then valued at $4.4 million — in early May to a Russia-based hacker group. The operation to seize cryptocurrency reflected a rare victory in the fight against ransomware as U.S. officials scramble to confront a rapidly accelerating threat targeting critical industries around the world.
Utah Department of Public Safety and FBI Cybercrime Task Force member Sgt. Jeffrey Plan said he is also seeing an uptick in double-extortion scams that rely on first exfiltrating sensitive data ahead of ransom demands and is also concerned about emerging pay-to-hack services being offered by some criminal groups.
“Another trend on the rise is the fact that you have a lot of criminal gangs that have become proficient at operating ransomware attacks starting to offer, basically, ransomware as a service,” Plank said. “In these cases, you don’t need to know anything about intrusion or setting up a ransomware crime, you simply pay to have the service done.”
Plank also noted that ransomware attacks have been on the rise in Utah in recent weeks, with dozens of cases reported.
One of the biggest Utah cases involving a ransomware scam happened last summer.
The University of Utah was stung by cybercriminals for almost $500,000 in ransom following a July attack that gave the state’s flagship institution the choice of sacrificing private student and employee data, or paying up and hoping the information wasn’t compromised.
The U. reported that on July 19, computing servers in the College of Social and Behavioral Science experienced a “criminal ransomware attack, which rendered its servers temporarily inaccessible.” The school said it immediately isolated the servers from the rest of the institution’s computer network systems, notified appropriate law enforcement entities and deployed its Information Security Office, which, according to a web posting, “investigated and resolved the incident in consultation with an external firm that specializes in responding to ransomware attacks.”
That resolution included making a bitcoin payment of $457,059 to the hackers who provided a code to unlock the data servers. The school said the payment was covered by its insurer and the school but stipulated that “no tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”
On Thursday, Corey Roach, the U.’s chief Information security officer, said the ransomware attack against the University of Utah in 2020 “certainly raised awareness of IT security issues among our staff and students. It was an example of how an attacker can leverage minor security events like phishing to gain a foothold in an organization.”
“The attack helped our users understand the need for more modern security controls such as multi-factor authentication,” Roach said in a statement. “It also illustrated how interconnected our organization is and that we need to enhance security in all areas, not just those with sensitive data.
“Recent significant ransomware incidents at other businesses remind us that we were lucky to contain the attack to a small portion of our environment and to drive us to continue to improve our security program.”
Cybersecurity experts say the ability to trick humans into clicking on or downloading malicious code continues to be the most common entry point for hackers and emphasize that training employees and staff members on how to identify, and avoid, malicious activity is critical to keeping companies safe from hackers and potential ransomware attacks. Further information on strategies to prevent cyber attacks can be found at ready.gov/cybersecurity.
Contributing: Associated Press