While ransomware attacks are multiplying rapidly for private corporations, don’t expect our cybersecurity agencies to do much other than warn about them. In fact, they remain a core part of the problem of what will become a key element of 21st century life — the vulnerability of even the largest corporations to being locked out of their own data and systems.
By one count, ransomware attacks have increased 62% globally since 2019, and more than 150% in North America. That skewing reflects the fact that several major ransomware groups operate with relative impunity from Russia, on the proviso that they never attack Russian institutions.
This week a major US fuel pipeline was shut down by Russian ransomware group DarkSide, leading to Colonial Pipeline paying around US$5 million to the hackers.
Coincidentally, this week also marked four years since the attack that brought the ransomware threat to public prominence — the global WannaCry attack in May 2017 that disrupted government bodies like the National Health Service in the UK, major corporations like FedEx, universities, and individuals.
The WannaCry tool — which originated in North Korea — used an exploit called EternalBlue developed by the US National Security Agency to exploit a flaw in Microsoft’s software. The NSA didn’t bother telling Microsoft about the flaw, preferring instead to use it in its own spying operations. Problem was, hackers stole EternalBlue from the NSA. Microsoft took the unusual step of publicly criticising the NSA for its stockpiling practices.
There is evidence that the NSA is now more ready to alert software companies to major vulnerabilities. But variants of WannaCry continue to be used around the world, and one estimate suggests a quarter of systems running the relevant software remain unpatched and thus vulnerable.
So when cybersecurity agencies like the Australian Cyber Security Centre (ACSC) warn about the threat from ransomware, they’re engaging in a profound hypocrisy. The ACSC is run by the Australian Signals Directorate (ASD), which stockpiles vulnerabilities — in collaboration with its Five Eyes partner, the NSA — in order to undertake espionage, frequently commercial espionage, to help companies in Five Eyes countries.
That’s because the ASD is fundamentally conflicted. Its motto is “Reveal Their Secrets. Protect Our Own.” But WannaCry showed it’s impossible to do both. The very tools with which you Reveal Their Secrets leave you unable to Protect Your Own. And the task of protecting Australian companies, universities, government departments and individuals will always be a lower priority than the ASD’s desire to get access to the Indonesian president’s phone, provide trade intel to the Americans in their negotiations with non-Five Eyes countries, or look after the interests of Australian resources companies.
And for that matter, the ASD can’t even get its bureaucratic colleagues within the federal government to achieve the most basic of its cybersecurity requirements.
So governments have stood by and done little except lecture business about being more secure as ransomware has proliferated, and the ransoms paid have escalated into the millions. That growth has demonstrated the strong business model behind what is now a ransomware industry, complete with leasing agreements between hackers and professional-looking media releases from the perpetrators. Meanwhile, governments continue to tell business they shouldn’t pay ransoms to ransomware outfits — just this week, the UK’s bumbling Home Secretary Priti Patel warned companies they shouldn’t be paying ransoms, while offering no alternatives for corporations that can’t get their data back.
Until our governments decide spying on others isn’t worth the disruption of ransomware attacks and the cost of millions flowing to Russian hackers, the ransomware industry will continue to grow at a rate of knots. There’s too much money to be made.