<p>Ransomware – The Conversation (topic feed, 2023-11-22T03:42:35Z)</p>
<h1>An expert reviews the government’s 7-year plan to boost Australia’s cyber security. Here are the key takeaways</h1>
<p>Published 2023-11-22T03:42:35Z</p>
<p>After lengthy deliberation, the Australian government has released its <a href="https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy">2023–2030 Cyber Security Strategy</a>, which aims to make Australia one of the most cyber-secure nations in the world by 2030. It’s a worthy goal, considering Australia was ranked as the fifth-most powerful cyber nation in a <a href="https://www.belfercenter.org/sites/default/files/files/publication/CyberProject_National%20Cyber%20Power%20Index%202022_v3_220922.pdf">2022 report</a> by Harvard University’s Kennedy School. </p>
<p>The strategy outlines a range of ways Australia can protect its people, businesses and organisations into the next decade. Importantly, it has come at a time when the country is reeling from a series of major cyber incidents, including the <a href="https://theconversation.com/a-new-cyber-taskforce-will-supposedly-hack-the-hackers-behind-the-medibank-breach-it-could-put-a-target-on-australias-back-194532">Medibank</a> and <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus</a> data breaches last year, a nationwide Optus blackout earlier this month, and the more recent <a href="https://theconversation.com/major-cyberattack-on-australian-ports-suggests-sabotage-by-a-foreign-state-actor-217530">closure of ports</a> across the country due to a cyber breach. </p>
<h2>Key takeaways</h2>
<p>Among other things, the strategy aims to:</p>
<ul>
<li>protect critical infrastructure</li>
<li>provide businesses and organisations with tools to bolster their cyber resilience, especially against ransomware attacks</li>
<li>ensure businesses secure products and services to protect customers</li>
<li>attract skilled migrants to establish a diverse cyber security workforce</li>
<li>prioritise critical threats from the most sophisticated actors</li>
<li>engage international partners to share threat intelligence and develop new capabilities</li>
<li>expand cyber awareness programs to educate the public.</li>
</ul>
<p>The government has dedicated $586.9 million to achieving these goals, on top of $2.3 billion committed to existing cyber initiatives, including the <a href="https://www.asd.gov.au/about/what-we-do/redspice">REDSPICE program</a> aimed at enhancing the intelligence and cyber capabilities of the Australian Signals Directorate.</p>
<p>The most significant investment of $290.8 million will go towards protecting businesses and citizens. A further $143.6 million will be invested in strengthening critical infrastructure, including major telecommunications infrastructure. </p>
<p>By comparison, $9.4 million will be used to build a cyber threat sharing platform for the health sector, and only $4.8 million will go to establishing consumer standards for smart devices and software.</p>
<p>The strategy will also expand the <a href="https://theconversation.com/australias-national-digital-id-is-here-but-the-governments-not-talking-about-it-130200">Digital ID program</a>, to “reduce the need for people to share sensitive personal information with the government and businesses to access services online” – but details on this were scant.</p>
<h2>Plans to ‘break the ransomware business model’</h2>
<p>The strategy notes ransomware is “one of the most disruptive cyber threats” in the world – and costs Australia’s economy up to $3 billion in damages each year. The government will make a “ransomware playbook” to help businesses respond to and bounce back from cyber extortion. </p>
<p>It will also work with industry to co-design a mandatory no-fault ransomware reporting scheme to encourage reporting of ransom incidents. We know, based on past experiences with the <a href="https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/what-is-a-notifiable-data-breach#">Notifiable Data Breaches</a> scheme, that businesses <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2023">sometimes won’t report</a> breaches for fear of public backlash. A no-liability reporting scheme could change this, and provide important data that will further bolster our defences against ransom attacks. </p>
<p>The strategy also “strongly discourages” making ransom payments. This makes sense, as these payments inevitably fuel the ransomware economy and fund criminals’ future attacks. </p>
<p>Controversially, however, Minister for Cyber Security Clare O’Neil has considered introducing a blanket ban on such payments at some time <a href="https://australiancybersecuritymagazine.com.au/cyber-security-minister-eyes-blanket-ransomware-ban-in-two-years/">in the next few years</a>.</p>
<p>This could have negative impacts. For instance, a business that legally can’t pay a ransom may not be able to recover stolen data, resulting in permanent data and financial loss. Attackers may also release the stolen data online out of spite. We saw this happen after last year’s <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus data breach</a>. </p>
<p>There’s also a risk that announcing an impending ban could make Australia more attractive to criminals in the short term, as they may scramble to carry out as many attacks as possible before payments are made illegal. The impact of this would be lessened if businesses adopt a disciplined approach to regular data backups.</p>
<h2>Smart devices and apps</h2>
<p>Another strategic initiative will involve working with industry to establish a mandatory cyber security standard (in line with international standards) for consumer-grade smart devices sold in Australia.</p>
<p>The government will also introduce a voluntary cyber security labelling scheme for smart devices. Ideally, such a scheme would keep the public informed about the level of security on the many different devices they own. However, given it’s voluntary, it’s hard to say whether it will have a substantial impact. </p>
<p>Another voluntary code of practice will be introduced for app stores and app developers.</p>
<h2>What are the challenges?</h2>
<p>If it’s implemented well, the strategy could result in a substantial decrease in cyber crime, greater safety for the public and a thriving cyber sector. </p>
<p>Currently, businesses and individuals struggle with a lack of cyber awareness and skills. They don’t have the resources, nor the incentive, to invest in cyber security. This strategy could change that. </p>
<p>The greatest challenge is the complexity and diversity of cyber threats, which are constantly evolving. Today’s threats may not have crossed anyone’s mind a few years ago. This inherent unpredictability may render some of the assumptions in the strategy redundant in the coming years.</p>
<p>Then there are inevitable trade-offs that come with competing values such as privacy, security, innovation and regulation. For example, a project that strongly maintains the privacy of consumers may end up sacrificing transparency. Similarly, too much transparency can lead to security risks. </p>
<p>We’ll need to innovate in the cyber security domain to stay ahead of criminals. But as we’ve seen in other areas of the tech sector, innovation that outruns regulation is often more harmful than helpful. Striking the balance is difficult. </p>
<p>Moreover, there’s a noticeable lack of detail in many of the initiatives outlined in the strategy. This could make it difficult to measure its progress and impact as a high-level strategic document.</p>
<p>Success will depend on voluntary action and cooperation from stakeholders, which may not be enough to ensure compliance and accountability from some businesses and individuals.</p>
<p>Any shortcomings could be managed by making the strategy inclusive and consultative. If it caters to the needs of all, it may indeed become a successful seven-year plan.</p>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Australia could become one of the world’s strongest cyber nations – but the success of the new strategy will come down to the details.</p>
<p>David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>What is LockBit, the cybercrime gang hacking some of the world’s largest organisations?</h1>
<p>Published 2023-11-16T23:59:02Z</p>
<p>While ransomware incidents have been occurring for more than 30 years, only in the last decade has the term “ransomware” appeared regularly in popular media. Ransomware is a type of malicious software that blocks access to computer systems or encrypts files until a ransom is paid.</p>
<p>Cybercriminal gangs have adopted ransomware as a get-rich-quick scheme. Now, in the era of “ransomware as a service”, this has become a prolific and highly profitable tactic. Providing ransomware as a service means groups benefit from affiliate schemes where commission is paid for successful ransom demands.</p>
<p>Although only one of the many gangs operating, LockBit has been increasingly visible, with several high-profile victims recently appearing on the group’s website.</p>
<p>So what is LockBit? Who has fallen victim to them? And how can we protect ourselves from them?</p>
<h2>What, or who, is LockBit?</h2>
<p>To make things confusing, the term LockBit refers to both the malicious software (malware) and to the group that created it.</p>
<p>LockBit <a href="https://www.kaspersky.com/resource-center/threats/lockbit-ransomware">first gained attention in 2019</a>. It’s a form of malware deliberately designed to be secretly deployed inside organisations, to find valuable data and steal it.</p>
<p>But rather than simply stealing the data, LockBit is a form of ransomware. Once the data has been copied, it is encrypted, rendering it inaccessible to the legitimate users. This data is then held to ransom – pay up, or you’ll never see your data again.</p>
<p>To add further incentive for the victim, if the ransom is not paid, they are threatened with publication of the stolen data (often described as double extortion). This threat is reinforced with a countdown timer on LockBit’s blog on <a href="https://theconversation.com/explainer-what-is-the-dark-web-46070">the dark web</a>.</p>
<p>Little is known about the LockBit group. Based on their website, the group doesn’t have a specific political allegiance. Unlike some other groups, they also don’t limit the number of affiliates:</p>
<blockquote>
<p>We are located in the Netherlands, completely apolitical and only interested in money. We always have an unlimited amount of affiliates, enough space for all professionals. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year.</p>
</blockquote>
<p>Notably, LockBit have rules for their affiliates. Examples of forbidden targets (victims) include:</p>
<ul>
<li>critical infrastructure</li>
<li>institutions where damage to the files could lead to death (such as hospitals)</li>
<li>post-Soviet countries such as Armenia, Belarus, Estonia, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.</li>
</ul>
<p>Other ransomware providers have also claimed they won’t target institutions like hospitals – but this doesn’t guarantee victim immunity. Earlier this year a <a href="https://www.theregister.com/2023/01/04/lockbit_sickkids_ransomware/">Canadian hospital was a victim of LockBit</a>, triggering the group behind LockBit to post an apology, offer free decryption tools and allegedly expel the affiliate who hacked the hospital. </p>
<p>While rules may be in place, there is always potential for rogue users to <a href="https://www.scmagazine.com/analysis/ransomware-groups-dont-abide-by-promises-not-to-target-healthcare">target forbidden organisations</a>.</p>
<p>The final rule in the list above is an interesting exception. According to the group, these countries are off limits because a high proportion of the group’s members were “born and grew up in the Soviet Union”, despite now being “located in the Netherlands”.</p>
<h2>Who’s been hacked by LockBit?</h2>
<p>High-profile victims include the United Kingdom’s Royal Mail and Ministry of Defence, and Japanese cycling component manufacturer Shimano. Data stolen from aerospace company Boeing was leaked just this week after the company refused to pay ransom to LockBit.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="LockBit website screenshot showing download links for stolen data" src="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=562&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=562&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=562&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=706&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=706&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=706&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">LockBit’s website on the dark web is used to publish stolen data if the ransom is not paid.</span>
<span class="attribution"><span class="source">Screenshot sourced by authors.</span></span>
</figcaption>
</figure>
<p>While not yet confirmed, the recent ransomware incident experienced by the Industrial and Commercial Bank of China has been <a href="https://www.scmagazine.com/news/lockbit-takes-credit-for-ransomware-attack-on-us-subsidiary-of-chinese-bank">claimed by LockBit</a>.</p>
<p>Since appearing on the cybercrime scene, LockBit has been linked to almost <a href="https://www.cyber.gov.au/about-us/advisories/understanding-ransomware-threat-actors-lockbit">2,000 victims in the United States alone</a>.</p>
<p>From the list of victims seen below, LockBit is clearly being used in a scatter-gun approach, with a wide variety of victims. This is not a series of planned, targeted attacks. Instead, it shows LockBit software is being used by a diverse range of criminals in a service model.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="LockBit blog screenshot showing victims with countdown timer" src="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=294&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=294&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=294&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=369&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=369&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=369&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">LockBit’s blog on the dark web provides a showroom for public shaming of their victims.</span>
<span class="attribution"><span class="source">Screenshot sourced by authors.</span></span>
</figcaption>
</figure>
<h2>How we can protect ourselves</h2>
<p>In recent years, ransomware as a service (RaaS for short) has become popular.</p>
<p>Just as organisations use software-as-a-service providers – such as licensing for office tools like Microsoft 365, or accounting software for payroll – malicious services are providing tools for cybercriminals.</p>
<p>Ransomware as a service enables an inexperienced criminal to deliver a ransomware campaign to multiple targets quickly and efficiently – often at minimal cost and usually on a profit-sharing basis.</p>
<p>The RaaS platform handles the malware management, data extraction, victim negotiation and payment handling, effectively outsourcing criminal activities.</p>
<p>The process is so well developed that such groups even provide guidelines on how to become an affiliate, and what benefits one will gain. With a 20% commission of the ransom being paid to LockBit, this system can generate significant revenue for the group – including the deposit of 1 Bitcoin (approximately A$58,000) required from new users.</p>
<p>While ransomware is a growing concern around the globe, good cybersecurity practices can help. Updating and patching our systems, good password and account management, network monitoring and reacting to unusual activity can all help to minimise the likelihood of any compromise – or at least limit its extent.</p>
<p>For now, whether or not to pay a ransom is a matter of preference and ethics for each organisation. But if we can make it more difficult to get in, criminal groups will simply shift to easier targets.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Prolific and highly profitable, LockBit provides ransomware as a service. Aspiring cybercriminals sign up to the scheme, and the group takes a cut. Here’s how it works.</p>
<p>Jennifer Medbury, Lecturer in Intelligence and Security, Edith Cowan University; Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>International ransomware gangs are evolving their techniques. The next generation of hackers will target weaknesses in cryptocurrencies</h1>
<p>Published 2023-08-28T11:39:01Z</p>
<figure><img src="https://images.theconversation.com/files/542594/original/file-20230814-24-9r3xkv.jpg?ixlib=rb-1.1.0&rect=233%2C155%2C5458%2C2967&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/ransomware-cyber-security-email-phishing-internet-2014441709">Shutterstock/JLStock</a></span></figcaption></figure>
<p>In May 2023, the <a href="https://www.govtech.com/security/dallas-officials-say-ransomware-recovery-could-take-months">Dallas City Government</a> was hugely disrupted by a ransomware attack. Ransomware attacks are so-called because the hackers behind them encrypt vital data and demand a ransom in order to get the information decrypted. </p>
<p>The attack in Dallas put a halt to hearings, trials and jury duty, and the eventual <a href="https://www.nbcdfw.com/news/local/dallas-municipal-court-building-closed-this-week-due%20to-ongoing-ransomware-attack/3262694/">closure</a> of the Dallas Municipal Court Building. It also had an indirect effect on wider police activities, with stretched resources affecting the ability to deliver, for example, <a href="https://www.nbcdfw.com/news/local/ransomware-attack-still-impacts-police%20as-dallas-plans-summer-youth-programs/3259229/">summer youth programmes</a>. The <a href="https://www.cbsnews.com/texas/news/royal-ransomware-group-threatens-release-sensitive-information-dallas/">criminals threatened</a> to publish sensitive data, including personal information, court cases, prisoner identities and government documents.</p>
<p>One might imagine an attack on a city government and police force causing widespread and lengthy disruption would be headline news. But ransomware attacks are now so common and routine that most pass with barely a ripple of attention. One notable exception happened in May and June 2023 when hackers exploited a vulnerability in the <a href="https://theconversation.com/moveit-hack-attack-on-bbc-and-ba-offers-glimpse-into-the-future-of-cybercrime-207670">Moveit file transfer app</a> which led to data theft from hundreds of organisations around the world. That attack grabbed headlines, perhaps because of the high profile victims, reported to include British Airways, the BBC and the chemist chain Boots.</p>
<p>According <a href="https://www.theguardian.com/technology/2023/may/10/ransomware-payments-nearly-double-in-one-year">to one recent survey</a>, ransomware payments have nearly doubled to US$1.5 million (£1.2 million) over the past year, with the highest-earning organisations the most likely to pay attackers. Sophos, a British cybersecurity firm, found that the average ransomware payment rose from US$812,000 the previous year. The average payment by UK organisations in 2023 was even higher than the global average, at US$2.1 million.</p>
<p>Meanwhile, in 2022 <a href="https://www.bbc.co.uk/news/uk-60158874">The National Cyber Security Centre</a> (NCSC) issued new guidance urging organisations to bolster their defences amid fears of more state-sponsored cyber attacks linked to the conflict in Ukraine. It follows a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies.</p>
<hr>
<p><strong><em>This article is part of Conversation Insights</em></strong>
<br><em>The Insights team generates <a href="https://theconversation.com/uk/topics/insights-series-71218">long-form journalism</a> derived from interdisciplinary research. The team is working with academics from different backgrounds who have been engaged in projects aimed at tackling societal and scientific challenges.</em></p>
<hr>
<p>In reality, not a week goes by without attacks affecting governments, schools, hospitals, businesses and charities, all over the world. These attacks have significant financial and societal costs. They can affect small businesses, as well as huge corporations, and can be particularly devastating for those involved.</p>
<p>Ransomware is now <a href="https://www.zdnet.com/article/ransomware-attacks-are-the-biggest-global-cyber-threat-and-still-evolving-warns-cybersecurity-chief/">widely acknowledged</a> as a major threat and challenge to modern society. </p>
<p>Yet ten years ago it was nothing more than a theoretical possibility and niche threat. The way in which it has quickly evolved, fuelling criminality and causing untold damage, should be of major concern. The ransomware “business model” has become increasingly sophisticated with, for instance, advances in <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9895237">malware attack vectors</a>, <a href="https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics/">negotiation strategies</a> and the structure of criminal enterprise itself.</p>
<p>There is every expectation that criminals will continue to adapt their strategies and cause widespread damage for many years to come. That’s why it is vital that we study the ransomware threat and preempt these tactics so as to mitigate the long-term threat – and that is exactly what our research team is doing.</p>
<p><strong>Prediction of global ransomware damage costs - source: Cyber Security Ventures</strong></p>
<figure class="align-center ">
<img alt="A graph showing the damages related to ransomware" src="https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=373&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=373&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=373&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=469&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=469&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543190/original/file-20230817-19-7du7xx.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=469&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Alpesh Bhudia</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>For many years <a href="https://ieeexplore.ieee.org/abstract/document/9854946">our research</a> has looked <a href="https://link.springer.com/chapter/10.1007/978-3-031-16035-6_9">to preempt this evolving threat</a> by exploring new strategies that ransomware criminals can use to extort victims. The aim is to forewarn, and be ahead of the game, without identifying specifics that could be used by criminals. In our <a href="https://arxiv.org/pdf/2308.00590.pdf">latest research</a>, which has been peer reviewed and will be published as part of the International Conference on Availability, Reliability and Security (<a href="https://www.ares-conference.eu/">ARES</a>), we have identified a novel threat that exploits vulnerabilities in cryptocurrencies.</p>
<h2>What is ransomware?</h2>
<p>Ransomware can mean subtly different things in different contexts. In 1996, Adam Young and Mordechai “Moti” Yung at Columbia University <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=502676">described</a> the basic form of a ransomware attack as follows: </p>
<p>Criminals breach the cybersecurity defences of the victim (either through tactics like phishing emails or using an insider/rogue employee). Once the criminals have breached the victim’s defences, they deploy the ransomware, whose main function is to encrypt the victim’s files with a private key (which can be thought of as a long string of characters) to lock the victim out of their files. The third stage of an attack then begins, with the criminal demanding a ransom for the private key. </p>
<p>The simple reality is that many victims <a href="https://www.bbc.co.uk/news/business-60478725">pay the ransom</a>, with ransoms potentially into the millions of dollars.</p>
<p>Using this basic characterisation of ransomware it is possible to distinguish different types of attack. At one extreme there are “low level” attacks in which files are not actually encrypted, or the criminals make no serious attempt to collect a ransom. At the other extreme, attackers make considerable efforts to maximise disruption and extract a ransom.</p>
<p>The <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5461132/">WannaCry ransomware attack</a> in May 2017 is such an example. The attack, <a href="https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and">linked to the North Korean government</a>, made no effective attempt to extract ransoms from victims: it displayed a demand, but payments went to three hard-coded Bitcoin addresses with no mechanism to link a payment to a particular infected machine, so decryption could not be delivered reliably. Nevertheless, it led to widespread disruption across the world, <a href="https://www.bbc.co.uk/news/technology-41753022">including to the UK’s NHS</a>, with some cybersecurity risk-modelling organisations putting the global economic losses in the billions.</p>
<p>It is difficult to discern motive in this case, but, generally speaking, political intent, or simple error on the part of the attackers may contribute to the lack of coherent value-extraction through extortion.</p>
<p>Our research focuses on the second extreme of ransomware attacks in which criminals look to coerce money from their victims. This does not preclude a political motive. Indeed, there is evidence of <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4507111">links between major ransomware groups and the Russian state</a>. We can distinguish the degree to which ransomware attacks are motivated by financial gain by observing the effort invested in negotiation, a willingness to support or facilitate payment of the ransom, and the presence of money laundering services. By investing in tools and services which facilitate payment of the ransom, and its conversion to fiat currency, the attackers signal their financial motives.</p>
<h2>The impact of attacks</h2>
<p>As the attack on the Dallas City Government shows, the financial and social impacts of ransomware attacks can be <a href="https://heimdalsecurity.com/blog/companies-affected-by-ransomware">diverse and severe</a>.</p>
<p>High-impact ransomware attacks, such as the one which targeted <a href="https://www.bbc.co.uk/news/business-57178503">Colonial Pipeline in May 2021</a> and took a major US fuel pipeline offline, are obviously dangerous to the continuity of vital services. </p>
<p>In January 2023, there was a ransomware <a href="https://talion.net/blog/royal-mail%20cyber-attack-wheres-my-mail-gone/">attack on the Royal Mail</a> in the UK that led to the suspension of international deliveries. It took over a month for service levels to <a href="https://www.bbc.co.uk/news/business-64718824">get back to normal</a>. This attack would have had a significant direct impact on the Royal Mail’s revenue and reputation. But, perhaps more importantly, it impacted all the small businesses and people who rely on it.</p>
<p>In May 2021, Ireland’s Health Service Executive (HSE) was hit by a ransomware attack. This affected every aspect of patient care, with widespread cancellation of appointments. The <a href="https://www.bbc.co.uk/news/world-europe-57184977">Taoiseach Micheál Martin said</a>: “It’s a shocking attack on a health service, but fundamentally on the patients and the Irish public.” Sensitive data was also reportedly leaked. The financial impact of the attack could be as <a href="https://www.infosecurity-magazine.com/news/ransomware-attack-cost-irish">high as 100 million euros</a>. This, however, does not account for the health and psychological impact on patients and medics affected by the disruption.</p>
<p>As well as health services, education has also been a prime target. For instance, in January 2023 a school in Guildford, UK, suffered an attack with the criminals threatening to publish sensitive data including safeguarding reports and <a href="https://therecord.media/vice-society-ransomware-guildford-school-student-data-extortion">information about vulnerable children</a>.</p>
<p>Attacks are also timed to maximise disruption. For instance, an attack in June 2023 on <a href="https://www.bbc.co.uk/news/uk-england-dorset-65685607">a school in Dorchester, UK</a>, left the school unable to use email or access services during the main exam period. This can have a profound impact on children’s wellbeing and educational achievement.</p>
<p>These examples are by no means exhaustive. Many attacks, for instance, directly target businesses and charities that are too small to attract attention. The impact on a small business, in terms of business disruption, lost reputation and the psychological cost of facing the consequences of an attack, <a href="https://academic.oup.com/cybersecurity/article/%206/1/tyaa023/6047253?login=false">can be devastating</a>. As an example, a survey in 2021 found that <a href="https://atlasvpn.com/blog/31-of-us-companies-close-down-after-falling-victim-to-ransomware">34% of UK businesses that suffered a ransomware attack</a> subsequently closed down. And many of the businesses that continued operation still had to lay off staff.</p>
<h2>It began with floppy disks</h2>
<p>The origins of ransomware are usually traced back to the <a href="https://medium.com/@alinasimone/the-bizarre-pre-internet-history-of-ransomware-bb480a652b4b">AIDS or PC Cyborg Trojan</a> of 1989. Victims who inserted the floppy disk into their computer later found the file names on their hard drive encrypted, rendering the files unusable, and a payment demanded. The disks were mailed to people on conference attendee and magazine subscriber lists, who ran the disk expecting to complete a survey and instead installed the trojan. The encryption used a symmetric key that was contained in the trojan itself, and so present on every infected machine. A victim could, in principle, have restored access to their files by recovering that key. Few victims would have known this; even now, technical knowledge of cryptography is not common among most PC users.</p>
<p>Eventually, law enforcement traced the floppy disks to a Harvard-taught <a href="https://edition.cnn.com/2021/05/16/tech/ransomware-joseph-popp/index.html">evolutionary biologist named Joseph Popp</a>, who was conducting AIDS research at the time. He was arrested and charged with multiple counts of blackmail, and has been credited by some with being the inventor of ransomware. No one knows exactly what provoked Popp to do what he did.</p>
<figure class="align-center ">
<img alt="Early form of white computer text on red background" src="https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=293&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=293&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=293&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=369&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=369&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543197/original/file-20230817-17-pzdpm2.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=369&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The on-screen message after the AIDS Trojan Horse ransomware was activated.</span>
<span class="attribution"><a class="source" href="https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)">wikipedia</a></span>
</figcaption>
</figure>
<p>Many <a href="https://arxiv.org/pdf/2107.09470.pdf">early versions</a> of ransomware used quite basic cryptographic designs that made it too easy to recover the key the criminal was trying to hide from the victim: the key was embedded in the malware or left behind on the victim’s machine. This is one reason why ransomware really came of age with the <a href="https://www.bbc.co.uk/news/technology/28661463">CryptoLocker attack in 2013</a> and 2014.</p>
<p>CryptoLocker was the first technically sound ransomware to be distributed en masse. It generated a separate RSA key pair for each victim on the attackers’ server, encrypted each file with a symmetric (AES) key and encrypted that key with the victim’s RSA public key. The matching private key, the only thing that could decrypt the files, never left the attackers’ server, so the malware itself could be reverse engineered but the files could not be recovered without it. Thousands of victims saw their files encrypted. Ransoms of around US$300-600 were demanded and it is estimated the criminals <a href="https://www.bbc.co.uk/news/technology-28661463">got away with</a> around US$3 million. CryptoLocker was eventually shut down in mid-2014 by Operation Tovar, which involved multiple international law enforcement agencies and also took down the Gameover ZeuS botnet used to distribute it.</p>
<p>CryptoLocker was pivotal in showing proof of concept that criminals could earn large amounts of money from ransomware. Subsequently, there was an explosion of new variants and new types. There was also significant evolution in the strategies used by criminals.</p>
<h2>Off-the-shelf and double extortion</h2>
<p>One important development was the emergence of ransomware-as-a-service. This is a term for markets on the dark web through which criminals can obtain and use <a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468">“off-the-shelf” ransomware</a> without the need for advanced computing skills while the ransomware providers take a cut of the profits. </p>
<p>Research has shown how the dark web is the “<a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468">unregulated Wild West</a> of the internet” and a safe haven for criminals to communicate and exchange illegal goods and services. It is easily accessible and, with the help of anonymisation technology and digital currencies, a global black economy thrives there. An <a href="https://www.europol.europa.eu/cms/sites/default/files/documents/iocta_2019.pdf">estimated US$1 billion</a> was spent there during the first nine months of 2019 alone, according to Europol, the EU’s law enforcement agency.</p>
<p>With <a href="https://www.sciencedirect.com/science/article/pii/S0167404820300468?ref=pdf_download&fr=RR-2&rr=7f373d3fbf9b0722">ransomware as a service</a> (RaaS) the barrier to entry for aspiring cyber criminals, in terms of both cost and skill, was lowered. </p>
<p>Under the RaaS model, expertise is provided by vendors who develop and maintain the malware, while the affiliates who deploy it may be relatively unskilled. This also compartmentalises risk: the arrest of the affiliates behind one set of attacks no longer threatens the entire supply chain, and attacks launched by other groups using the same malware continue.</p>
<p>We have also seen a movement away from mass phishing attacks, like CryptoLocker, which reached more than 250,000 systems, to more targeted attacks. That has meant an increasing focus on organisations with the revenue to pay large ransoms. Multinational organisations, legal firms, <a href="https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector">schools, universities, hospitals and healthcare providers</a> have all become prime targets, as well as many small and micro businesses and charities.</p>
<p>A more recent development, seen with groups such as Netwalker and REvil/Sodinokibi, is double extortion. Here the criminals not only encrypt files but also exfiltrate copies of the data before encrypting it. They then have the option of leaking or publishing potentially sensitive and important information.</p>
<p>An example of this occurred in 2020, when one of the largest software companies, Software AG, was hit with a <a href="https://www.computerweekly.com/news/252490395/Software-AG-caught-in-double-extortion-ransomware-hit">double extortion ransomware</a> called Clop. It was reported that the attackers had requested an exceptionally high ransom payment of US$20 million (about £15.7 million) which Software AG refused to pay. This led to attackers releasing confidential company data on the <a href="https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/">dark web</a>. This provides criminals with two sources of leverage: they can ransom for the private key to decrypt files and they can ransom to stop publication of sensitive data.</p>
<p>Double extortion changes the business model of ransomware in interesting ways. In particular, with standard ransomware, there is a relatively straightforward incentive for a victim to pay a ransom for access to the private key if that would allow decryption of the files, and they cannot access the files through any other means. The victim “only” needs to trust the cyber criminal will give them the key and that the key will work.</p>
<h2>‘Honour’ among thieves?</h2>
<p>But with data exfiltration, by contrast, it is not obvious what the victim gets in return for paying the ransom. The criminals still have the sensitive data and could still publish it any time they want. They could, indeed, ask for subsequent ransoms to not publish the files.</p>
<p>Therefore, for data exfiltration to be a viable business strategy the criminals need to build a <a href="https://www.mdpi.com/2073-4336/10/2/26">credible reputation</a> of “honouring” ransom payments. This has arguably led to a normalised <a href="https://www.pure.ed.ac.uk/ws/portalfiles/portal/257573307/How_Cyber_Insurance_WOODS_%20DOA27052021_VOR.pdf">ransomware ecosystem</a>.</p>
<p>For instance, ransom negotiators are private contractors and in some cases are required as part of a cyber insurance agreement to provide expertise in the managing of crisis situations involving ransomware. Where instructed, they will facilitate negotiated ransom payments. Within this ecosystem, some ransomware criminal gangs have developed a reputation for not publishing data (or at least delaying publication) if a ransom is paid.</p>
<p>More generally, the encryption, decryption or exfiltration of files is typically a difficult and costly task for criminals to pull off. It is far simpler to delete the files and then claim they have been encrypted or exfiltrated and demand a ransom. However, if the victims suspect that they won’t be getting the decryption key or encrypted data back then they won’t pay the ransom. And those that do pay a ransom and get nothing in return may disclose that fact. This is likely to impact the attacker’s “reputation” and the likelihood of future ransom payments. Simply put, it pays to play “fair” in the world of extortion and ransom attacks.</p>
<p>So in less than ten years we have seen the ransomware threat evolve enormously, from the relatively small-scale CryptoLocker to a <a href="https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/">multi-million dollar business</a> involving organised criminal gangs and sophisticated strategies. From 2020 onwards the incidence of ransomware, and the consequent losses, have seemingly increased by another order of magnitude. Ransomware has become too big to ignore and is now a major concern for governments and law enforcement.</p>
<h2>Crypto extortion threats</h2>
<p>Devastating though ransomware has become, the threat will inevitably evolve further, as criminals develop new techniques for extortion. As mentioned already, a key theme in our collective research over the last ten years has been to try and preempt the likely strategies that criminals can employ so as to be ahead of the game. </p>
<p>Our research <a href="https://arxiv.org/pdf/2308.00590.pdf">is now focused on</a> the next generation of ransomware, which we believe will include variants focused on cryptocurrency, and the “consensus mechanisms” used within them.</p>
<p>A consensus mechanism is any method (usually algorithmic) used to achieve agreement, trust and security across a decentralised computer network.</p>
<figure class="align-center ">
<img alt="Financial business concept, bitcoin, etheruem, litecoin" src="https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543204/original/file-20230817-25-qp0zf3.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The next target could by crypto.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/financial-business-concept-bitcoin-etheruem-litecoin-1056178808">Shutterstock/sundaemorning</a></span>
</figcaption>
</figure>
<p>Specifically, cryptocurrencies are increasingly using a so called “<a href="https://theconversation.com/ethereum-second-biggest-cryptocurrency-to-cut-energy-use-by-over-99-but-the-industry-still-has-a-long-way-to-go-189907">proof-of-stake</a>” consensus mechanism, in which investors stake significant sums of currency, to validate crypto transactions. These stakes are vulnerable to extortion by ransomware criminals.</p>
<p>Cryptocurrencies rely on a decentralised blockchain that provides a transparent record of all the transactions that have taken place using that currency. The blockchain is maintained by a peer-to-peer network rather than a central authority (as with conventional currency). In principle, the transaction records included in the blockchain are immutable, verifiable and securely distributed across the network, giving users full ownership and visibility into the transaction data. These properties of blockchain rely on a secure and non-manipulable “consensus mechanism” in which the independent nodes in the network “approve” or “agree” which transactions to add to the blockchain.</p>
<p>Until now, cryptocurrencies like Bitcoin have relied on a so-called “proof-of-work” consensus mechanism, in which the right to add the next block is won by solving a computationally expensive puzzle (the work); in Bitcoin’s case, repeatedly hashing candidate block headers until one falls below a target value. In the long term this approach is unsustainable because it results in duplication of effort and avoidable <a href="https://www.forbes.com/advisor/investing/cryptocurrency/bitcoins-energy%20usage-explained/">large scale energy use</a>.</p>
<p>The alternative, which is now becoming a reality, is a “proof-of-stake” consensus mechanism. Here, transactions are approved by validators who have staked money and are financially rewarded for validating transactions. The role of inefficient work is replaced by a financial stake. While this addresses the energy problem, it means that large amounts of staked money become involved in validating crypto-transactions.</p>
<h2>Ethereum</h2>
<p>The existence of this staked money provides a novel threat to some proof-of-stake cryptocurrencies. We have focussed our attention on <a href="https://ethereum.org/en/">Ethereum</a>, a decentralised cryptocurrency that establishes a peer-to-peer network to securely execute and verify application code, known as a smart contract.</p>
<p>Ethereum is powered by the Ether (ETH) token that allows users to transact with each other through the use of these smart contracts. The Ethereum project was co-founded by Vitalik Buterin in 2013 to overcome shortcomings with Bitcoin. On September 15 2022, <a href="https://ethereum.org/en/roadmap/merge/">The Merge</a>, moved the Ethereum network from proof-of-work to proof-of-stake, making it one of the first prominent proof-of-stake cryptocurrencies.</p>
<p>The proof-of-stake consensus mechanism in Ethereum relies on “validators” to approve transactions. To set up a validator there needs to be a minimum stake of 32ETH, which is currently around US$60,000 (around £43,000). Validators can then earn a financial return on their stake from operating a validator in accordance with Ethereum rules. At the time of writing there are around <a href="https://beaconscan.com/statistics">850,000 validators</a>.</p>
<p>A lot of hope is being pinned on the “stake” solution of validation - but hackers are sure to be looking into how they can infiltrate the system.</p>
<p>In our project, which was funded by the Ethereum Foundation, we identified ways in which ransomware groups could exploit the new proof-of-stake mechanism for extortion. </p>
<h2>Slashing</h2>
<p>We found that attackers could exploit validators through a process called “slashing”. While validators receive rewards for obeying the rules, there are financial penalties for validators that are seen to act maliciously. The basic objective of penalties is to prevent exploitation of the decentralised blockchain.</p>
<p>There are two kinds of penalty: small, ongoing penalties for being offline or attesting late, and slashing, which is far more severe. Slashing is reserved for actions that a correctly run validator never takes by accident and that could jeopardise the chain: proposing two different blocks for the same slot, or signing two conflicting attestations (a “double vote” for the same target epoch, or a “surround vote” whose source-to-target span contradicts an earlier one). </p>
<p>Slashing penalties are severe. The validator immediately loses 1/32 of its stake (1ETH of a 32ETH stake), is forced to exit and can no longer act as a validator, and part-way through the exit delay receives a further “correlation” penalty that grows with the total amount of stake slashed in the same roughly 36-day window. In the most extreme case, when a third or more of all staked ETH is slashed at once, that penalty takes the whole 32ETH. In short, if a validator is slashed there are big financial consequences, and they are biggest when many validators are slashed together.</p>
<p>To perform these actions, each validator has a signing key that proves to the network who it is. That key is distinct from the withdrawal key that controls the stake itself, so someone who steals a signing key cannot simply take the 32ETH; what they can do is sign contradictory messages and get the validator slashed. Suppose that a criminal got hold of the signing key. They could then threaten to do exactly that unless the victim pays a ransom.</p>
<p><strong>Flow diagram showing just how complicated it gets when there is an extortion attack against proof-of-stake validators, such as Ethereum</strong></p>
<figure class="align-center ">
<img alt="Flow chart showing what happens when ransomware attacks infiltrate crypto." src="https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=604&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=604&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=604&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=759&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=759&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543232/original/file-20230817-21-qc11u7.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=759&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Alpesh Bhudia</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<h2>A ‘smart contract’</h2>
<p>The victim may be reluctant to pay the ransom unless there is a guarantee that the criminals will not take their money and fail to return/release the key. After all, what is to stop the criminals asking for another ransom? </p>
<p>One solution we have found – which harks back to the fact that ransomware has in fact become a kind of business operated by criminals who want to prove they have an “honest” reputation – is a smart contract.</p>
<p>This automated contract can be written so that the process only works if both sides “honour” their side of the bargain. So, the victim could pay the ransom and be confident that this will resolve the direct extortion threat. This is possible on Ethereum because all the steps required are publicly observable on the blockchain – the deposit, the signed request to exit, the absence of slashing, and the return of the stake. </p>
<p>Functionally, these smart contracts are an <a href="https://dictionary.cambridge.org/dictionary/english/escrow">escrow system</a> in which money may be held until pre-agreed conditions are met. For instance, if the criminals force slashing before the validator has fully exited, then the contract will ensure that the ransom amount is returned to the victim. Such contracts are, however, open to abuse, and there’s no guarantee that an attacker-authored contract can be trusted. There is potential for the contract to be automated in a fully trusted way, but we have yet to observe such behaviour and systems emerge.</p>
<h2>The staking pools threat</h2>
<p>This type of “pay and exit” strategy is an effective way for criminals to extort victims if they can obtain the validator signing keys. </p>
<p>So how much damage would a ransomware attack like this do to Ethereum? If a single validator is compromised then the slashing penalty – and so maximum ransom demand – would be in the region of 1ETH, which is around US$1,800 (about £1,400). To leverage larger amounts of money the criminals, therefore, need to target organisations or staking pools that are responsible for managing large numbers of validators.</p>
<p>Remember, that given the high entry costs for individual investors, most of the validating on Ethereum will be run under “staking pools” in which multiple investors can collectively stake money. </p>
<p>To put this in perspective, Lido is the largest staking pool in Ethereum with around 127,000 validators and 18% of the total stake; Coinbase is the second largest with 40,000 validators and 6% of the total stake. In total, there are 21 staking pools operating more than 1,000 validators each. Any one of these staking pools is responsible for tens of millions of dollars of stake, and so viable ransom demands could also be in the millions of dollars. </p>
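<p>To make the scale concrete, here is the slashing arithmetic from the “Slashing” section applied to pool sizes of the order quoted in this paragraph. This is an added example, not code from the article or from the research it describes. The constants and integer gwei arithmetic follow the Ethereum consensus specification at the Bellatrix fork; the validator counts are the article’s figures used as assumptions, and uniform 32 ETH stakes are also assumed.</p>

```python
"""Ethereum slashing penalties applied to staking-pool-sized key compromises.

Added example (not from the article or the research it describes). The
arithmetic follows the Ethereum consensus specification (Bellatrix constants):
an immediate penalty of effective_balance / 32 when the slashing is included
in a block, and a correlation penalty about 18 days later that scales with
the total stake slashed in the same ~36-day window. Values are gwei integers
as in the spec. Validator counts are the article's figures (assumption).
"""

GWEI_PER_ETH = 10**9
MAX_EFFECTIVE_BALANCE = 32 * GWEI_PER_ETH
EFFECTIVE_BALANCE_INCREMENT = 1 * GWEI_PER_ETH
MIN_SLASHING_PENALTY_QUOTIENT = 32        # Bellatrix: 1/32 of the stake up front
PROPORTIONAL_SLASHING_MULTIPLIER = 3      # Bellatrix: correlation penalty weight


def initial_slashing_penalty(effective_balance: int) -> int:
    """Penalty charged by slash_validator() when the slashing is processed."""
    return effective_balance // MIN_SLASHING_PENALTY_QUOTIENT


def correlation_penalty(effective_balance: int, total_slashed_balance: int,
                        total_active_balance: int) -> int:
    """Penalty charged by process_slashings() halfway through the withdrawal
    delay. total_slashed_balance is the sum of effective balances slashed in
    the current window: one slashed validator rounds this to zero, while a
    third of the network slashed together makes it the whole stake."""
    adjusted = min(total_slashed_balance * PROPORTIONAL_SLASHING_MULTIPLIER,
                   total_active_balance)
    numerator = (effective_balance // EFFECTIVE_BALANCE_INCREMENT) * adjusted
    return (numerator // total_active_balance) * EFFECTIVE_BALANCE_INCREMENT


def pool_compromise_cost_eth(validators_slashed: int, total_validators: int,
                             effective_balance: int = MAX_EFFECTIVE_BALANCE) -> dict:
    """ETH destroyed if an attacker holding the signing keys of
    `validators_slashed` validators gets all of them slashed in one window,
    out of `total_validators` active validators. Loss per validator is capped
    at its stake, since a balance cannot go below zero."""
    total_active = total_validators * effective_balance
    slashed = validators_slashed * effective_balance
    per_validator = min(effective_balance,
                        initial_slashing_penalty(effective_balance)
                        + correlation_penalty(effective_balance, slashed, total_active))
    return {
        "per_validator_eth": per_validator / GWEI_PER_ETH,
        "total_eth": per_validator * validators_slashed / GWEI_PER_ETH,
    }


if __name__ == "__main__":
    ACTIVE = 850_000                     # article: ~850,000 validators (assumption)
    for label, n in [("single validator", 1),
                     ("Coinbase-sized pool", 40_000),
                     ("Lido-sized pool", 127_000),
                     ("one third of all stake", ACTIVE // 3 + 1)]:
        cost = pool_compromise_cost_eth(n, ACTIVE)
        print(f"{label:>24}: {cost['per_validator_eth']:5.1f} ETH each, "
              f"{cost['total_eth']:,.0f} ETH total")
```

<p>The single-validator case reproduces the 1ETH floor quoted earlier. For a pool-sized compromise the correlation penalty dominates: with 850,000 active validators, slashing 40,000 in one window costs 5ETH each and slashing 127,000 costs 15ETH each, and once a third of all stake is slashed together every slashed validator loses the full 32ETH. The leverage an extortionist has over a large operator is therefore not the sum of 1ETH floors but a multiple of it, which is exactly why concentration of keys matters.</p>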
<p>Proof-of-stake consensus mechanisms are too young for us to know whether extortion of staking pools will become an active reality. But the general lesson of ransomware’s evolution is that the criminals tend to gravitate towards strategies that incentivise payment and increase their illicit gains.</p>
<p>The most straightforward way that investors and staking pool operators can mitigate the extortion threat we have identified is by protecting their signing keys. If the criminals cannot access the signing keys then there is no threat. If the criminals can only access some of the keys (for operators with multiple validators) then the threat may fail to be lucrative. </p>
<p>So staking pools need to take measures to secure signing keys. This involves a range of actions: partitioning validators so that a breach exposes only a small subset of keys; stepping up cyber security to prevent intrusion, for example by holding keys in a dedicated remote signer rather than on internet-facing validator hosts, or splitting each key across several machines with threshold signatures so that no single host holds a complete key; and robust internal processes to limit the insider threat of an employee divulging signing keys.</p>
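<p>One check worth understanding when “securing signing keys” is what the validator software already does for you. Clients keep a per-key history of what they have signed (the EIP-3076 interchange format standardises it) and refuse to sign an attestation that would be slashable against that history. The following added example, not code from the article or from the project it describes, models that guard with the consensus specification’s double-vote and surround-vote definitions and shows its limit: it protects an honest operator who accidentally runs one key on two machines, but a criminal who has copied the raw signing key to another host starts with an empty history and is never refused. Epoch numbers and roots are constructed for the demonstration.</p>

```python
"""A slashing-protection guard, and why it does not stop an extortionist.

Added example, not code from the article or the Ethereum Foundation project it
describes. A validator client records every attestation it signs and refuses
new ones that would be slashable against that record (the EIP-3076 format
standardises the record). The guard lives on the operator's host; a stolen
copy of the signing key used elsewhere has no record and passes every check.
Epochs and signing roots below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attestation:
    source_epoch: int
    target_epoch: int
    signing_root: bytes          # hash of the attestation data actually signed


def is_slashable_pair(a: Attestation, b: Attestation) -> bool:
    """Consensus-spec predicate: different data for the same target epoch
    (double vote), or one attestation's source..target span strictly
    surrounding the other's (surround vote), in either direction."""
    double_vote = a != b and a.target_epoch == b.target_epoch
    a_surrounds_b = a.source_epoch < b.source_epoch and b.target_epoch < a.target_epoch
    b_surrounds_a = b.source_epoch < a.source_epoch and a.target_epoch < b.target_epoch
    return double_vote or a_surrounds_b or b_surrounds_a


@dataclass
class ProtectedSigner:
    """One validator key behind a slashing-protection history. Held in memory
    here; real clients persist it and import/export it as EIP-3076 JSON."""
    history: list = field(default_factory=list)

    def sign(self, att: Attestation) -> str:
        # Refuse anything slashable against our own past signatures.
        if any(is_slashable_pair(prev, att) for prev in self.history):
            return "refused"
        self.history.append(att)
        return "signed"


def extortion_scenario() -> dict:
    """The victim signs normally. A second signer holding a copy of the same
    key (the attacker) signs a conflicting attestation for the same target."""
    victim = ProtectedSigner()
    attacker = ProtectedSigner()          # stolen key, empty history

    honest = Attestation(source_epoch=100, target_epoch=101, signing_root=b"A" * 32)
    conflicting = Attestation(source_epoch=100, target_epoch=101, signing_root=b"B" * 32)

    results = {
        "victim_first": victim.sign(honest),
        "victim_conflicting": victim.sign(conflicting),      # local guard works
        "attacker_conflicting": attacker.sign(conflicting),  # nothing to check against
    }
    # Anyone who sees both signed messages can submit them as an attester
    # slashing; the victim's guard never had a say in the attacker's signature.
    results["slashable_on_chain"] = is_slashable_pair(honest, conflicting)
    return results


if __name__ == "__main__":
    for step, outcome in extortion_scenario().items():
        print(f"{step:>22}: {outcome}")
```

<p>The guard refuses the victim’s own conflicting signature but cannot see, let alone block, the attacker’s. The defence against this threat therefore has to operate at the level of key custody (what can reach the key at all, and whether any single host ever holds a complete key) rather than in the client’s anti-slashing logic, which is the wrong layer for it.</p>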
<figure class="align-center ">
<img alt="Concept using blocks with locks and keys printed on them to show encryption keys being compromised." src="https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=405&fit=crop&dpr=1 600w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=405&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=405&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=509&fit=crop&dpr=1 754w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=509&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/543207/original/file-20230817-17-s3whx1.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=509&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">What happens when hackers gain access to secret keys?</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/intruder-gains-access-secrets-hacker-hacking-2249792687">Shutterstock/Andrii Yalanskyi</a></span>
</figcaption>
</figure>
<p>The staking pool market for cryptocurrencies like Ethereum is competitive. There are many staking pools, all offering relatively similar services, and competing on price to attract investors. These competitive forces, and the need to cut costs, may lead to relatively lax security measures. Some staking pools may, therefore, prove a relatively easy target for criminals.</p>
<p>Ultimately, this can only be solved with regulation, greater awareness and for investors in staking pools to demand high levels of security to protect their stake.</p>
<p>Unfortunately, the history of ransomware suggests that high profile attacks will need to be seen before the threat is taken seriously enough. It is interesting to contemplate the consequences of a significant breach of a staking pool. The reputation of the staking pool would presumably be badly affected and so the staking pool’s viability in a competitive market is questionable. An attack may also have implications for the reputation of the currency.</p>
<p>At the most serious, it could undermine confidence in the currency itself. The collapse of the <a href="https://www.bbc.co.uk/news/business-64313624">FTX exchange in 2022</a>, an insolvency compounded by a large theft from its wallets in the hours after it filed for bankruptcy, showed how quickly a failure in one part of the crypto ecosystem spreads to investors and markets well beyond it.</p>
<h2>Here to stay</h2>
<p>Ransomware will be a challenge for years, if not decades, to come. </p>
<p>One potential vision of the future is that ransomware just becomes part of normal economic life with organisations facing the constant threat of attack, with few consequences for the largely anonymous gangs of cyber criminals behind the scams.</p>
<p>To preempt such negative consequences we need greater awareness of the threat. Then investors can make more informed decisions over which staking pools and currencies to invest in. It also makes sense to have a <a href="https://link.springer.com/chapter/10.1007/978-3-031-16035-6_9">market with many staking pools</a>, rather than a market dominated by just a few large ones, as this could insulate the currency from possible attacks.</p>
<p>Beyond crypto, preemption involves investment in cyber security across a range of forms, from staff training to an organisational culture that supports reporting of incidents. It also involves investment in recovery options, such as effective back-ups, in-house expertise, insurance and tried and tested contingency plans. </p>
<p>Unfortunately, cyber security practices are not improving as one might hope in many organisations and this is leaving the door open for cyber criminals. Essentially, everyone needs to get better at hiding, and protecting, their digital keys and sensitive information if we are to stand a chance against the next generation of ransomware attackers.</p>
<p class="fine-print"><em><span>Alpesh Bhudia's research was funded by the Ethereum Foundation for the project “Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators” and “REVOKE: Consensus-layer mitigations for validator ransomware attacks”, from which this article derives some contributions.
The research team is scheduled to present their findings on August 30 at the ARES Conference. </span></em></p><p class="fine-print"><em><span>Anna Cartwright receives funding from The Ethereum Foundation, for the project "Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators", from which this article derives some contributions.</span></em></p><p class="fine-print"><em><span>Darren Hurley-Smith received funding from The Ethereum Foundation, for the REVOKE project, from which this article derives some theoretical contributions.</span></em></p><p class="fine-print"><em><span>Edward Cartwright receives funding from The Ethereum Foundation, for the project "Game theoretic modelling of a ransomware attack against Ethereum 2.0 validators", from which this article derives some contributions.</span></em></p>
<p><em>What will ransomware attackers focus on next?</em></p>
<p class="fine-print">Alpesh Bhudia, Doctoral Researcher in Cyber Security, Royal Holloway University of London; Anna Cartwright, Principal Lecturer in Accounting, Finance and Economics, Oxford Brookes University; Darren Hurley-Smith, Senior Lecturer in Information Security, Royal Holloway University of London; Edward Cartwright, Professor of Economics, De Montfort University. Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<h1>Australia is considering a ban on cyber ransom payments, but it could backfire. Here’s another idea</h1>
<p class="fine-print">Published 2022-11-14.</p>
<figure><img src="https://images.theconversation.com/files/495021/original/file-20221114-22-36d2ni.jpeg?ixlib=rb-1.1.0&rect=0%2C0%2C2955%2C1971&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>First Optus, now Medibank; in less than two months we’ve experienced two of the largest personal data breaches in Australia’s history. In both cases the hackers attempted, and failed, to extort a ransom in exchange for not releasing personal data. </p>
<p>So far the Optus hackers have released only a small sample of data, and claim to have <a href="https://theconversation.com/the-optus-hacker-claims-theyve-deleted-the-data-heres-what-experts-want-you-to-know-191494">deleted the rest</a>. On the other hand, the Medibank hackers have released the records of more than one million people – and have threatened to release more <a href="https://www.theguardian.com/australia-news/2022/nov/14/medibank-mental-health-data-posted-on-dark-web-as-russian-hackers-vow-to-keep-our-word">data on Friday</a>. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/medibank-hackers-are-now-releasing-stolen-data-on-the-dark-web-if-youre-affected-heres-what-you-need-to-know-194340">Medibank hackers are now releasing stolen data on the dark web. If you're affected, here's what you need to know</a>
</strong>
</em>
</p>
<hr>
<p>With this looming threat, the Australian government is looking to bolster its cybersecurity defences — including through a taskforce set up <a href="https://www.sbs.com.au/news/article/elaines-data-was-stolen-in-the-medibank-hack-she-says-sorry-isnt-enough/4c7ktafnx">to retaliate against</a> the Medibank hackers. </p>
<p>Minister for Cyber Security Clare O'Neil has said the government is also considering making ransom payments <a href="https://au.finance.yahoo.com/news/australia-consider-banning-paying-ransoms-233202285.html">to cybercriminals illegal</a>. The idea has picked up steam – but would this cure be worse than the disease?</p>
<h2>The response to the Medibank hack</h2>
<p>The group behind the latest Medibank hack, currently being called “BlogXX”, has been linked to <a href="https://www.abc.net.au/news/2022-11-11/afp-reveal-more-information-on-medibank-hacker/101643794">Russian cybercriminal organisations</a> by the Australian Federal Police. It has known links to the notorious <a href="https://theconversation.com/what-do-we-know-about-revil-the-russian-ransomware-gang-likely-behind-the-medibank-cyber-attack-194337">REvil cyber gang</a> (which <a href="https://www.bbc.com/news/technology-59998925">was dismantled by</a> Russia’s Federal Security Service in January).</p>
<p>Large-scale cybercriminal gangs are able to extort high ransom payments from their victims. During <a href="https://www.bbc.com/news/technology-59998925">REvil’s arrest</a>, authorities seized the equivalent of A$12.8 million in cash, $7 million in cryptocurrency and 20 luxury cars. </p>
<p>There are multiple ways to decrease the profitability of data breaches for criminal organisations. The first is to make hacks more difficult, making it more time-consuming for the hackers to break into computers. </p>
<p>This could be achieved by increasing fines for organisations that fail to follow best practices in cybersecurity – a <a href="https://www.theguardian.com/australia-news/2022/oct/22/australian-companies-to-face-fines-of-50m-for-data-breaches">privacy reform that</a> was recently introduced in Australia and has passed through the lower house.</p>
<p>A second potential solution is to make ransomware payments illegal in Australia. Under some circumstances, it may <a href="https://www.homeaffairs.gov.au/cyber-security-subsite/files/tackling-ransomware-threat.pdf">already be illegal</a> for Australian organisations to pay a ransom, such as if the payment funds further criminal or terrorist activity of groups under sanction by the United Nations. </p>
<p>However, the <a href="https://www.wired.com/2016/12/hacker-lexicon-attribution-problem/">attribution of cyberattacks</a> is difficult, and it’s not always possible to know whether paying a particular group would be a crime. An organisation may pay a ransom, only to find out much later it has broken the law.</p>
<h2>When banning ransom payments works</h2>
<p>The idea of banning ransom payments isn’t new. In April, Nigeria criminalised <a href="https://www.aljazeera.com/news/2022/4/27/nigeria-outlaws-ransom-payments-abduction-punishable-by-death">ransom payments to kidnappers</a>. However, not paying kidnap ransoms in Nigeria has also resulted in deaths, which suggests this approach may end up <a href="https://theconversation.com/why-nigerian-kidnap-law-banning-families-from-paying-ransoms-may-do-more-harm-than-good-189427">punishing victims</a>. </p>
<p>Still, survey results show citizens and cybersecurity experts are generally in favour of banning ransomware payments. In a recent survey of UK residents by <a href="https://talion.net/wp-content/uploads/2021/06/RansomAware-press-release.pdf">security firm Talion</a>, 78% of respondents from the general public supported a ban, as did 79% of cybersecurity professionals.</p>
<p>A ban on ransom payments could quickly reduce the profits racked up by criminal gangs targeting Australia. </p>
<p>In cases like the recent Optus and Medibank hacks, where the ransom was demanded to “not leak” sensitive information, banning ransom payments may be a good idea. It could take the burden of making a decision away from the organisation targeted, and mitigate the public’s judgment of that decision. </p>
<p>It would also reduce (but not entirely remove) the possibility of criminals receiving ransom payments – and therefore make their operations less profitable. </p>
<h2>The problems with a ban</h2>
<p>However, unlike the Optus and Medibank breaches, many ransoms are paid to unlock encrypted computers. Some ransomware attacks involve the hackers encrypting all of the computers, data and backups a company has. Failing to restore those data can, in many cases, cause the business to collapse. </p>
<p>In such instances, banning ransom payments may discourage organisations from declaring breaches. They may pay the ransom to be able to move on with business – even if it is a crime. Should this happen, it would reduce the overall transparency of reporting on breaches, and could lead to hackers blackmailing victims to not divulge the hack.</p>
<p>This particular concern has led the US Federal Bureau of Investigation to recommend to the US Senate Judiciary Committee to not <a href="https://edition.cnn.com/2021/07/27/politics/senate-judiciary-ransomware-hearing/index.html">ban all ransom payments</a>.</p>
<p>For a ban on ransom payments to be effective, the penalties for paying the ransom would need to be more severe than the impact of the ransom itself. If the penalties are inadequate, organisations may simply pay the ransom and deal with the legal consequences so they can move on with normal operations.</p>
<h2>An alternative solution</h2>
<p>Cyberinsurance policies often provide reimbursement for ransomware payments. In fact, it’s a common tactic for cybercriminals to demand a ransom equivalent to <a href="https://www.homeaffairs.gov.au/cyber-security-subsite/files/tackling-ransomware-threat.pdf">the insurance reimbursement</a>. While this means the organisation suffers fewer losses, the cybercriminals still profit.</p>
<p>A more nuanced approach may be to ban cyberinsurance reimbursements for ransom payments, which would reduce the overall percentage of breaches that result in a payment. This could reduce profits for criminal gangs, while still allowing a company to salvage its operations under the worst-case scenarios. </p>
<p>The decision to ban or not to ban ransomware payments is complicated, and a blanket ban is likely to cause more problems than it fixes. We need change, but the best solution would be a case-by-case approach. </p>
<p>In the end, these kinds of cybercrimes are unlikely to be eradicated by any single policy change. They will require a wide range of policies, laws and regulations that each chip away at specific problems. If we do this, eventually the cost to criminals could outweigh the profits.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/budget-2022-9-9-billion-towards-cyber-security-aims-to-make-australia-a-key-offensive-cyber-player-180321">Budget 2022: $9.9 billion towards cyber security aims to make Australia a key 'offensive' cyber player</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Banning cyber ransom payments might help ward off attacks, but there are some cases where organisations feel intense pressure to pay up.Jeffrey Foster, Associate Professor in Cyber Security Studies, Macquarie UniversityJennifer J. Williams, PhD Candidate, Department of Security Studies and Criminology, Macquarie UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1898422022-11-11T17:00:58Z2022-11-11T17:00:58ZCybercrime insurance is making the ransomware problem worse<figure><img src="https://images.theconversation.com/files/483557/original/file-20220908-9399-yew7dm.jpg?ixlib=rb-1.1.0&rect=0%2C29%2C5000%2C3285&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Many businesses simply choose to pay a ransom than suffer the consequences of a cyber attack</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/young-asian-male-frustrated-confused-headache-709192198">Zephyr_p/Shutterstock</a></span></figcaption></figure><p>Cybercrime insurance is making the ransomware problem worse
During the COVID-19 pandemic, there was another <a href="https://www.bleepingcomputer.com/news/security/finalsite-ransomware-attack-shuts-down-thousands-of-school-websites/">outbreak in cyberspace</a>: a digital epidemic <a href="https://onlinelibrary.wiley.com/doi/full/10.1002/itl2.247">driven by ransomware</a>.</p>
<p>Several organisations worldwide fell victim to cyber-extortionists who stole data either to sell to other criminals or to hold to ransom for profit. The sheer number of attacks indicates that cyber security and anti-ransomware defences did not work or have limited effectiveness.</p>
<p>Businesses are turning to cyberinsurance companies in <a href="https://www.wired.com/story/ransomware-insurance-payments/">desperation to protect themselves from attack</a>. But the growth of the <a href="https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/cyber-insurers-could-risk-being-held-for-ransom-as-extortion-attacks-escalate-55329254">cyberinsurance market</a> is only encouraging criminals to target companies that have extortion insurance. </p>
<p>A 2021 study from the <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3908159">University of Leeds</a> found there was a massive acceleration in major cyber-attacks on organisations during the pandemic. The paper also showed a “shift in offender tactics which scale up levels of fear in victims … such tactics include a shift towards naming and shaming victims, the theft of commercially sensitive data and attacks targeting organisations which provide services to other organisations.” </p>
<p>A report by <a href="https://www.sophos.com/en-us/press-office/press-releases/2022/04/ransomware-hit-66-percent-of-organizations-surveyed-for-sophos-annual-state-of-ransomware-2022">global cybersecurity firm Sophos</a> found that 66% of organisations surveyed, from across 31 countries, were hit with ransomware in 2021, up from 37% in 2020. The average ransom paid increased <a href="https://www.cybersecuritydive.com/news/ransomware-attacks-payouts-2021/622784/#:%7E:text=Ransomware%20hit%2066%25%20of%20mid,with%20%24170%2C000%20the%20prior%20year">nearly fivefold to US$812,360 (£706,854)</a>. Insurance companies often opt to pay the ransoms that cybercriminals demand – 82% of UK companies <a href="https://www.meartechnology.co.uk/2022/03/04/ransomware-study-most-uk-firms-pay/">pay up</a>. </p>
<h2>Where are the attacks coming from</h2>
<p>According to US think tank the <a href="https://www.cfr.org/cyber-operations/">Council on Foreign Relations</a>, 22 countries are suspected of <a href="https://blogs.thomsonreuters.com/answerson/state-sponsored-cyberattacks/">sponsoring cyberattacks</a>, including the United States.</p>
<p>And a <a href="https://cybernews.com/security/crimeware-as-a-service-model-is-sweeping-over-the-cybercrime-world/">new black market</a> in which cybercriminals provide products and services to other cybercriminals is <a href="https://www.avertium.com/blog/crimeware-as-a-service-explained">flourishing and driving the surge</a> in ransomware attacks. So-called ransomware-as-a-service allows everyone from teenagers to skilled amateurs to professional criminals to rent malware, encryption tools, and even Bitcoin wallets. </p>
<p>It is like a criminal renting a gun from another criminal who manufactured it. </p>
<p>In July 2020, <a href="https://www.theguardian.com/technology/2020/jul/31/twitter-hack-arrests-florida-uk-teenagers">three teenagers hacked Twitter</a>. The attack resulted in the hijacking of 130 accounts – some of which included high-profile targets including Joe Biden, Barack Obama, Apple, Elon Musk and Bill Gates. The bitcoin accounts associated with their ransomware scam received more than 400 transfers <a href="https://krebsonsecurity.com/2020/07/three-charged-in-july-15-twitter-compromise/">totalling over US$100,000</a> (£87,000).</p>
<figure class="align-center ">
<img alt="Woman stares at computer screen in shock" src="https://images.theconversation.com/files/483556/original/file-20220908-9722-c2wy2x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/483556/original/file-20220908-9722-c2wy2x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=256&fit=crop&dpr=1 600w, https://images.theconversation.com/files/483556/original/file-20220908-9722-c2wy2x.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=256&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/483556/original/file-20220908-9722-c2wy2x.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=256&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/483556/original/file-20220908-9722-c2wy2x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=322&fit=crop&dpr=1 754w, https://images.theconversation.com/files/483556/original/file-20220908-9722-c2wy2x.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=322&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/483556/original/file-20220908-9722-c2wy2x.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=322&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Ransomware can devastate a business.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/ransomware-business-computer-malware-privacy-breach-1925465261">Andrey Popov/Shutterstock</a></span>
</figcaption>
</figure>
<h2>What’s the problem with insurance?</h2>
<p>The past few years have seen a surge in <a href="https://www.gao.gov/blog/rising-cyberthreats-increase-cyber-insurance-premiums-while-reducing-availability">specialist cybercrime insurance policies</a>. The global cybercrime insurance market is <a href="https://www.abi.org.uk/news/blog-articles/2022/02/cyber-insurance-growing-the-market-to-meet-the-global-threat/">predicted to grow</a> from US$7 billion in gross written premiums (GWP) in 2020 to US$20.6 billion by 2025. </p>
<p>Insurers need to do more to <a href="https://eiopa.europa.eu/Publications/Reports/EIOPA%20Understanding%20cyber%20insurance.pdf">discourage incompetent security practices</a>. Car drivers must pass theory and practical driving tests. But cyberinsurance policies rarely audit the IT security of an organisation before the policy is finalised.</p>
<p>A <a href="https://www.softkraft.co/software-development-standards/">standardised ISO norm</a> (quality management standards internationally agreed by experts) for software did not exist until 2015. It means customers have no way of judging the security standards of anything produced before 2015. Even now, some of the <a href="https://www.sciencedirect.com/science/article/pii/S1877050921002799">risk assessments</a> a piece of software would go through in its lifetime could be less rigorous than those for the kettle in our home. And ISO testing is voluntary. </p>
<p>The market lacks understanding of large-scale, sophisticated, cyber-attacks. The insurance sector works by determining the probability of an incident happening and the impact it would have. The cyberinsurance market struggles to forecast the likelihood of cyber-attacks because changes in digital technology can be so unpredictable. Attackers’ capabilities and intentions shift rapidly. </p>
<p>Most insurers currently have <a href="https://ieeexplore.ieee.org/document/9139703">no long-term data</a> for cyberincidents or ransomware. This has led to underfunded cyberinsurance programs, which rely heavily on <a href="https://intpolicydigest.org/2019/04/03/virulent-ransomware-strains-trust-in-cyber-insurance/">optimistic financial models</a>. </p>
<p>As a result it is getting more difficult to secure cyberinsurance, as the growing number of claims is forcing valuers to be more discerning in the clients they accept. Lloyd’s of London <a href="https://techmonitor.ai/technology/cybersecurity/cost-of-cyber-insurance-lloyds-market-association">released new rules</a> in December 2021 stating that underwriters will no longer cover damage caused by “war or a cyberoperation that is carried out in the course of the war”. </p>
<p>Insurance premiums <a href="https://www.securitymagazine.com/articles/96549-the-rising-tide-of-cyber-insurance-premiums-in-the-age-of-ransomware">increased by 22%</a> in 2020 and a <a href="https://www.itpro.co.uk/security/cyber-security/360131/cyber-insurance-premiums-increased-by-a-third-in-the-last-12-months">further 32% in 2021</a> across 38 countries. The cost incurred by the business gets <a href="https://www.theregister.com/2022/07/29/ibm_data_inflation/">passed on to customers</a>. The ransomware demand will contribute to the overall rise in living costs as <a href="https://www.bleepingcomputer.com/news/security/school-district-reports-a-334-percent-hike-in-cybersecurity-%20insurance-costs/">ransomware costs</a> are being passed on to the customers. </p>
<p>As part of my work with the <a href="https://northerncloudcrimecentre.org/about/">Northern Cloud Crime Centre</a>, I looked at the effectiveness of laws in the UK to regulate criminal activity in the Cloud. I found the cybercrime legislation in the UK has failed to keep pace with technological and market developments over the past 30 years. The Computer Misuse Act 1990 needs updating to make it more effective at policing cybercrime. If we cannot fix the situation, it will threaten jobs and investment in the UK.</p>
<h2>What is the solution</h2>
<p>Ransomware attacks are so effective because they <a href="https://expertinsights.com/insights/how-to-stop-ransomware-attacks/">exploit human weaknesses</a> and organisations’ lack of technological defences.</p>
<p>Law enforcement authorities advise ransomware victims <a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/ico-and-%20ncsc-stand-together-against-ransomware-payments-being-made/">not to pay the ransom</a> because it encourages further attacks and fuels a <a href="https://therecord.media/ransomware-group-demands-500000-from-british-schools-citing-cyber-insurance-policy/">vicious cycle</a>. </p>
<p>But prevention is the best solution. Organisations need to put more effort into developing security measures such as a multifactor authentication system. Managers also need to carry out penetration testing, where a cybersecurity expert searches for vulnerabilities in a computer system. </p>
<p>Businesses are legally obliged to have a fire plan in place. The time has come for mandatory ransomware and phishing resilience testing. The insurance industry needs to set minimum security requirements as part of the risk assessment. Organisations need greater transparency regarding what security they do and do not have in place. </p>
<p>Consensus is growing among researchers that solid cybersecurity can’t be achieved with technology alone because human error is to blame for a huge number of incidents. The UK government is <a href="https://www.gov.uk/government/consultations/proposal-for-legislation-to-improve-the-uks-cyber-resilience">proposing new laws</a> to regulate cybersecurity standards. But these laws won’t work if the government doesn’t invest in public education about phishing threats. </p>
<p>Cybercrime insurance can help minimise business disruption, provide financial protection, and even help with legal and regulatory actions after a cyberincident. But it will not solve the problems that created the vulnerability to an attack in the first place.</p>
<p class="fine-print"><em><span>Part of the research for this article was carried out as Co-I of EPSRC funded CRITiCaL - Combatting cRiminals In The Cloud (EPSRC) June 2015 - May 2022.
<a href="https://northerncloudcrimecentre.org/">https://northerncloudcrimecentre.org/</a>
<a href="https://essl.leeds.ac.uk/education-social-sciences-law/dir-record/research-projects/350/critical-combatting-criminals-in-the-cloud">https://essl.leeds.ac.uk/education-social-sciences-law/dir-record/research-projects/350/critical-combatting-criminals-in-the-cloud</a></span></em></p>In a viscous cycle, it’s also becoming harder to get cyberinsurance.Subhajit Basu, Associate Professor in Cyberlaw; Editor-in-Chief International Review of Law Computers and Technology, University of LeedsLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1943372022-11-11T05:35:35Z2022-11-11T05:35:35ZWhat do we know about REvil, the Russian ransomware gang likely behind the Medibank cyber attack?<p>Australian Federal Police Commissioner Reece Kershaw on Friday <a href="https://www.abc.net.au/news/2022-11-11/afp-reveal-more-information-on-medibank-hacker/101643794">confirmed</a> police believe the criminal group behind the recent Medibank cyber attack is from Russia. Kershaw said their intelligence points to a</p>
<blockquote>
<p>group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world.</p>
</blockquote>
<p>Kershaw stopped short of naming any individuals or groups.</p>
<p>But experts suspect the attackers belong to, or have <a href="https://www.afr.com/technology/the-clues-that-may-reveal-the-medibank-hacker-20221110-p5bx2c">close links to</a>, the Russian-based ransomware crime group, REvil.</p>
<p>The attack so far involves a multimillion-dollar ransom demand made to the medical insurer for data on individual clients stolen in the earlier stages of the attack. The attackers originally threatened to release sensitive personal medical records, and then on Wednesday <a href="https://www.theguardian.com/australia-news/2022/nov/10/abortion-data-from-medibank-hack-posted-on-dark-web-as-clare-oneil-pledges-to-pursue-scumbags">released hundreds of records onto the dark web</a>.</p>
<p>Such attacks cause enormous personal stress for those whose data is exposed, as well as considerable reputational damage to the entities holding the data.</p>
<p>At the time the Medibank attack was publicly announced, Home Affairs Minister Clare O’Neil <a href="https://www.canberratimes.com.au/story/7949205/dog-act-medibank-hack-details-revealed/">described</a> the illegal action as a “dog act”.</p>
<p>Since then, our cyber security agencies, including the Australian Federal Police and the Australian Cyber Security Centre, have been scrambling to respond. </p>
<p>Gaining a better understanding of the groups behind these activities is therefore vital, but challenging.</p>
<p>So what do we know about REvil?</p>
<h2>Hackers for hire</h2>
<p>The group’s name is said to be a contraction of the words “ransom” and “evil”. It’s based in Russia, although its network of “affiliates” extends into Eastern Europe. </p>
<p>The view that the attack is the work of REvil is based partly on links observed between existing REvil sites on the dark web and <a href="https://www.afr.com/companies/healthcare-and-fitness/dark-web-threat-to-release-medibank-data-in-24h-20221108-p5bwck">the extortion site</a> now hosting some of the stolen Medibank data. Further information will undoubtedly come to light in the coming weeks to confirm or alter this assessment.</p>
<p>But the nature of this attack is consistent with the approach and motivations shown previously by REvil.</p>
<p>The group emerged in early 2019, having evolved from an earlier “ransomware as a service” (RaaS) group known as GandCrab.</p>
<p><a href="https://analyst1.com/file-assets/History-of-REvil.pdf">According to</a> one scholar, Jon DiMaggio, under the RaaS model REvil relied on</p>
<blockquote>
<p>hackers for hire, known as affiliates, to conduct the breach, steal victim data, delete backups and infect victim systems with ransomware for a share of the profits.</p>
</blockquote>
<p>As we have also seen in the Medibank case, another tactic of this group is to engage in double extortion, whereby failure to pay the ransom leads to the stolen data being leaked or sold in underground forums on the dark web.</p>
<p>REvil was particularly active in 2021. This included the highly damaging ransomware attack in the United States on Kaseya, a managed services provider. REvil posted a <a href="https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=53e4256657c0">ransom of US$70 million</a> for a universal decryption key to restore victims’ data.</p>
<p>Australia was also touched by REvil in 2021. The group <a href="https://www.bleepingcomputer.com/news/security/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded/">attacked JBS Foods</a>, a major producer with operations in Australia as well as Brazil. The impact on Australian meatworks operated by JBS seems not to have affected supplies of meat, thus drawing less public attention than we have seen in the Medibank case.</p>
<h2>Unstable and slippery</h2>
<p>Shortly after the Kaseya attack, in late 2021, REvil appeared to shut up shop, following leakages of information from their hacked data site and increased pressure from law enforcement.</p>
<p>However, ransomware groups such as REvil are notoriously unstable and slippery. Various factors contribute to this instability, including law enforcement pressure and greed. There’s little honour among this species of cyber “thieves” when personal survival and enrichment are at stake. The RaaS model also relies upon loose networks of associates that inevitably change over time.</p>
<p>Further evidence REvil was in retreat came in January 2022, just a month before Russia’s invasion of Ukraine. Russian law enforcement authorities announced they had <a href="https://www.washingtonpost.com/world/2022/01/14/russia-hacker-revil/">arrested some 14 alleged members of REvil</a>.</p>
<p>For a brief time, Western observers hoped the Russian action might be effective in constraining future ransomware attacks by the group.</p>
<p>But since the invasion in February this year, any pretence of cross-border cooperation in tackling these Russian groups has evaporated. Moreover, those arrested are now <a href="https://therecord.media/researchers-warn-of-revil-return-after-january-arrests-in-russia/">believed</a> to be <a href="https://us.macmillan.com/books/9780374603304/theransomwarehuntingteam">free and back in business</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/holding-the-world-to-ransom-the-top-5-most-dangerous-criminal-organisations-online-right-now-163977">Holding the world to ransom: the top 5 most dangerous criminal organisations online right now</a>
</strong>
</em>
</p>
<hr>
<p>Russian ransomware groups have close informal links to Russian security agencies such as the FSB, the Russian internal security agency. These links give the group (and other Russian cybercrime groups) a degree of licence to carry on their activities, on the strict understanding that their targets must lie outside Russia.</p>
<p>In some cases, although not so clearly in the case of REvil, these groups have expressed geopolitical motivations, directing cyber attacks against Ukrainian targets and those of countries seen to be supporting Ukraine. The Conti ransomware group is an example here of a group that publicly <a href="https://www.wired.com/story/conti-ransomware-russia/">declared its support for Russia</a> <a href="https://securitybrief.com.au/story/what-we-can-learn-from-the-leaked-conti-ransomware-group-chats">over Ukraine</a>.</p>
<p>In the Medibank example, the group behind it appears simply driven by financial gain. Medical facilities such as hospitals have proven popular targets for ransomware groups because of their sensitive information holdings and hence vulnerability to pressure to pay.</p>
<p>It seems REvil, or at least a close genetic descendant, is back in business. What we’re currently seeing is consistent with prior experience with this group: appearing, disappearing and reappearing, sometimes in a slightly altered shape. </p>
<p>Dealing with it is difficult, a bit like a game of whack-a-mole – the offenders all too easily disappear and then pop up somewhere else.</p>
<p>The root causes of ransomware today can be political as well as economic, making effective inter-country cooperation against Russian-affiliated groups almost impossible.</p>
<hr>
<p><em>This article draws upon work undertaken with my colleague David Wall (University of Leeds) examining the weaponisation of ransomware in relation to the Russia/Ukraine conflict. This work is currently in draft report form with the sponsoring organisation, the Global Initiative against Transnational Crime, Vienna and Geneva.</em></p>
<p class="fine-print"><em><span>Andrew Goldsmith receives funding from the Australian Research Council.</span></em></p>
In late 2021, REvil appeared to shut up shop. But it seems the group, or at least a close genetic descendant, is back in business.
Andrew Goldsmith, Matthew Flinders Distinguished Emeritus Professor, Flinders University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/193015
2022-10-26T19:04:06Z
2022-10-26T19:04:06Z
Why are there so many data breaches? A growing industry of criminals is brokering in stolen data
<figure><img src="https://images.theconversation.com/files/491781/original/file-20221025-20571-letjy7.jpg?ixlib=rb-1.1.0&rect=53%2C485%2C5937%2C3296&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://unsplash.com/photos/HeyFNqApSLQ"> Fili Santillán/Unsplash</a></span></figcaption></figure>
<p>New details have emerged on <a href="https://www.abc.net.au/news/2022-10-26/medibank-hack-criminals-access-hack-data/101578438">the severity of the Medibank hack</a>, which has now affected all users. Optus, Medibank, Woolworths, and, last Friday, electricity provider Energy Australia are all now among the <a href="https://www.theguardian.com/australia-news/2022/oct/21/energyaustralia-latest-to-be-hit-by-cyber-attack-as-details-of-hundreds-of-customers-exposed">household names</a> that have fallen victim to a data breach.</p>
<p>If it seems like barely a week goes by without news of another incident like this, you would be right. Cybercrime is on the rise – <a href="https://www.news.com.au/technology/online/hacking/are-data-breaches-becoming-more-frequent-a-digital-security-expert-explains/news-story/dbc55d96ca3be3106c2ae4f903286568">seven major Australian businesses</a> were affected by data breaches in the past month alone. </p>
<p>But why now? And who is responsible for this latest wave of cyber attacks?</p>
<p>In large part, the increasing number of data breaches is being driven by the growth of a global illicit industry that trades in your data. In particular, hackers known as “initial access brokers” specialise in illegally gaining access to victim networks and then selling this access to other cyber criminals. </p>
<h2>The cyber crime ecosystem</h2>
<p>Hackers and initial access brokers are just one part of a complex and diversifying <a href="https://www.sciencedirect.com/science/article/pii/S026736491830308X?casa_token=VrhGRxbgQYUAAAAA:Jxgrxbk-cJiO4OzAKoZeNA7A3R6tTRZl9zdftuqRbKzlGYaUW0PKHJeqpVSLTbt9szPfRGCqBhg">cyber crime ecosystem</a>. This ecosystem contains various cyber criminal groups who increasingly specialise in one particular aspect of online crime and then work together to carry out the attacks. </p>
<p>For example, one of the fastest-growing and most damaging forms of cyber crime – ransomware attacks – involves malicious software that paralyses a victim’s device or system until a decryption key is provided following payment of a ransom.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/what-is-ransomware-and-how-to-protect-your-precious-files-from-it-54048">What is ransomware and how to protect your precious files from it</a>
</strong>
</em>
</p>
<hr>
<p>Ransomware attacks are big business. In 2021 alone, they earned cyber criminals more than <a href="https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-ransomware/">US$600 million</a>. The huge amounts of money to be made in ransomware, and the rich abundance of targets from all around the world are fostering the development of a vast ransomware industry.</p>
<p>Ransomware attacks are complex, involving up to <a href="https://eprints.whiterose.ac.uk/180680/1/Published%20version%20-%20Final.pdf">nine different stages</a>. These include gaining access to a victim’s network, stealing data, encrypting a victim’s network, and issuing a ransom demand.</p>
<h2>Specialist criminals</h2>
<p>Increasingly, these attacks are carried out not by lone cyber criminal groups, but rather by networks of different cyber crime groups, each of which specialises in a different stage of the attack. </p>
<p>Initial access brokers will often carry out the first stage of a ransomware attack. Described by <a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/">Google’s Threat Analysis Group</a> as “the opportunistic locksmiths of the security world”, it’s their job to gain access to a victim’s network.</p>
<p>Once they have compromised a victim’s network, they typically sell this access to other groups who will then steal data and deploy the ransomware that paralyses the victim’s computer systems.</p>
<p>There is a massive and growing underground market for this type of crime. Dozens of online marketplaces on both the dark web and <a href="https://www.kaspersky.com.au/blog/deep-web-dark-web-darknet-surface-web-difference/28852/">surface web</a> offer services from initial access brokers.</p>
<p>Their access to companies can be purchased for <a href="https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf">as little as US$10</a>, although more privileged, administrator-level access to larger companies often commands prices of <a href="https://www.digitalshadows.com/blog-and-research/initial-access-brokers-in-2021-an-ever-expanding-threat/">several thousands of dollars</a> or more. </p>
<h2>Responding to the growing cyber threat</h2>
<p>Over the past month, we have seen <a href="https://www.theguardian.com/technology/2022/oct/24/medibank-hack-started-with-theft-of-staff-members-credentials-investigation-suggests">several instances</a> of cyber criminals forgoing actual ransomware. Instead, they sought to directly extort companies by threatening to publicly release any data they have stolen.</p>
<p>While not as devastating as a ransomware attack, data breaches can cause serious financial and reputational damage to an organisation (just ask <a href="https://www.smh.com.au/culture/celebrity/brutal-reality-of-life-at-the-top-of-the-corporate-ladder-20220927-p5blb9.html">Optus chief executive Kelly Bayer Rosmarin</a>), not to mention major problems for any customers or clients who now have their private information released online.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/ive-given-out-my-medicare-number-how-worried-should-i-be-about-the-latest-optus-data-breach-191575">I've given out my Medicare number. How worried should I be about the latest Optus data breach?</a>
</strong>
</em>
</p>
<hr>
<p>In the final six months of 2021, <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021">more than 460 data breaches</a> were reported to government authorities. Even more worryingly, this number is almost certainly an underestimate.</p>
<p>While companies with a turnover of more than AU$3 million are required by law to report data breaches involving personal information, most small businesses are not subject to mandatory reporting laws. Therefore, they have little incentive to report a data breach that could scare off customers and damage their brand. </p>
<h2>Taking action against cyber crime</h2>
<p>So what can we do about it? In the first instance, companies need to rethink their approach to data. Data should be treated not simply as an asset that can be freely held and traded in, but also as a liability that needs to be carefully protected.</p>
<p><a href="https://www.sbs.com.au/news/article/optus-faces-a-customer-exodus-calls-for-compensation-amid-anger-over-leaked-data/mw79n7avs">Some experts</a> are calling for Australia to follow the European Union’s approach and to introduce stricter corporate regulations that better protect consumer data. </p>
<p>This week the federal government also <a href="https://www.smh.com.au/politics/federal/companies-face-hundred-million-dollar-fines-for-privacy-breaches-20221021-p5brt7.html">introduced plans to fine companies</a> that do not maintain sufficient cyber security and suffer repeated data breaches.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/after-the-optus-data-breach-australia-needs-mandatory-disclosure-laws-192612">After the Optus data breach, Australia needs mandatory disclosure laws</a>
</strong>
</em>
</p>
<hr>
<p>Reforms like this could help, particularly in preventing relatively unsophisticated data breaches, like the one that <a href="https://thenewdaily.com.au/finance/finance-news/2022/09/27/optus-hack-childs-play/">recently affected Optus</a>.</p>
<p>On the other hand, punitive fines on victims could further strengthen the hand of entrepreneurial cyber criminals – they could try to leverage these fines to further extort their victims.</p>
<p>There is no silver bullet to solving the threats posed by cyber criminals. At a minimum, both government and industry must continue to work together to improve our cyber defences and resilience. Through research, we must also work to better understand the global cyber crime ecosystem as it continues to evolve.</p>
<p class="fine-print"><em><span>James Martin receives funding from the Australian Institute of Criminology and the Cyber Security Cooperative Research Centre.</span></em></p>
<p class="fine-print"><em><span>Chad Whelan receives funding from sources for related work, including the Australian Institute of Criminology and the Cyber Security Cooperative Research Centre.</span></em></p>
The cybercrime ecosystem is vast and complex – and increasingly littered with specialists who will cheaply sell your data.
James Martin, Senior Lecturer in Criminology, Deakin University
Chad Whelan, Professor of Criminology, Deakin University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/188677
2022-08-17T18:08:16Z
2022-08-17T18:08:16Z
Before paying a ransom, hacked companies should consider their ethics and values
<figure><img src="https://images.theconversation.com/files/479427/original/file-20220816-1877-maolbq.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C7360%2C4902&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Ransomware attacks are increasing in frequency.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>The recent cyberattacks in August on <a href="https://www.itworldcanada.com/article/canadian-recreational-vehicle-maker-brp-ontario-cannabis-store-dealing-with-cyber-attacks/497252">Bombardier Recreational Products and the Ontario Cannabis Store</a> highlight the continuing scourge of cyber criminals and ransomware. </p>
<p>Ransomware is malware (malicious software) that gets into an information system and blocks access to the computer or its files until the victim pays to obtain a key, or password. The term “ransomware” did not enter the popular lexicon until about 10 years ago <a href="https://www.washingtontimes.com/news/2018/jan/31/ransomware-added-to-oxford-english-dictionary-in-l/">(and it was added to the Oxford English Dictionary in 2018)</a>. </p>
<p>It has now evolved, and in 2021, <a href="https://www.hsgac.senate.gov/imo/media/doc/HSGAC%20Majority%20Cryptocurrency%20Ransomware%20Report.pdf">there were 3,729 ransomware complaints registered, with losses of US$49.2 million in designated critical infrastructures alone</a>. The average ransomware payment climbed 82 per cent to hit a record US$570,000 in the first half of 2021.</p>
<p>And it’s only going to get worse. The FBI’s <a href="https://www.ic3.gov/">Internet Crime Complaint Center</a> reported 2,084 ransomware complaints from January to July 31, 2021 – a 62 per cent year-over-year increase.</p>
<p>For any organization, cyberattacks are not a matter of “if,” but “when”: A cyberattack is inevitable. This forces leaders to ask: Do we pay the ransom or not?</p>
<p>Roughly <a href="https://blog.knowbe4.com/ransomware-predicted-to-cost-20-billion-in-damages-globally-by-2021">half of all organizations opt to pay ransom</a>. But that also means that roughly half do not. What makes this an especially wicked problem is that there is no correct answer or clear structure. So the question becomes: Under what conditions should a ransom be paid? And what factors can help leaders make this decision?</p>
<h2>Blocking access</h2>
<p>There are four core actions that ransomware can execute, embodied in the acronym LEDS: Lock, Encrypt, Delete or Steal. Ransomware can lock, or prevent access to, data or an information system, requiring a key to unlock. Similarly, it can allow access, but the data are gibberish because they have been encrypted in place, again requiring a decryption key to make them legible. Data can be deleted in place (erased), or stolen and sold to the highest bidder. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="computer screen with the words SYSTEM HACKED displayed" src="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=413&fit=crop&dpr=1 600w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=413&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=413&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=519&fit=crop&dpr=1 754w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=519&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=519&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Ransomware removes or prevents access to companies’ data.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>What makes today’s ransomware attacks especially harmful and insidious is that they often deploy more than one of these effects.</p>
<p>Once malware is embedded in an organization’s system, <a href="https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/">the criminals contact the victim</a>, usually through an anonymous email, or through the malware itself (pop-up window) demanding immediate payment of a ransom in cryptocurrency, and typically threatening further harm. </p>
<p>Paying the ransom may lead to a decryption key being provided which, when entered in the pop-up window, immediately unlocks the system and anything that has been encrypted.</p>
<h2>Considerations before payment</h2>
<p>There are two dimensions to be considered when deciding to pay a ransom: the business decision and the ethical one.</p>
<p>Law enforcement authorities, including <a href="https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware">the FBI</a> and <a href="https://www.rcmp-grc.gc.ca/en/prevent-ransomware">the RCMP</a>, adamantly advise against paying ransom, ever. They do so for two good reasons: first, it rewards and encourages criminal activity. Second, it may further endanger the organization when it becomes known in hacker circles that this is an organization willing to pay. </p>
<p>In other words, it may not make the crime go away and may make you even more of a target.</p>
<p>If the criminals are not a known terrorist organization, then payment of a ransom is not a crime. This might change, as some countries, notably the United States, are proposing enactment of Sanctions Compliance Laws criminalizing all cyber-ransom payments. It might be difficult to attribute the attack, which is why the hackers often identify themselves to their victims. </p>
<h2>An honest crime</h2>
<p>There is a compelling business case to be made for paying a ransom demand. The crime works because, if you will, it is an honest one. That is, <a href="https://www.proofpoint.com/us/resources/threat-reports/state-of-phish">70 per cent of the time</a>, paying a ransom will result in a valid decryption key being provided. </p>
<p>This makes sense. For criminals to profit from this endeavor, they must show good faith and deliver on their promise.</p>
<p>Criminals also know this. Targeted campaigns see attackers spending on average nearly six months inside a company’s network before deploying the ransomware. They do so to ensure that their malware has infected as many systems as possible, including backups; to identify and extract the items of greatest value; to ensure they do not leave traces; and to gather any business intelligence (such as incident response plans or insurance policies). This allows them to determine the maximum amount of ransom to demand.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="padlocks represented digitally, all are blue with the exception of a red one which is broken open" src="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">For ransomware to be a lucrative endeavor for criminals, they have to release the data once they have received payment.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>This is the essence of the business case decision. Suppose, for example, that the cost of a ransom event is estimated to be $500,000 (based on the size of the database, time to recover, data validation upon recovery and other expenses). A ransom demand of $250,000 is clearly a better alternative because it is not only cheaper, but faster than the alternative. </p>
<p>Organizations can calculate the cost of various incidents and determine, in principle, their willingness to pay for each possible ransom scenario. This leads to the development of what is referred to as a ransomware payment matrix for the organization.</p>
<h2>Moral dimensions</h2>
<p>However, there is also a moral, or ethical dimension to this decision. Payments to criminals might not be consistent with the organization’s core values, culture or code of ethics. Even if they are, this might not sit well with the company’s employees, clients and other stakeholders. </p>
<p>There are many frameworks and theories dealing with ethics in the workplace, and leaders need to avail themselves of one or more. This will help them make a decision regarding paying a ransom because, while it may make great business sense to pay a ransom, it may not be the right thing to do for the organization. </p>
<p>Instead, the organization may choose to invest funds that would otherwise go to ransom payments into training, cyber-protection and upgrading and patching systems.</p>
<p>Whatever the decision, it is critical to explore all options well before any cyberattacks occur. This includes holding discussions with employees, customers and other stakeholders. It also includes insurers (who are increasingly loath to insure against ransomware events) and law enforcement authorities.</p>
<p>Accepting the inevitability of a cyberattack and thoroughly exploring different scenarios will have the dual effect of not only preparing for the attack, but allowing for a more effective response when it occurs.</p>
<p class="fine-print"><em><span>Michael Parent does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Cyberattacks demanding ransoms for the release of information are on the rise. To determine if they should pay, businesses need to think about how they would react in such a scenario.
Michael Parent, Professor, Management Information Systems, Simon Fraser University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/187589
2022-08-08T12:21:01Z
2022-08-08T12:21:01Z
Rise of precision agriculture exposes food system to new threats
<figure><img src="https://images.theconversation.com/files/477469/original/file-20220803-13-8yd7pe.jpg?ixlib=rb-1.1.0&rect=0%2C4%2C3224%2C2234&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Agriculture is becoming increasingly dependent on technology.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/usdagov/50238208213">U.S. Department of Agriculture Photo by Lance Cheung</a></span></figcaption></figure>
<p>Farmers are <a href="https://ag.purdue.edu/commercialag/home/sub-articles/2021/03/adoption-of-precision-agriculture-technologies/">adopting precision agriculture</a>, using data collected by GPS, satellite imagery, internet-connected sensors and other technologies to farm more efficiently. While these practices could help increase crop yields and reduce costs, the technology behind the practices is creating opportunities for extremists, terrorists and adversarial governments to attack farming machinery, with the aim of disrupting food production.</p>
<p>Food producers around the world have been under increasing pressure, a problem <a href="https://www.nbcnews.com/news/world/russia-ukraine-war-grain-blockade-global-food-crisis-rcna25910">exacerbated by the war in Ukraine</a> and rising fuel and fertilizer costs. Farmers are trying to produce more food but with fewer resources, pushing the food production system <a href="https://www.washingtonpost.com/world/2021/12/15/global-food-crisis-pandemic/">toward its breaking point</a>.</p>
<p>In this environment, it’s understandable that many U.S. farmers are <a href="https://doi.org/10.1016/j.gfs.2016.07.005">turning to modern information technologies</a> to support decision-making and operations in managing crop production. These precision agriculture practices lead to more efficient use of land, water, fuel, fertilizer and pesticides so that farmers can grow more, reduce costs and <a href="https://www.ars.usda.gov/oc/utm/benefits-and-evolution-of-precision-agriculture/">minimize their impact on the environment</a>. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="rows of plants growing out of black plastic bags, some with metal poles and wires holding white plastic devices attached to the plants" src="https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=407&fit=crop&dpr=1 600w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=407&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=407&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=511&fit=crop&dpr=1 754w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=511&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/477746/original/file-20220804-5517-5r07f2.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=511&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Precision agriculture can include sensors that monitor crops, such as these avocado plants.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:Avocado_plant_monitoring_Precision_Agriculture.png">Simple loquat/Wikimedia</a></span>
</figcaption>
</figure>
<p>As researchers in <a href="https://scholar.google.com/citations?hl=en&user=_VNMFmgAAAAJ&view_op=list_works&sortby=pubdate">cybersecurity</a> and <a href="https://scholar.google.com/citations?hl=en&user=CH2XK2wAAAAJ&view_op=list_works&sortby=pubdate">national security</a> at the <a href="https://www.unomaha.edu/ncite/index.php">National Counterterrorism Innovation, Technology, and Education Center</a>, we see cause for concern. The advent of precision farming comes at a time of significant upheaval in the global supply chain and as the number of foreign and domestic hackers with the ability to <a href="https://www.govtech.com/security/agriculture-industry-on-alert-after-string-of-cyber-attacks">exploit this technology</a> continues to grow.</p>
<h2>New opportunities for exploitation</h2>
<p>Cyberattacks against agricultural targets are not some far-off threat; they are already happening. For example, in 2021 a ransomware attack forced a fifth of the beef processing plants in the U.S. to shut down, with one company paying nearly $11 million to cybercriminals. REvil, a Russia-based group, <a href="https://investigatemidwest.org/2021/10/13/fbi-says-ransomware-attacks-on-food-and-agriculture-industry-are-increasing/">claimed responsibility for the attack</a>. </p>
<p>Similarly, a grain storage cooperative in Iowa was targeted by a Russian-speaking group called BlackMatter, who claimed that they had <a href="https://www.reuters.com/technology/iowa-farm-services-company-reports-cybersecurity-incident-2021-09-20/">stolen data from the cooperative</a>. While previous attacks have targeted larger companies and cooperatives and aimed to extort the victims for money, individual farms could be at risk, too.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="three squat cylindrical structures with conical tops connected by a pipe stand in a row perpendicular to a cluster of narrower, taller vertical cylindrical structures topped by a catwalk" src="https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=392&fit=crop&dpr=1 600w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=392&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=392&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=493&fit=crop&dpr=1 754w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=493&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/477748/original/file-20220804-23-ffc4lt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=493&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">This grain storage facility is run by New Cooperative, a farm cooperative in Iowa that was hit by a ransomware attack in 2021.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:NEW_Cooperative_facility_Knierim_Iowa_20211104.jpg">Jstuby/Wikimedia</a></span>
</figcaption>
</figure>
<p>The integration of technologies into farm equipment, from GPS-guided tractors to artificial intelligence, potentially increases the ability of hackers to attack this equipment. And though farmers might not be ideal targets for ransomware attacks, farms could be tempting targets for hackers with other motives, including terrorists.</p>
<p>For example, an attacker could look to exploit vulnerabilities within fertilizer application technologies, which could result in a farmer unwittingly applying too much or too little nitrogen fertilizer to a particular crop. A farmer could then end up with either a below-expected harvest, or a field that has been over fertilized, resulting in waste and long-term environmental ramifications.</p>
<h2>Slow to appreciate the threat</h2>
<p>Disruption to sensitive industries and infrastructure gives attackers higher returns for their efforts. This means that the increasing stress on the global food supply raises the stakes and creates a stronger motivation to disrupt the U.S. agriculture sector.</p>
<p>Unlike other critical industries such as <a href="https://www.aba.com/banking-topics/technology/cybersecurity">finance</a> and <a href="https://doi.org/10.3233/THC-161263">health care</a>, the farming industry has been slow to recognize cybersecurity risks and take steps to mitigate them. There are several possible reasons for this sluggishness. </p>
<p>One is that many farmers and agricultural providers haven’t viewed cybersecurity as a significant enough problem compared with other risks they face such as floods, fires and hail. A 2018 Department of Homeland Security <a href="https://www.cisa.gov/uscert/ncas/current-activity/2018/10/03/Cybersecurity-Threats-Precision-Agriculture">report</a> that surveyed precision agriculture farmers throughout the U.S. found that many did not fully understand the cyberthreats introduced by precision agriculture, nor did they take these cyber-risks seriously enough.</p>
<p>This lack of preparedness leads to another reason: limited oversight and regulation from government. In 2010, the U.S. Department of Agriculture classified cybersecurity as a low priority. <a href="https://isalliance.org/sectors/agriculture/">While this classification was upgraded in 2015</a>, the farming sector is likely to be playing catch-up for years. While other critical infrastructure industries have developed and published numerous <a href="https://doi.org/10.1016/j.diin.2017.07.006">countermeasures</a> and <a href="https://www.pcisecuritystandards.org/document_library/?category=pcidss&document=pci_dss">best practices</a> for cybersecurity, the same cannot be said for the farming sector. </p>
<p>The Biden administration has indicated that it is willing to <a href="https://www.wsj.com/video/events/agriculture-secretary-tom-vilsack-on-food-farming-and-climate-change/3D9C4481-4197-4672-B263-D0483DC007E3.html">help farmers take steps to protect their cyber infrastructure</a>, but as of this writing it has not released public guidelines to assist with this effort. </p>
<h2>All-hands approach</h2>
<p>In addition to the pressing need for policy guidance and resources from federal, state and local governments to prevent this type of cyberattack, there is room for academia and industry to step up. </p>
<p>From an academic research perspective, multidisciplinary efforts that bring together researchers from precision agriculture, robotics, cybersecurity and political science can help identify potential solutions. To this end, we and researchers at the University of Nebraska-Lincoln have launched the <a href="https://www.unomaha.edu/news/2022/06/grispos-cybersecurity-testbed.php">Security Testbed for Agricultural Vehicles and Environments</a>. </p>
<p>Farming equipment manufacturers and other industry organizations can help by designing and engineering equipment to account for cybersecurity considerations. This would lead to the manufacture of farming equipment that not only maximizes food production yields but also minimizes exposure to cyberattacks.</p>
<p class="fine-print"><em><span>Austin C. Doctor receives funding from the Department of Homeland Security. </span></em></p><p class="fine-print"><em><span>George Grispos does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Bringing advanced technologies to the ancient practice of farming could help feed the world’s growing population, but it could also open the door for people looking to disrupt the global food system.</p>
<p>George Grispos, Assistant Professor of Cybersecurity, University of Nebraska Omaha</p>
<p>Austin C. Doctor, Assistant Professor of Political Science, University of Nebraska Omaha</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>5 big trends in Australians getting scammed</strong> (published 2022-07-06T19:55:47Z)</p>
<figure><img src="https://images.theconversation.com/files/472737/original/file-20220706-16-4kib7q.jpg?ixlib=rb-1.1.0&rect=600%2C413%2C3987%2C1959&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Greed, desire, wishful thinking and naivety are lucrative markets for scam artists – and their age-old hustles are increasingly being supplemented by digital chicanery.</p>
<p>In 2021 Australians lost an estimated $2 billion to fraudsters, more than double that of 2020, according to the Australian Competition and Consumer Commission.</p>
<p>The consumer watchdog’s latest <a href="https://www.accc.gov.au/publications/targeting-scams-report-on-scam-activity/targeting-scams-report-of-the-accc-on-scams-activity-2021">scam report</a> details more than 20 different scam types, primarily based on reports made to its <a href="https://www.scamwatch.gov.au/">Scamwatch</a> agency. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australians-lost-2b-to-fraud-in-2021-this-figure-should-sound-alarm-bells-for-the-future-186459">Australians lost $2b to fraud in 2021. This figure should sound alarm bells for the future</a>
</strong>
</em>
</p>
<hr>
<p>Some scams are perennials. Topping Scamwatch’s list are investment scams, dating and romance scams, false billing, remote access scams (convincing you to allow access to your computer or phone), and threats or blackmail.</p>
<p>This article is going to focus on the five scam types that have grown most in value from 2020. </p>
<p>These aren’t necessarily the scams anyone (including you) is most likely to fall for. But they provide a useful snapshot of how scam techniques that rely on human nature are increasingly being executed via technology.</p>
<h2>1. Ransomware and malware</h2>
<p>This type of scam has been on the wane due to the use of anti-malware protection. But in 2021 it roared back with a 1,482% rise in reported losses over 2020. </p>
<p>This was mostly due to 2020 numbers being much lower than 2019, but the reported costs per incident (about $21,704) are still worrying given how easily such scams can be spread.</p>
<p>They typically involve installing malicious software on your computer or phone to make files inaccessible or lock the device. This is done by sending a bogus email, text message or voicemail with an enticing message directing you to a link that automatically installs the malicious software when you open it. The scammer then demands a payment to “unlock” the system. </p>
<figure class="align-center ">
<img alt="Messages about deliveries are a common way to spread malware." src="https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=370&fit=crop&dpr=1 600w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=370&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=370&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=465&fit=crop&dpr=1 754w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=465&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/472733/original/file-20220706-21-826fz2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=465&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Messages about deliveries are a common way to spread malware.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>Contributing to ransomware’s resurgence was the Flubot scam, in which tens of thousands of Australians with Android phones received scam text messages about missed calls or deliveries. The malware could harvest banking details as well as use contact lists to spread to other devices. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/is-australia-a-sitting-duck-for-ransomware-attacks-yes-and-the-danger-has-been-growing-for-30-years-161818">Is Australia a sitting duck for ransomware attacks? Yes, and the danger has been growing for 30 years</a>
</strong>
</em>
</p>
<hr>
<h2>2. Pyramid schemes</h2>
<p>The pyramid scheme promises you riches by recruiting others to the scheme. While such recruitment is also a feature of multi-level marketing (also known as referral selling schemes), in an illegal pyramid scheme financial returns are entirely or substantially reliant on convincing other people to join.</p>
<p>In 2021 reported losses from pyramid schemes were 368% higher than in 2020. This was due, as with malware, to losses in 2020 being abnormally low. But even though the total number of reported cases was quite low (fewer than 500), the percentage of those reports involving people losing money was one of the highest (44%), with an average loss of $6,239. </p>
<p>This suggests pyramid scams remain quite alluring to some people. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/1QkZcdCDJJg?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Pyramid and ponzi schemes explained in one minute.</span></figcaption>
</figure>
<h2>3. Identity theft</h2>
<p>Identity theft – using your personal information to steal money from you or someone else – is one of the most challenging scams to deal with. It may involve stealing money from your own account or using your identity for credit purchases, which you then have to untangle. </p>
<p>This is a true growth area. In 2021 there were 22,354 identity theft reports, up from 20,939 in 2020. While only 951 of these cases (about 4%) reported losses, average losses more than doubled to about $10,683. The total losses ($10,159,930) were 230% higher than in 2020. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/how-cybercriminals-turn-paper-checks-stolen-from-mailboxes-into-bitcoin-173796">How cybercriminals turn paper checks stolen from mailboxes into bitcoin</a>
</strong>
</em>
</p>
<hr>
<h2>4. Investment scams</h2>
<p>Investment scams tempt victims with promises of large profits from share deals and crypto-currency opportunities. In 2021, 4,068 Australians reported losing more than $177 million on such scams – an average loss of about $45,350.</p>
<p>While investment scams come in many varieties, the Scamwatch report itemises three main types. Cryptocurrency scams accounted for $99 million of reported losses. The selling of fake high-yield corporate or government bonds accounted for $16 million. Ponzi schemes, which create the charade of investment success by paying dividends from the money of new victims, accounted for $8 million. </p>
<p>Ponzi schemes are named after Charles Ponzi, who in the 1920s promised to double people’s money in 45 days. One such scheme doing the rounds in 2021 was the <a href="https://www.abc.net.au/news/2021-08-26/qld-hope-business-investment-app-scam-pyramid-scheme/100396922">Hope Business</a> app, which promised windfall returns simply by paying money into an account. </p>
<p>Interestingly the consumer watchdog’s report says men were almost twice as likely to be victims of investment scams and reported double the losses of female victims.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/scams-and-cryptocurrency-can-go-hand-in-hand-heres-how-they-work-and-what-to-watch-out-for-182033">Scams and cryptocurrency can go hand in hand – here's how they work and what to watch out for</a>
</strong>
</em>
</p>
<hr>
<h2>5. Phishing</h2>
<p>Phishing, closely linked to identity theft, was the most reported scam in 2021 – with 71,308 cases, compared to 44,079 in 2020 and 25,168 in 2019. </p>
<p>These scams are usually seeking to obtain our credentials (passwords) to various services including email, online banking and government services such as MyGov.</p>
<p>That just 861 cases reported a direct financial loss suggests this is one of the most recognised scams. We’ve all had emails or SMS messages asking us to confirm our details or click a link to listen to a voicemail or receive a parcel.</p>
<p>Even so, a total of $4.3 million was reported lost from phishing scams in 2021 – 156% more than in 2020. The average loss was slightly more than $5,000. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/your-digital-footprints-are-more-than-a-privacy-risk-they-could-help-hackers-infiltrate-computer-networks-177123">Your digital footprints are more than a privacy risk – they could help hackers infiltrate computer networks</a>
</strong>
</em>
</p>
<hr>
<h2>How to avoid being scammed</h2>
<p>If something seems too good to be true, it probably is. If you have any inkling you may be being scammed, the best advice is to stop and think. </p>
<p>If you are being asked to move money, make an unexpected payment or send personal information to someone, stop. </p>
<p>If you are being asked to provide information or take some action, contact the organisation involved using a number you already have (bank statement, credit card etc) or find the number yourself.</p>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Scam techniques that rely on human nature are increasingly being executed via technology. Here are five that recorded big increases in 2021.</p>
<p>Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>Scams and cryptocurrency can go hand in hand – here’s how they work and what to watch out for</strong> (published 2022-06-21T11:47:15Z)</p>
<figure><img src="https://images.theconversation.com/files/469023/original/file-20220615-25-5sc87d.jpg?ixlib=rb-1.1.0&rect=17%2C26%2C5779%2C3966&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The anonymous nature of cryptocurrency transactions is ideal for con artists.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/hacker-stealing-password-and-identity-computer-royalty-free-image/992840396">seksan Mongkhonkhamsao/Moment via Getty Images</a></span></figcaption></figure>
<p>When one of our students told us they were going to drop out of college in August 2021, it wasn’t the first time we’d heard of someone ending their studies prematurely.</p>
<p>What was new, though, was the reason. The student had become a victim of a cryptocurrency scam and had lost all their money – including a bank loan – leaving them not just broke, but in debt. The experience was financially and psychologically traumatic, to say the least.</p>
<p>This student, unfortunately, is not alone. Currently there are hundreds of millions of cryptocurrency owners, with <a href="https://assets.ctfassets.net/hfgyig42jimx/5i8TeN1QYJDjn82pSuZB5S/85c7c9393f3ee67e456ec780f9bf11e3/Cryptodotcom_Crypto_Market_Sizing_Jan2022.pdf">estimates predicting further rapid growth</a>.
As the number of people owning cryptocurrencies has increased, so has the number of scam victims. </p>
<p>We study <a href="https://scholar.google.com/citations?hl=en&user=tLkeURsAAAAJ">behavioral economics</a> and <a href="https://scholar.google.com/citations?hl=en&view_op=list_works&gmla=AJsN-F4Duqf9w-yRoxI_zWEQFHqsNVBbjyTuzE_DcB9qQZd43DA-MXVCyxnE5gPF2STCeZGNVUb9yS-Dw3pwJFdrL22oit3ZKA&user=NsBe-cYAAAAJ">psychology</a> – and recently published a <a href="https://www.routledge.com/A-Fresh-Look-at-Fraud-Theoretical-and-Applied-Perspectives/Hanoch-Wood/p/book/9780367861445">book about the rising problem of fraud, scams and financial abuse</a>. There are reasons why cryptocurrency scams are so prevalent. And there are steps you can take to reduce your chances of becoming a victim.</p>
<h2>Crypto takes off</h2>
<p>Scams are not a recent phenomenon, with <a href="https://www.routledge.com/A-Fresh-Look-at-Fraud-Theoretical-and-Applied-Perspectives/Hanoch-Wood/p/book/9780367861445">stories about them dating back to biblical times</a>. What has fundamentally changed is the ease by which scammers can reach millions, if not billions, of individuals with a press of a button. The internet and other technologies have simply changed the rules of the game, with cryptocurrencies coming to epitomize the leading edge of these <a href="https://consumer.ftc.gov/articles/what-know-about-cryptocurrency-and-scams">new cybercrime opportunities</a>. </p>
<p>Cryptocurrencies – which are <a href="https://www.coindesk.com/learn/what-is-cryptocurrency/">decentralized, digital currencies that use cryptography to create anonymous transactions</a> – were originally driven by “<a href="https://nakamoto.com/the-cypherpunks/">cypherpunks</a>,” individuals concerned with privacy. But they have expanded to capture the minds and pockets of everyday people and criminals alike, especially during the COVID-19 pandemic, when <a href="https://harbert.auburn.edu/news/is-cryptocurrency-going-mainstream-yes-but-theres-more-to-the-story.html">the price of various cryptocurrencies shot up and cryptocurrencies became more mainstream</a>. <a href="https://www.bitdefender.com/blog/hotforsecurity/fake-covid-19-cryptocurrency-emerges-promising-to-gain-value-with-each-death">Scammers capitalized on their popularity</a>. The pandemic also caused a disruption to mainstream business, <a href="https://doi.org/10.1016/j.frl.2021.102049">leading to greater reliance on alternatives such as cryptocurrencies</a>. </p>
<p>A January 2022 report by <a href="https://www.chainalysis.com/">Chainalysis</a>, a blockchain data platform, suggests <a href="https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/">in 2021 close to US$14 billion was scammed</a> from investors using cryptocurrencies. </p>
<p>For example, in 2021, two brothers from South Africa managed to <a href="https://www.bloomberg.com/news/articles/2021-06-23/s-african-brothers-vanish-and-so-does-3-6-billion-in-bitcoin">defraud investors of $3.6 billion</a> from a cryptocurrency investment platform. In February 2022, the FBI announced it had arrested a couple who used a fake cryptocurrency platform to <a href="https://www.euronews.com/next/2022/02/09/us-couple-arrested-for-alleged-fraud-after-3-6-billion-stolen-bitcoin-seized-in-a-record-h">defraud investors of another $3.6 billion</a>. </p>
<p>You might wonder how they did it. </p>
<h2>Fake investments</h2>
<p>There are two main types of cryptocurrency scams that tend to target different populations. </p>
<p>One targets cryptocurrency investors, who tend to be <a href="https://doi.org/10.1093/rof/rfab034">active traders holding risky portfolios</a>. They are mostly younger investors, under 35, who <a href="https://blog.bitpanda.com/en/understanding-cryptocurrency-holders-in-europe">earn high incomes, are well educated and work in engineering, finance or IT</a>. In these types of frauds, scammers create fake coins or fake exchanges. </p>
<p>A recent example is SQUID, a cryptocurrency coin named after the TV drama “Squid Game.” After the new coin skyrocketed in price, its creators <a href="https://www.cnn.com/2021/11/01/investing/squid-game-cryptocurrency-scam/index.html">simply disappeared with the money</a>. </p>
<p>A variation on this scam involves enticing investors to be among the first to purchase a new cryptocurrency – a process called an initial coin offering – with promises of large and fast returns. But unlike the SQUID offering, no coins are ever issued, and would-be investors are left empty-handed. In fact, <a href="https://research.bloomberg.com/pub/res/d28giW28tf6G7T_Wr77aU0gDgFQ">many initial coin offerings turn out to be fake</a>, but because of the complex and evolving nature of these new coins and technologies, even educated, experienced investors can be fooled. </p>
<p>As with all risky financial ventures, anyone considering buying cryptocurrency should follow the age-old advice to thoroughly research the offer. Who is behind the offering? What is known about the company? Is a white paper, an informational document issued by a company outlining the features of its product, available? </p>
<p>In the SQUID case, one warning sign was that investors who had bought the coins were unable to sell them. The SQUID website was also riddled with grammatical errors, which is typical of many scams. </p>
<h2>Shakedown payments</h2>
<p>The second basic type of cryptocurrency scam simply uses cryptocurrency as the payment method to transfer funds from victims to scammers. All ages and demographics can be targets. These include ransomware cases, romance scams, computer repair scams, sextortion cases, Ponzi schemes and the like. Scammers are simply capitalizing on the anonymous nature of cryptocurrencies to hide their identities and evade consequences.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Close-up of man's fingers typing an 'I love you' text message on a mobile phone." src="https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=376&fit=crop&dpr=1 600w, https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=376&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=376&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=473&fit=crop&dpr=1 754w, https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=473&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/469076/original/file-20220615-14-58glsr.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=473&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Romance frauds often result in requests for cryptocurrency.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/sending-i-love-you-text-message-with-mobile-phone-royalty-free-image/1158779123">Tero Vesalainen/iStock via Getty Images</a></span>
</figcaption>
</figure>
<p>In the recent past, scammers would request wire transfers or gift cards to receive money – as they are irreversible, anonymous and untraceable. However, such payment methods do require potential victims to leave their homes, where they might encounter a third party who can intervene and possibly stop them. Crypto, on the other hand, can be purchased from anywhere at any time. </p>
<p>Indeed, Bitcoin has become the most common currency requested in ransomware cases, <a href="https://blog.emsisoft.com/en/33977/is-ransomware-driving-up-the-price-of-bitcoin/#:%7E:text=Bitcoin%20accounted%20for%20about%2098,part%20of%20the%20ransomware%20model">being demanded in close to 98% of cases</a>. According to the U.K. National Cyber Security Center, sextortion scams often request individuals to <a href="https://www.ncsc.gov.uk/guidance/sextortion-scams-how-to-protect-yourself">pay in Bitcoin and other cryptocurrencies</a>. Romance scams targeting younger adults are <a href="https://www.ncsc.gov.uk/guidance/sextortion-scams-how-to-protect-yourself">increasingly using cryptocurrency</a> as part of the scam. </p>
<p>If someone is asking you to transfer money to them via cryptocurrency, you should see a giant red flag. </p>
<h2>The Wild West</h2>
<p>In the field of financial exploitation, more work has been done to study and educate elderly scam victims, because of the <a href="https://doi.org/10.1007/s11606-014-2946-2">high levels of vulnerability in this group</a>. Research has identified common traits that make someone especially vulnerable to scam solicitations. They include <a href="https://doi.org/10.1177/0963721421995489">differences in cognitive ability, education, risk-taking and self-control</a>.</p>
<p>Of course, younger adults can also be vulnerable and indeed are becoming victims, too. There is a clear need to broaden education campaigns to include all age groups, including young, educated, well-off investors. We believe authorities need to step up and employ new methods of protection. For example, the regulations that currently apply to financial advice and products could be extended to the cryptocurrency environment. Data scientists also need to better track and trace fraudulent activities. </p>
<p>Cryptocurrency scams are especially painful because the probability of retrieving lost funds is close to zero. For now, cryptocurrencies have no oversight. They are simply the Wild West of the financial world.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>From initial coin offerings that are totally fake to fraudsters demanding payments in crypto, scams involving cryptocurrencies are on the rise. Two experts explain why – and how to protect yourself.</p>
<p>Yaniv Hanoch, Associate Professor in Risk Management, University of Southampton</p>
<p>Stacey Wood, Professor of Psychology, Scripps College</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>How the Biden administration is making gains in an uphill battle against Russian hackers</strong> (published 2022-01-21T13:40:59Z)</p>
<figure><img src="https://images.theconversation.com/files/441408/original/file-20220118-23-ta8go3.jpg?ixlib=rb-1.1.0&rect=48%2C0%2C5395%2C3577&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Shortly after taking office, President Biden declared that the U.S. would no longer roll over in the face of Russian cyberattacks.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/Biden/29e09be03a1948fca6c2bc88ff5d40d5/photo">AP Photo/Evan Vucci</a></span></figcaption></figure>
<p>On Jan. 14, 2022, the FSB, Russia’s domestic intelligence service, announced that it had <a href="https://www.reuters.com/technology/russia-arrests-dismantles-revil-hacking-group-us-request-report-2022-01-14/">broken up the notorious Russia-based REvil</a> ransomware criminal organization. The FSB said the actions were taken in response to <a href="http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html">a request from U.S. authorities</a>. 
The move marks a <a href="https://www.wired.com/story/russia-revil-ransomware-arrests-ukraine/">dramatic shift in Russia’s response</a> to criminal cyberattacks launched against U.S. targets from within Russia, and comes at a time of heightened tensions between the two countries.</p>
<p>U.S. policy and actions in response to cyberattacks connected to Russia have changed distinctly since the Biden administration took office. President Joe Biden has openly confronted Russian President Vladimir Putin on his <a href="https://www.cnn.com/2021/07/09/politics/biden-putin-call-syria-ransomware/index.html">responsibility regarding international cyberattacks</a>, and the Biden administration has taken <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/">unprecedented steps to impose costs</a> on Russian cyber criminals and frustrate their efforts.</p>
<p>Upon taking office, Biden immediately faced difficult challenges from Russian intelligence operatives and criminals in headline-grabbing cyberattacks on private companies and critical infrastructure. As a <a href="https://scholar.google.com/citations?user=kmwlBpoAAAAJ&hl=en">scholar of Russian cyber operations</a>, I see that the administration has made significant progress in responding to Russian cyber aggression, but I also have clear expectations about what national cyber defense can and can’t do.</p>
<h2>Software supply chain compromise</h2>
<p>The <a href="https://theconversation.com/the-sunburst-hack-was-massive-and-devastating-5-observations-from-a-cybersecurity-expert-152444">SolarWinds hack</a> carried out in 2020 was a successful attack on the global <a href="https://www.hackread.com/understanding-software-supply-chain-how-to-secure-it/">software supply chain</a>. The hackers used the access they gained to thousands of computers to spy on nine U.S. federal agencies and about 100 private-sector companies. U.S. security agencies said that a sophisticated hacking group, “<a href="https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html">likely Russian in origin</a>,” was responsible for the intelligence-gathering effort.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/jxTxGlE9X5s?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The SolarWinds hack explained.</span></figcaption>
</figure>
<p>On Feb. 4, 2021, Biden addressed Putin in a statement delivered at the State Department. Biden said that the days of the U.S. rolling over in the face of Russian cyberattacks and interference in U.S. elections “<a href="https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/02/04/remarks-by-president-biden-on-americas-place-in-the-world/">are over</a>.” </p>
<p>Biden vowed to “<a href="https://thehill.com/policy/cybersecurity/537436-biden-says-administration-launching-urgent-initiative-to-improve-nations">not hesitate to raise the cost on Russia</a>.” The U.S. government had not previously issued indictments or imposed sanctions for <a href="https://www.wsj.com/articles/massive-hack-blamed-on-russia-tests-limits-of-u-s-response-11608309198">cyber espionage</a>, in part out of concerns that they could result in reciprocal actions by Moscow against NSA and CIA hackers. Nevertheless, the U.S. Treasury Department <a href="https://home.treasury.gov/news/press-releases/jy0127">issued sanctions</a> against the Russian Foreign Intelligence Service, the SVR, on April 15, 2021. </p>
<p>Biden also signed an <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">executive order</a> to modernize federal government cybersecurity. He directed agencies to deploy systems that detect cyber incursions, like the one that spotted <a href="https://www.paloaltonetworks.com/blog/2020/12/solarwinds-statement-solarstorm/">SolarWinds activity at Palo Alto Networks</a>. In parallel, his security agencies <a href="https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-189a">published tools and techniques</a> used by the SVR and ransomware gangs to help organizations defend against them. </p>
<p>Economic sanctions and technical barriers, however, did not slow SVR efforts to gather intelligence on U.S. foreign policy. In May 2021, Microsoft revealed that hackers associated with Russia <a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium">exploited the mass-mailing service Constant Contact</a>. By masquerading as the U.S. Agency for International Development, they sent <a href="https://www.cnn.com/2021/05/28/tech/microsoft-solarwinds-russia-hack-intl-hnk/index.html">authentic-looking emails</a> with links to more than 150 organizations, which, when clicked, inserted a malicious file that allowed computer access. </p>
<h2>Ransomware attacks</h2>
<p>Also in May, the shutdown of the Colonial Pipeline by a ransomware attack by the Russian cyber gang <a href="https://www.washingtonexaminer.com/news/darkside-the-hacking-group-behind-the-colonial-pipeline-hack">DarkSide</a> halted the flow of <a href="https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html">nearly half the gas and jet fuel</a> to the Eastern Seaboard. <a href="https://www.dw.com/en/us-states-declare-emergency-over-gas-shortage-fears-following-cyberattack/a-57501414">Panicked drivers</a> rushed to fill up tanks while <a href="https://www.wsj.com/articles/u-s-gas-prices-hit-3-a-gallon-as-shortage-sets-in-amid-colonial-pipeline-shutdown-11620832180">prices soared</a>. A month later, consumers scrambled to find <a href="https://www.wsj.com/articles/meatpacker-jbs-hit-by-cyberattack-affecting-north-american-australian-operations-11622548864">meat alternatives</a> after <a href="https://www.foxbusiness.com/markets/fbi-russia-linked-revil-responsible-jbs-cyberattack">REvil infected beef and pork processor JBS USA</a> with ransomware. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/Xes6ZgV1Iww?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Ransomware attacks explained.</span></figcaption>
</figure>
<p>Biden said Russia has “<a href="https://www.nbcnews.com/politics/white-house/biden-says-no-evidence-russian-government-was-involved-pipeline-hack-n1266866">some responsibility</a> to deal with this.” At a summit in Geneva in June, he handed Putin a list of <a href="https://www.nytimes.com/2021/07/07/us/politics/biden-ransomware-russia.html">off-limits critical infrastructure</a> that would merit a U.S. response if attacked. It is likely that Russian intelligence services and law enforcement have a <a href="https://www.recordedfuture.com/russian-state-connections-criminal-actors/">tacit understanding</a> with cybercriminals and can shut down their resources. </p>
<p>Though not counting on Putin to exert influence, the White House formed a <a href="https://www.politico.com/news/2021/07/14/white-house-ransomware-task-force-499723">ransomware task force</a> to go on the offense against the gangs. The first step was using a counterterrorism program to <a href="https://www.darkreading.com/attacks-breaches/state-dept-to-pay-up-to-$10m-for-information-on-foreign-cyberattacks/d/d-id/1341540">offer rewards</a> of up to US$10 million for information on hackers behind state-sanctioned breaches of critical infrastructure. </p>
<p>In close collaboration with international partners, the Justice Department announced <a href="https://www.wsj.com/articles/hackers-linked-to-ransomware-attacks-on-jbs-kaseya-arrested-in-romania-11636390527">the arrest</a> of a Ukrainian national in Poland, charged with the REvil ransomware attack against <a href="https://www.toolbox.com/it-security/threat-reports/news/is-revils-latest-exploit-against-kaseya-one-of-the-biggest-ransomware-attacks-ever/">Kaseya</a>, an information technology software supplier. The Justice Department also <a href="https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya">seized $6.1 million</a> in cryptocurrency from another REvil operator. Romanian authorities arrested two others involved in REvil attacks. </p>
<p>U.S. law enforcement seized $2.3 million <a href="https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside">paid in ransom</a> to DarkSide by Colonial Pipeline by using a private key to unlock bitcoin. And the Treasury Department <a href="https://home.treasury.gov/news/press-releases/jy0364">disrupted the virtual currency exchanges SUEX</a> <a href="https://home.treasury.gov/news/press-releases/jy0471">and Chatex</a> for laundering the proceeds of ransomware. Treasury Department sanctions blocked all of their property in the U.S. and prohibited U.S. citizens from conducting transactions with them.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a man with salt-and-pepper hair wearing a dark blue military uniform" src="https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Gen. Paul Nakasone, Director of the National Security Agency, testifying before the House Intelligence Committee on April 15, 2021.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/CongressWorldwideThreats/5c00ae96a70e486095feb844a4b10ec1/photo">Al Drago/Pool via AP</a></span>
</figcaption>
</figure>
<p>Additionally, the top U.S. cyberwarrior, Gen. Paul Nakasone, acknowledged for the first time in public that the U.S. military had taken <a href="https://www.cnet.com/tech/services-and-software/us-military-has-reportedly-acted-against-ransomware-groups/">offensive action</a> against ransomware groups. In October, U.S. Cyber Command <a href="https://www.washingtonpost.com/national-security/cyber-command-revil-ransomware/2021/11/03/528e03e6-3517-11ec-9bc4-86107e7b0ab1_story.html">blocked the REvil website</a> by redirecting traffic, which prevented the group from extorting victims. After REvil realized its server was compromised, it <a href="https://www.toolbox.com/it-security/cyber-risk-management/news/revil-ransomware-taken-down-again/">ceased operations</a>. </p>
<h2>Limits of US responses</h2>
<p>Russia <a href="https://www.wsj.com/articles/how-russias-info-warrior-hackers-let-kremlin-play-geopolitics-on-the-cheap-11609592401">conducts or condones cyberattacks</a> by state and criminal groups that take advantage of gaps in international law and avoid crossing national security lines. In October, the SVR stepped up attempts to <a href="https://www.wsj.com/articles/microsoft-solarwinds-hackers-continue-to-hit-technology-companies-11635145200">break into technology companies</a> to steal sensitive information. U.S. officials considered the operation to be <a href="https://www.nytimes.com/2021/10/25/us/politics/russia-cybersurveillance-biden.html">routine spying</a>. The reality that international law does not prohibit espionage per se prevents U.S. responses that could serve as strong deterrents. </p>
<p>Similarly, after cyber gang BlackMatter <a href="https://abcnews.go.com/Technology/wireStory/iowa-farm-cooperative-hit-ransomware-systems-offline-80136119">carried out a ransomware attack</a> on an Iowa farm cooperative in September, the gang <a href="https://arstechnica.com/information-technology/2021/09/5-9-million-ransomware-attack-on-farming-co-op-may-cause-food-shortage/">claimed that the cooperative did not count</a> as critical infrastructure. The gang’s claim refers to cyberattack targets that would prompt a national response from the U.S. government.</p>
<p>Despite this ambiguity, the administration has unleashed the military to frustrate the efforts of ransomware groups, while law enforcement agencies have gone after their leaders and their money, and organizations in the U.S. have shored up their information systems defenses.</p>
<p>Though government-controlled hackers might persist, and criminal groups might disappear, rebuild and rebrand, in my view the high costs imposed by the Biden administration could hinder their success. Nevertheless, it’s important to bear in mind that <a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">national cyber defense is an extremely challenging problem</a> and it’s unlikely that the U.S. will be able to eliminate the threat.</p>
<p class="fine-print"><em><span>Scott Jasper does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The US has made a dent in Russian cyber criminal gangs. But tensions with Russia and the shadowy nature of hacking keep the threat level high.
Scott Jasper, Senior Lecturer in National Security Affairs, Naval Postgraduate School
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/173896 2021-12-22T13:12:26Z 2021-12-22T13:12:26Z
What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what’s at stake
<figure><img src="https://images.theconversation.com/files/438734/original/file-20211221-50538-11x1tn8.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3796%2C2475&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A vulnerability in Log4j, a humble but widespread piece of software, has put millions of computers at risk.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/in-this-photo-illustration-apache-log4j-logo-of-a-java-news-photo/1237323278">SOPA Images/LightRocket via Getty Images</a></span></figcaption></figure>
<p>Log4Shell, an internet vulnerability that affects millions of computers, involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems. </p>
<p>Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell the <a href="https://www.cnbc.com/video/2021/12/16/cisa-director-says-the-log4j-security-flaw-is-the-most-serious-shes-seen-in-her-career.html">most serious vulnerability</a> she’s seen in her career. There have already been hundreds of thousands, perhaps millions, of <a href="https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/">attempts to exploit the vulnerability</a>.</p>
<p>So what is this humble piece of internet infrastructure, how can hackers exploit it and what kind of mayhem could ensue?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a woman with long dark hair wearing eyeglasses speaks into a microphone" src="https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=421&fit=crop&dpr=1 600w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=421&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=421&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=529&fit=crop&dpr=1 754w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=529&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=529&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Cybersecurity & Infrastructure Security Agency director Jen Easterly called Log4Shell ‘the most serious vulnerability I’ve seen.’</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/jen-easterly-nominee-to-be-the-director-of-the-homeland-news-photo/1322884747">Kevin Dietsch/Getty Images News</a></span>
</figcaption>
</figure>
<h2>What does Log4j do?</h2>
<p>Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It’s <a href="https://www.businessinsider.com/what-is-open-source-software?op=1">open-source software</a> provided by the <a href="https://apache.org/">Apache Software Foundation</a>.</p>
<p>A common example of Log4j at work is when you type in or click on a bad web link and get a 404 error message. The web server running the domain of the web link you tried to get to tells you that there’s no such webpage. It also records that event in a log for the server’s system administrators using Log4j. </p>
<p>Similar diagnostic messages are used throughout software applications. For example, in the online game Minecraft, Log4j is used by the server to log activity like total memory used and user commands typed into the console.</p>
<h2>How does Log4Shell work?</h2>
<p>Log4Shell works by abusing a feature in Log4j that allows users to specify custom code for formatting a log message. This feature allows Log4j to, for example, log not only the username associated with each attempt to log in to the server but also the person’s real name, if a separate server holds a directory linking user names and real names. To do so, the Log4j server has to communicate with the server holding the real names.</p>
<p>Unfortunately, this kind of code can be used for more than just formatting log messages. Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer. This opens the door for nefarious activities such as stealing sensitive information, taking control of the targeted system and slipping malicious content to other users communicating with the affected server. </p>
<p>It is relatively simple to exploit Log4Shell. I was able to reproduce the problem in my copy of <a href="https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-j3xg-fc2p-4jc4">Ghidra</a>, a reverse-engineering framework for security researchers, in just a couple of minutes. There is a very low bar for using this exploit, which means a wider range of people with malicious intent can use it. </p>
<h2>Log4j is everywhere</h2>
<p>One of the major concerns about Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most software, which makes <a href="https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html">Log4j very widespread</a>. In addition to popular games like Minecraft, it’s used in cloud services like Apple iCloud and Amazon Web Services, as well as a wide range of programs from <a href="https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)">software development tools</a> to <a href="https://github.com/NationalSecurityAgency/ghidra">security tools</a>. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/SpeDK1TPbew?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Open-source software like Log4j is used in so many products and tools that some organizations don’t even know which pieces of code are on their computers.</span></figcaption>
</figure>
<p>This means hackers have a large menu of targets to choose from: home users, service providers, source code developers and even security researchers. So while big companies like Amazon can quickly patch their web services to prevent hackers from exploiting them, there are many more organizations that will take longer to patch their systems, and some that might not even know they need to.</p>
<h2>The damage that can be done</h2>
<p>Hackers are scanning through the internet to find vulnerable servers and setting up machines that can deliver malicious payloads. To carry out an attack, they query services (for example, web servers) and try to trigger a log message (for example, a 404 error). The query includes maliciously crafted text, which Log4j processes as instructions. </p>
<p>These instructions can create a <a href="https://www.acunetix.com/blog/web-security-zone/what-is-reverse-shell/">reverse shell</a>, which allows the attacking server to remotely control the targeted server, or they can make the target server part of a <a href="https://www.howtogeek.com/183812/htg-explains-what-is-a-botnet/">botnet</a>. Botnets use multiple hijacked computers to carry out coordinated actions on behalf of the hackers.</p>
<p>A <a href="https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications">large number of hackers</a> are already trying to abuse Log4Shell. These range from <a href="https://www.crn.com/news/security/ransomware-gang-hijacking-log4j-bug-to-hit-minecraft-servers">ransomware gangs locking down Minecraft servers</a> to <a href="https://www.silentpush.com/blog/log4shell-a-threat-intelligence-perspective">hacker groups trying to mine bitcoin</a> and hackers associated with <a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/">China and North Korea</a> trying to gain access to sensitive information from their geopolitical rivals. The Belgian ministry of defense reported that its computers were being <a href="https://www.wsj.com/articles/hackers-exploit-log4j-flaw-at-belgian-defense-ministry-11640020439">attacked using Log4Shell</a>.</p>
<p>Although the vulnerability first came to widespread attention on Dec. 10, 2021, people are still identifying <a href="https://www.theregister.com/2021/12/17/cisa_issues_emergency_directive_to/">new ways</a> to cause harm through this mechanism.</p>
<h2>Stopping the bleeding</h2>
<p>It is hard to know whether Log4j is being used in any given software system because it is often <a href="https://deps.dev/maven/org.apache.logging.log4j%3Alog4j-core/2.16.0">bundled as part of other software</a>. This requires system administrators to inventory their software to identify its presence. If some people don’t even know they have a problem, it’s that much harder to eradicate the vulnerability.</p>
<p>Another consequence of Log4j’s diverse uses is there is no one-size-fits-all solution to patching it. Depending on how Log4j was incorporated in a given system, the fix will require different approaches. It could require a wholesale system update, as done for <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd#vp">some Cisco routers</a>, or updating to a new version of software, as done in <a href="https://www.minecraft.net/en-us/article/minecraft-java-edition-1-18-1">Minecraft</a>, or removing the vulnerable code manually for those who can’t update the software.</p>
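As an added example, not code from the article or from the Apache project, here is a small Python inventory scanner in the spirit of the two paragraphs above: it walks archives, including jars bundled inside wars and fat jars, reads the log4j-core version from the Maven metadata the jar carries, and reports whether the JNDI lookup class is still present, which is the manual removal the article mentions for systems that cannot be updated. The sample archives, the status labels and the 2.15.0 threshold (the first release fixing CVE-2021-44228) are this example's own assumptions.

```python
"""Inventory scan for bundled log4j-core, including jars nested inside
fat jars and wars (the "bundled as part of other software" case)."""
import io
import os
import re
import zipfile

# Marker class for the JNDI lookup feature; Apache's manual mitigation for
# installs that could not update was to delete this class from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships with, which carries its version.
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
NESTED_EXT = (".jar", ".war", ".ear", ".zip")
# First log4j 2.x release fixing CVE-2021-44228 (assumption: adjust this to
# current vendor advice, since follow-up fixes raised the bar afterwards).
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def classify(version, has_jndi):
    """Turn raw findings into the triage label an operator acts on."""
    if version is None:
        return "unknown-version" if has_jndi else "no-log4j-core"
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    return "vulnerable" if has_jndi else "mitigated-jndilookup-removed"


def scan_archive_bytes(data, label):
    """Return findings for one archive and, recursively, any archives it
    bundles. Each finding is (location, version, status)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive after all; skip quietly
    with zf:
        names = zf.namelist()
        version = None
        for name in names:
            if POM_PROPS_RE.search(name):
                text = zf.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append((label, version, classify(version, has_jndi)))
        for name in names:  # recurse into nested jars/wars/ears
            if name.lower().endswith(NESTED_EXT):
                findings.extend(scan_archive_bytes(zf.read(name), f"{label}!{name}"))
    return findings


def scan_directory(root):
    """Walk a filesystem tree and scan every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(NESTED_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive_bytes(fh.read(), path))
    return findings


def build_sample_archive(version, keep_jndi, nest_in_war):
    """Constructed sample: a fake log4j-core jar (placeholder bytes, no real
    bytecode), optionally bundled inside a war as an app server would see it."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n")
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    if not nest_in_war:
        return jar.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    samples = [
        ("app.war", build_sample_archive("2.14.1", True, True)),
        ("legacy.jar", build_sample_archive("2.14.1", False, False)),
        ("fixed.jar", build_sample_archive("2.17.1", True, False)),
    ]
    for label, data in samples:
        for loc, ver, status in scan_archive_bytes(data, label):
            print(f"{status:30} {ver or '?':8} {loc}")
```

Point scan_directory at an application server's deployment directory to get the same report for real archives.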
<p>Log4Shell is part of the software supply chain. Like physical objects people purchase, software travels through different organizations and software packages before it ends up in a final product. When something goes wrong, rather than going through a recall process, software is generally “<a href="https://www.techopedia.com/definition/24537/patch">patched</a>,” meaning fixed in place. </p>
<p>However, given that Log4j is <a href="https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/#affected-software">present in various ways in software products</a>, propagating a fix requires coordination from Log4j developers, developers of software that use Log4j, software distributors, system operators and users. Usually, this introduces a delay between the fix being available in Log4j code and people’s computers actually closing the door on the vulnerability. </p>
<p>Some estimates for time-to-repair in software generally range from <a href="https://www.rapid7.com/blog/post/2018/08/22/whats-going-on-in-production-application-security-2018/">weeks to months</a>. However, if past behavior is indicative of future performance, it is likely the Log4j vulnerability <a href="https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability/">will crop up for years to come</a>.</p>
<p>As a user, you are probably wondering what can you do about all this. Unfortunately, it is hard to know whether a software product you are using includes Log4j and whether it is using vulnerable versions of the software. However, you can help by heeding the common refrain from computer security experts: Make sure all of your software is up to date.</p>
<p class="fine-print"><em><span>Santiago Torres-Arias does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Log4Shell is the latest hacker exploit rocking the internet, and it’s arguably the worst yet. The vulnerability is in an obscure piece of software used on millions of computers.
Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, Purdue University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/170191 2021-10-24T12:25:34Z 2021-10-24T12:25:34Z
Cyberattacks to critical infrastructure threaten our safety and well-being
<figure><img src="https://images.theconversation.com/files/427826/original/file-20211021-15-y4vdon.jpg?ixlib=rb-1.1.0&rect=30%2C10%2C6679%2C3983&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Our critical infrastructures are growing increasingly complex as the number of devices and connections in these systems continues to grow.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>What would happen if you could no longer use the technological systems that you rely on every day? I’m not talking about your smart phone or laptop computer, but all those systems many of us often take for granted and don’t think about. </p>
<p>What if you could not turn on the lights or power your refrigerator? What if you could not get through to emergency services when you dial 911? What if you could not access your bank account, get safe drinking water or even flush your toilet? </p>
<p>According to Canada’s <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx">National Strategy for Critical Infrastructure</a>, critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of the public and the effective functioning of government.</p>
<p>Disruptions to these kinds of systems, especially those caused by cyberattacks, can have devastating consequences. That’s why these systems are called critical infrastructure.</p>
<h2>A string of attacks</h2>
<p>Over the past six months, the fragility of critical infrastructure has been given plenty of attention. This has been driven by a string of notable cyberattacks on several critical infrastructure sectors.</p>
<p>It was revealed that in late March 2021, CNA Financial Corp., one of the largest insurance companies in the United States was <a href="https://www.insurancebusinessmag.com/ca/news/cyber/cna-concludes-investigation-into-cyberattack-260688.aspx">victim to a ransomware attack</a>. As a result, the company faced disruptions of their systems and networks.</p>
<p>In May 2021, <a href="https://www.bbc.com/news/business-57050690">a ransomware attack on Colonial Pipeline halted plant operations for six days</a>. The attack led to a fuel crisis and increased prices in the eastern U.S.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/3YrerKldYPM?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">MSNBC looks at the cybersecurity concerns raised by the attack on Colonial Pipeline.</span></figcaption>
</figure>
<p>Weeks later, in June 2021, a <a href="https://www.vox.com/recode/2021/6/1/22463179/jbs-foods-ransomware-attack-meat-hackers">ransomware attack hit JBS USA Holdings, Inc.</a>, one of the world’s largest meat producers. This attack brought about supply chain turmoil in Canada, the U.S. and Australia.</p>
<p>Also in June 2021, the <a href="https://www.cnn.com/2021/06/02/business/steamship-authority-ransomware-attack/index.html">Martha’s Vineyard and Nantucket Steamship Authority was victim of a ransomware attack</a> that disrupted ferry services and caused service delays.</p>
<h2>Fragile infrastructures</h2>
<p>On Oct. 14, 2021, hot on the heels of cyberattacks targeting the financial, gas, food and transportation sectors, the U.S. Cybersecurity and Infrastructure Security Agency <a href="https://us-cert.cisa.gov/ncas/alerts/aa21-287a">released Alert AA21-287</a>.</p>
<p>The alert turns attention to the fragility of yet another critical infrastructure sector. It warns of “ongoing malicious cyberactivity” targeting water and wastewater facilities. These activities include exploits of internet-connected services and outdated operating systems and software, as well as <a href="https://cyber.gc.ca/en/glossary">spear phishing and ransomware attacks</a> – something we have seen a lot in recent cyberattacks.</p>
<p>According to the alert, these cyberthreats could impact the ability of water and wastewater facilities to “provide clean, potable water to, and effectively manage the wastewater of, their communities.”</p>
<h2>Vulnerability factors</h2>
<p>The need to combat cyberthreats to critical infrastructure is well recognized. However, today’s infrastructure is far from secure. This is due to many interrelated factors that together create a perfect storm of exposures.</p>
<p>First, many of our most critical systems are extremely complex. This complexity is rapidly increasing as the number of devices and connections in these systems continues to grow.</p>
<p>Second, many of these systems involve a mix of insecure, outdated legacy systems and new technologies. These new technologies promise features like advanced analytics and automation. However, they are sometimes connected and used in insecure ways that the original designers of the legacy systems could not have imagined.</p>
<p>Taken together, these factors mean that these systems are too complex to be completely understood by a person, a team of people or even a computer model. This makes it very difficult to identify weak spots that if exploited — accidentally or intentionally — could lead to system failures.</p>
<h2>Analyzing real-world complexities</h2>
<p>In the <a href="https://carleton.ca/cybersea/">Cyber Security Evaluation and Assurance (CyberSEA) Research Lab</a> at Carleton University, we are developing solutions to address the fragility of critical infrastructure. The goal is to improve security and resilience of these important systems.</p>
<p>The complexities of critical infrastructure can lead to unexpected or unplanned interactions among system components, known as <a href="https://doi.org/10.1109/TR.2017.2665164">implicit interactions</a>.</p>
<p>Exploitation of implicit interactions has the potential to impact the safety, security and reliability of a system and its operations. For example, implicit interactions can enable system components to interact in unintended — and often undesirable — ways. This leads to unpredictable system behaviours that can allow attackers to damage or disrupt the system and its operations.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A diagram of a complex system with many nodes" src="https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Infrastructure systems become increasingly complex as new connections and devices are added to critical infrastructure with updates in technologies.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>We recently conducted a cybersecurity analysis at CyberSEA on a real-world municipal wastewater treatment system, where we identified and measured characteristics of implicit interactions in the system. This was part of our <a href="https://ciri.illinois.edu/events/implicit-interactions-case-study">ongoing research</a>, conducted in partnership with the <a href="https://ciri.illinois.edu/">Critical Infrastructure Resilience Institute</a> at the University of Illinois at Urbana-Champaign.</p>
<p>Our analysis found a significant proportion of implicit interactions present in the system, and <a href="https://doi.org/10.1007/978-3-030-64330-0_3">approximately 28 per cent of these identified vulnerabilities showed signs of being ripe for attackers to exploit and cause damage or disruption in the system</a>.</p>
<h2>A glimmer of hope</h2>
<p>Our study showed that implicit interactions exist in real-world critical infrastructure systems. Feedback from the operators of the wastewater system in our case study stated that <a href="https://ciri.illinois.edu/newsNew-CIRI-tool-helps-critical-infrastructure-operators-identify-risks-from-implicit-interactions">our approaches and tools are useful for identifying potential security issues and informing mitigation efforts when designing critical systems</a>.</p>
<p>This may be a glimmer of hope in the fight against cyberthreats to critical infrastructure. Continued development of rigorous and practical approaches to address increasingly critical issues in designing, implementing, evaluating and assuring the safe, secure and reliable operation of these systems is needed. </p>
<p>A more robust infrastructure will lead to fewer threats to our security and access to services, ensuring our well-being and the effective functioning of our governments and society.</p>
<p class="fine-print"><em><span>Jason Jaskolka receives funding from the U.S. Department of Homeland Security Grant 2015-ST-061-CIRC01 and the Natural Sciences and Engineering Research Council of Canada (NSERC) grant RGPIN-2019-06306.</span></em></p>
<p>An increasing number of cyberattacks threaten critical infrastructures. These attacks exploit weaknesses in outdated and insecure systems.</p>
<p>Jason Jaskolka, Assistant Professor, Systems and Computer Engineering, Carleton University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Cybercriminals use pandemic to attack schools and colleges</h1>
<p>Published 2021-09-15.</p>
<figure><img src="https://images.theconversation.com/files/420885/original/file-20210913-23-tp5yu2.jpg?ixlib=rb-1.1.0&rect=10%2C21%2C7243%2C4709&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Vulnerable devices and systems are targets.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/illuminated-laptop-computer-in-the-dark-royalty-free-image/521369998?adppopup=true">EThamPhoto/Getty Images</a></span></figcaption></figure>
<p>Cyberattacks have hit schools and colleges harder than any other industry during the pandemic. In 2020, including the costs of downtime, repairs and lost opportunities, the average ransomware attack cost educational institutions <a href="https://edscoop.com/ransomware-education-institutions-sophos/">$2.73 million</a>. That is $300,000 more than the next-highest sector – distributors and transportation companies.</p>
<p>From Aug. 14 to Sept. 12, 2021, educational organizations were the target of over <a href="https://www.microsoft.com/en-us/wdsi/threats">5.8 million malware attacks</a>, or <a href="https://www.microsoft.com/en-us/wdsi/threats">63%</a> of all such attacks.</p>
<p>Ransomware attacks alone impacted <a href="https://blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-and-statistics-2020/">1,681 U.S. schools, colleges and universities</a> in 2020. Globally <a href="https://edscoop.com/ransomware-education-institutions-sophos/">44% of educational institutions were targeted</a> by such attacks.</p>
<p>I <a href="https://scholar.google.com/citations?user=g-jALEoAAAAJ&hl=en&oi=ao">study</a> <a href="https://www.springer.com/gp/book/9783642115219">cybercrime</a> and <a href="https://doi.org/10.1016/j.telpol.2017.09.003">cybersecurity</a>. In my <a href="https://utpdistribution.com/9781487523626/cybersecurity-management/">forthcoming book</a> – set to be published in November 2021 – I look at how the shift to remote learning during the pandemic has posed new cybersecurity challenges.</p>
<p>I see six important ways the pandemic has created new opportunities for cybercriminals to attack schools and colleges. </p>
<h2>1. Unsafe devices</h2>
<p>Devices that were loaned to students during the pandemic often lack <a href="https://www.riskbasedsecurity.com/2020/08/14/saved-by-the-bell-insecure-student-devices-must-be-addressed/">security updates</a>. This is a serious issue since in 2020 alone, <a href="https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report">1,268 vulnerabilities were discovered in Microsoft products</a>. One such vulnerability can enable hackers to <a href="https://www.healthcareitnews.com/news/report-windows-had-most-security-vulnerabilities-any-microsoft-product-last-year">gain higher-level privileges</a> on a system or network, which can be used to steal data and install malware. </p>
<p>As students, teachers and administrators return to school with devices that haven’t been patched in a while, a large number of vulnerable devices are likely to be reconnected to school networks.</p>
<h2>2. Distracted cybersecurity staff</h2>
<p>The shift to remote learning has also distracted the attention of limited cybersecurity staff from important security issues. In at least one case, persons responsible for cybersecurity were assigned to <a href="https://www.wsj.com/articles/hackers-smell-blood-as-schools-grapple-with-virtual-instruction-11603099802">investigate bad online behavior</a>, such as name-calling, that teachers and administrators handled before.</p>
<p>For most schools, cybersecurity has had to compete with other urgent issues created by the pandemic, such as <a href="https://dailyorange.com/2021/09/covid-19-mental-health-syracuse-city-school-district/">mental health</a>, <a href="https://thehill.com/policy/cybersecurity/568821-schools-colleges-brace-for-cyberattacks-as-students-return">vaccines and mask mandates</a>. </p>
<h2>3. Victims more likely to comply</h2>
<p>In 2020, 77 ransomware attacks on U.S. schools and colleges affected more than 1.3 million students and resulted in <a href="https://www.comparitech.com/blog/information-security/school-ransomware-attacks/#How_does_2020_compare_to_previous_years">531 days of downtime</a>. This downtime was <a href="https://www.comparitech.com/blog/information-security/school-ransomware-attacks/#How_does_2020_compare_to_previous_years">estimated to cost $6.6 billion</a> in economic terms.</p>
<p>The economic impact was based on an estimated <a href="https://www.fortherecordmag.com/archives/1117p24.shtml">average cost of $8,662 per minute</a>. Some cyberattacks during the pandemic <a href="https://thehill.com/policy/cybersecurity/553506-school-districts-struggle-to-defend-against-rising-ransomware-attacks">completely shut down major school districts</a> for many days.</p>
<p>At the same time, public schools faced <a href="https://www.nytimes.com/2020/11/19/nyregion/schools-closing.html">political and social pressure</a> to ensure students’ access to learning opportunities during the pandemic. The pressure to quickly restore networks can make victims <a href="https://buffalonews.com/news/local/experts-say-ransomware-attack-on-buffalo-public-schools-should-have-been-anticipated/article_60a77598-8446-11eb-8b6b-d3137700ab43.html">desperate and willing to comply with criminals’ demands</a>. For instance, the Judson Independent School District in Texas <a href="https://edscoop.com/texas-school-paid-547k-ransomware-jam/">paid $547,000</a> to ransomware attackers in the summer of 2021 in order to regain access to its systems and stop student and staff data from being published. In 2020, the Athens Independent School District in Texas paid a <a href="https://www.arnettechnologies.com/athens-school-district-paid-ransom/">$50,000 ransom</a>.</p>
<h2>4. Vulnerable platforms</h2>
<p>When the pandemic forced schools to use online platforms to conduct classes and evaluate students, it created new entry points for cybercriminals to target.</p>
<p>These platforms include video chat programs <a href="https://www.wired.com/story/schools-already-struggled-cybersecurity-then-came-covid-19/">such as Zoom and Microsoft Teams</a>, as well as providers of curricula, technology and services, <a href="https://www.stridelearning.com/learning-solutions/online-education-technology.html">such as K12, recently renamed as Stride</a>. They also include online proctoring services, such as <a href="https://theconversation.com/remote-education-is-rife-with-threats-to-student-privacy-148955">ProctorU and Proctorio</a>. </p>
<p>Collectively, such platforms were targeted in <a href="https://www.edtechdigest.com/2021/06/16/stopping-the-growing-k-12-cyberattack-threat/">three-quarters of the data breaches</a> in school districts that involved personal information.</p>
<p>In November 2020, online education vendor K12 reported that some students’ information on its system <a href="https://searchsecurity.techtarget.com/news/252492978/Online-education-vendor-K12-hit-with-ransomware-pays-ransom">could have been stolen</a> during a ransomware attack, even though the company paid the ransom. </p>
<p>Likewise, in July 2020, hackers stole sensitive personal information from <a href="https://www.bleepingcomputer.com/news/security/proctoru-confirms-data-breach-after-database-leaked-online/">444,000 students</a> – including their names, email addresses, home addresses, phone numbers and passwords – by hacking online proctoring service ProctorU. This data became available for sale in online hacker forums.</p>
<h2>5. More baiting opportunities</h2>
<p>Cybercriminals increasingly turned to <a href="https://utpdistribution.com/9781487523626/cybersecurity-management/">social engineering attacks</a> during the pandemic. These are attacks in which the cybercriminals use emotional appeals to things such as fear, pity or excitement to bait people into providing sensitive information. For example, cybercriminals have launched phishing campaigns in which they <a href="https://www.washingtonpost.com/technology/2021/08/24/covid-vaccine-proof-scam-email/">pose as human resources staff</a> and ask recipients to submit information about their COVID-19 vaccination status.</p>
<p>Victims may be lured to give their credentials, click malicious links or download files containing malware. Fear and uncertainty – such as that created by the pandemic – make <a href="https://dl.acm.org/doi/abs/10.1145/1231047.1231062?casa_token=Wwbjjxi9FRYAAAAA:8OQXT8-WFBSJTpKwL-5BZBCxwgpbEr-8arlklSDXv2Xp-ebKjkzBX53DI5mbSD0Oq-PHj6eRL1HLYA">individuals more susceptible to social engineering attacks</a>.</p>
<p>An analysis of 3.5 million social engineering attacks from June to September 2020 found that <a href="https://www.techrepublic.com/article/how-phishing-attacks-are-targeting-schools-and-colleges/">more than 1,000 schools and universities were targeted</a>. Educational institutions were also <a href="https://www.techrepublic.com/article/how-phishing-attacks-are-targeting-schools-and-colleges/">more than twice as likely as other institutions to be victimized by such attacks</a>.</p>
<p>Many of the emails have COVID in the subject line.</p>
<p>In May 2020, the Federal Trade Commission posted a <a href="https://www.consumer.ftc.gov/blog/2020/05/covid-19-scams-targeting-college-students">message on its website with a screenshot of a social engineering attack email</a>. The message warned college students that the emails about COVID-19 economic stimulus checks claiming to be from their universities’ “Financial Department” could be from scammers. </p>
<h2>6. COVID resources have created new targets</h2>
<p>Colleges have been designated to distribute COVID-19 relief funds – and criminals caught on to this. In May 2021, the U.S. Department of Education made more than <a href="https://www.ed.gov/news/press-releases/us-department-education-makes-available-36-billion-american-rescue-plan-funds-support-students-and-institutions">$36 billion in emergency grants</a> available for students and colleges under the American Rescue Plan Act.</p>
<p>In California, more than <a href="https://edsource.org/2021/covid-relief-to-california-community-college-students-depends-on-which-school-they-attend/659769">$1.6 billion in such grants</a> was available to community college students alone. This explains why, not long afterward, more than <a href="https://www.dailymail.co.uk/news/article-9955463/Over-65-000-fake-students-California-apply-financial-aid-bot-driven-community-college-scam.html">65,000 fake students</a> applied to California community colleges for such aid.</p>
<p>Most two-year institutions <a href="https://www.nytimes.com/2021/09/01/education/california-college-financial-aid-fraud.html">don’t have resources to vet applicants</a>. The lack of a requirement for identity verification and other documentation to get COVID-19 relief grants from community colleges also attracted attention from criminals overseas. Many of the fake student applications in the California community college system <a href="https://www.sacbee.com/article253899703.html">were from foreign countries</a>.</p>
<p>Officials have been <a href="https://californianewstimes.com/california-community-colleges-flag-broad-attempted-aid-scam/509375/">silent about whether these fake students got any money</a>.</p>
<p>The bottom line for schools and colleges is that as they continue to confront the challenges of the pandemic, cybersecurity cannot be placed on the back burner. Ignoring threats to cybersecurity now can be quite costly in the future.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>As schools and colleges confront the challenges of COVID-19, cybercriminals exploit weaknesses in the computer networks and online systems.</p>
<p>Nir Kshetri, Professor of Management, University of North Carolina – Greensboro. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Cyber-attacks: what is hybrid warfare and why is it such a threat?</h1>
<p>Published 2021-07-21.</p>
<figure><img src="https://images.theconversation.com/files/412106/original/file-20210720-27-1h86rnd.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3840%2C2160&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Novikov Aleksey via Shutterstock</span></span></figcaption></figure>
<p>Washington and Moscow are <a href="https://thehill.com/policy/cybersecurity/561781-new-cyberattacks-ramp-up-tensions-with-russia">engaged in a war of words</a> over a spate of ransomware attacks against organisations and businesses in the US and other countries. These increasingly sophisticated cyber-attacks represent a new type of warfare aimed at disorganising and even destroying a nation’s economy.</p>
<p>This has been called “<a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/647776/dar_mcdc_hybrid_warfare.pdf">hybrid warfare</a>”. It’s a mixture of conventional and unconventional methods used against a much stronger adversary that aims to achieve political objectives that would not be possible with traditional warfare. </p>
<p>The problem is often identifying the culprits. In <a href="https://www.dhs.gov/sites/default/files/publications/ia/ia_geopolitical-impact-cyber-threats-nation-state-actors.pdf">hybrid warfare</a> the state responsible for the actions will often use non-state actors, which allows it to deny responsibility. But over the past two decades, many cyber-attacks targeting western state institutions and businesses have been far more sophisticated than a couple of tech-savvy individuals operating as “lone wolves” and bear the hallmarks of actions taken with the support or approval of a hostile government. </p>
<p>The scale of <a href="https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents">cyber-attacks conducted at a military level</a> signals the involvement of state actors behind the scenes to organise or encourage these attacks. Russia <a href="https://www.rand.org/topics/cyber-warfare.html">has emerged</a> as one of the international actors that has developed a sophisticated cyberwarfare strategy.</p>
<p>So what do we know about the way Russia pursues hybrid warfare via cyber-attacks? Russia’s cyberwarfare doctrine, or “<em><a href="https://www.files.ethz.ch/isn/195405/fp_24.pdf">gibridnaya voyna</a></em>” (hybrid war), was shaped by political scientists such as Alexandr Dugin – a Russian philosopher dubbed “<a href="https://theconversation.com/alexander-dugin-eurasianism-and-the-american-election-87367">Putin’s Rasputin</a>” or “<a href="https://bigthink.com/paul-ratner/the-dangerous-philosopher-behind-putins-strategy-to-grow-russian-power-at-americas-expense">Putin’s brain</a>”. He is also a sociology professor at Moscow State University and was targeted by US sanctions following Russia’s takeover of Crimea in 2014. </p>
<p>Another key thinker in this area is <a href="https://aninjusticemag.com/the-panarin-nightmare-442cf75692e8?gi=f16b0339c5ce">Igor Panarin</a>, a senior adviser to Putin with a PhD in psychology. Senior military figures include Valery Gerasimov, chief of Russia’s general staff and the author of the “Gerasimov Doctrine”, which, <a href="https://carnegieendowment.org/2019/06/05/primakov-not-gerasimov-doctrine-in-action-pub-79254">according to the Carnegie Foundation</a>, is “a whole of government concept that fuses hard and soft power across many domains and transcends boundaries between peace- and wartime”. </p>
<p>Thinkers such as these have long advocated that Russia pursue its political objectives via information warfare rather than by military force. </p>
<h2>Sharing for security</h2>
<p>Cyberspace is often shown as having a physical layer (hardware), a logical layer (how and where the data is distributed and processed) and a human layer (users). Mostly it is managed by private organisations rather than state actors. So cyber-attacks are in a grey area when it comes to who should be responsible for prevention. There is also the question of who is mounting the attacks and whether they are criminal enterprises or backed by a state agency. </p>
<p>This confusion over who is responsible for protection plays into the hands of the Russian government. It can hurt its adversaries, no matter how large or strong, without having to wage a military campaign.</p>
<p>In recent years, cyber-attacks perpetrated by Russian crime groups have targeted <a href="https://www.nytimes.com/2021/05/28/us/politics/russia-hack-usaid.html">hospitals, energy grids and industrial facilities</a>. The Kremlin has described allegations of its involvement as <a href="https://news.sky.com/story/vladimir-putin-where-is-the-proof-russia-is-waging-a-cyber-war-against-the-united-states-12332296">“groundless”</a>. But even though there might not be a direct connection between the government and whoever is mounting the attacks, Russia <a href="https://www.wiley.com/en-us/Cybersecurity%3A+Politics%2C+Governance+and+Conflict+in+Cyberspace-p-9781509528097">knowingly allows</a> these groups to <a href="https://www.publicaffairsbooks.com/titles/john-p-carlin/dawn-of-the-code-war/9781541773813/">operate from its territory</a>. </p>
<p>Russia’s state agencies have <a href="https://www.reuters.com/technology/russian-security-chief-says-moscow-will-cooperate-with-us-against-hackers-report-2021-06-23/">offered their services</a> in tracking down these criminal groups. But this is a familiar pledge over the years and nothing has come of it – something that is thrown into sharp relief when compared with their enthusiasm to tackle activist groups operating domestically.</p>
<p>Many countries have intensified their efforts to develop strategies to counter cybercrime. These initiatives include <a href="https://ec.europa.eu/health/sites/default/files/preparedness_response/docs/2018_hybridthreatsexercise_en.pdf">hybrid warfare defence exercises</a> in 24 EU member states, wargaming an orchestrated cyber-attack against EU military and cybersecurity infrastructure. </p>
<p>The EU <a href="https://ec.europa.eu/commission/presscorner/detail/en/IP_19_2788">has also established</a> what it calls a “hybrid fusion cell” to provide strategic analysis to EU decision-makers in its bid to deter and respond to cyber-attacks. The group of analysts within the EU Intelligence and Situation Centre (<a href="https://www.statewatch.org/media/documents/analyses/no-223-eu-intcen.pdf">EU Intcen</a>) is analysing intelligence coming from the EU and various national institutions such as the GCHQ, MI5 and police intelligence agencies in the UK and providing a risk assessment for policymakers to shape their domestic policy. </p>
<p>Both <a href="https://www.consilium.europa.eu/en/press/press-releases/2021/05/17/cyber-attacks-council-prolongs-framework-for-sanctions-for-another-year/">the EU</a> and the <a href="https://home.treasury.gov/news/press-releases/jy0127">US</a> have imposed sanctions on Russian individuals and entities for their harmful activities targeting cyber infrastructure. But tackling such a threat from tightly disciplined and rigidly hierarchical state-sponsored groups is not easy. </p>
<p>As fast as western intelligence can develop new initiatives to tackle hybrid tactics, cybercriminals seem able to develop new means of attack. So an agile governance model is needed to use public and private resources efficiently against the threat from hybrid warfare.</p>
<p>The <a href="https://eucter.net/about/">EUCTER network</a>, led by the International Centre for Policing and Security at the University of South Wales with 13 partners across Europe and Israel is developing a range of innovative models that you can read about in detail on our website.</p>
<p>Hybrid warfare is a vast, complex and fast-moving threat, one that requires a proportionate response if nations are going to defend themselves against it.</p>
<p class="fine-print"><em><span>Ethem Ilbiz receives funding from European Union's Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement No. 886141.</span></em></p>
<p class="fine-print"><em><span>Christian Kaunert receives funding from the European Commission under the Jean Monnet Lifelong learning programme, as well as Marie Curie funding under the Horizon 2020 programme.</span></em></p>
<p>Hybrid warfare is becoming increasingly sophisticated. Governments and vulnerable organisations need to adapt quickly to respond to the threat.</p>
<p>Ethem Ilbiz, Marie Curie Senior Research Fellow in the International Centre for Policing and Security, University of South Wales; Christian Kaunert, Professor of Policing and Security, University of South Wales. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Calling out China for cyberattacks is risky — but a lawless digital world is even riskier</h1>
<p>Published 2021-07-20.</p>
<figure><img src="https://images.theconversation.com/files/412027/original/file-20210719-13-agmeql.jpg?ixlib=rb-1.1.0&rect=17%2C0%2C3817%2C2126&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">www.shutterstock.com</span></span></figcaption></figure>
<p>Today’s multi-country <a href="https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks">condemnation of cyber-attacks</a> by Chinese state-sponsored agencies was a sign of increasing frustration at recent behaviour. But it also masks the real problem — international law isn’t strong or coherent enough to deal with this growing threat.</p>
<p>The coordinated announcement by several countries, including the US, UK, Australia and New Zealand, echoes the most <a href="https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf">recent threat assessment</a> from the US intelligence community: cyber threats from nation states and their surrogates will remain acute for the foreseeable future.</p>
<p>Joining the chorus against China may be <a href="https://www.rnz.co.nz/news/national/447255/nz-in-position-of-vulnerability-over-china-hacking-accusations">diplomatically risky</a> for New Zealand and others, and China has already described the claims as “groundless and irresponsible”. But there is no doubt the problem is real.</p>
<p>The latest <a href="https://www.gcsb.govt.nz/assets/GCSB-Annual-Reports/2020-GCSB-Annual-Report.pdf">report</a> from New Zealand’s Government Communications Security Bureau (GCSB) recorded 353 cyber security incidents in the 12 months to the middle of 2020, compared with 339 incidents in the previous year.</p>
<p>Given the focus is on potentially high-impact events targeting organisations of national significance, this is likely only a small proportion of the total. But the GCSB estimated state-sponsored attacks accounted for up to 30% of incidents recorded in 2019-20.</p>
<p>Since that report, more serious incidents have occurred, including attacks on the <a href="https://www.bbc.com/news/53918580">stock-exchange</a> and <a href="https://www.stuff.co.nz/national/health/125235676/waikato-dhb-scrambles-to-contain-cyber-attack-safety-of-patient-data-unclear">Waikato hospital</a>. The attacks are becoming <a href="https://www.rnz.co.nz/national/programmes/checkpoint/audio/2018802677/gcsb-boss-warns-cyber-attacks-getting-more-sophisticated">more sophisticated</a> and inflicting greater damage.</p>
<p>Globally, there are warnings that a major cyberattack could be as deadly as a <a href="https://www.sciencealert.com/a-major-cyber-attack-could-be-just-as-damaging-as-a-nuclear-weapon">weapon of mass destruction</a>. The need to de-escalate is urgent.</p>
<h2>Global solutions missing</h2>
<p>New Zealand would be relatively well-prepared to cope with domestic incidents using <a href="https://www.legislation.govt.nz/act/public/1961/0043/latest/DLM330415.html?search=sw_096be8ed81a1107c_cyber_25_se&p=1">criminal</a>, <a href="https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html">privacy</a> and even <a href="https://www.legislation.govt.nz/act/public/2015/0063/latest/whole.html">harmful digital communications</a> laws. But most cybercrime originates overseas, and global solutions don’t really exist.</p>
<p>In theory, the attacks can be divided into two types — those by criminals and those by foreign governments. In reality, the line between the two is blurred.</p>
<p>Dealing with foreign criminals is slightly easier than combating attacks by other governments, and Prime Minister Jacinda Ardern has recognised the need for a <a href="https://www.stuff.co.nz/national/politics/125470096/prime-minister-jacinda-ardern-says-global-effort-needed-to-confront-cyber-attacks">global effort</a> to fight this kind of cybercrime.</p>
<p>To that end, the government recently announced <a href="https://www.beehive.govt.nz/release/new-zealand-join-council-europe-convention-cybercrime">New Zealand was joining</a> the <a href="https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680081561">Council of Europe’s Convention on Cybercrime</a>, a global regime signed by <a href="https://www.coe.int/en/web/cybercrime/parties-observers">66 countries</a> based on shared basic legal standards, mutual assistance and extradition rules.</p>
<p>Unfortunately, some of the countries most often suspected of allowing international cybercrime to be committed from within their borders have not signed, meaning they are not bound by its obligations.</p>
<p>That includes Russia, China and North Korea. Along with several other countries <a href="https://www.hrw.org/news/2021/01/19/proposed-un-cybercrime-treaty-could-undermine-human-rights">not known for their tolerance</a> of an <a href="https://www.cfr.org/blog/new-un-cybercrime-treaty-way-forward-supporters-open-free-and-secure-internet">open, free and secure</a> internet, they are trying to create an alternative international cybercrime regime, now entering a <a href="https://www.un.org/press/en/2021/ga12328.doc.htm">drafting process through the United Nations</a>.</p>
<h2>Cyberattacks as acts of war</h2>
<p>Dealing with attacks by other governments (as opposed to criminals) is even harder.</p>
<p>Only broad principles exist, including that countries <a href="https://legal.un.org/repertory/art2/english/rep_supp7_vol1_art2_4.pdf">refrain from the threat or use of force</a> against the territorial integrity or political independence of any state, and that they should <a href="https://www.un.org/ruleoflaw/files/3dda1f104.pdf">behave in a friendly</a> way towards one another. If one is attacked, it has an inherent <a href="https://www.un.org/en/about-us/un-charter/full-text">right of self-defence</a>.</p>
<p>Malicious state-sponsored cyber activity involving espionage, ransoms or breaches of privacy might qualify as unfriendly and in bad faith, but it does not amount to an act of war.</p>
<p>However, cyberattacks directed by other governments could amount to acts of war if they cause death, serious injury or significant damage to the targeted state. Cyberattacks that meddle in foreign elections may, depending on their impact, dangerously undermine peace.</p>
<p>And yet, despite these extreme risks, there is no international convention governing state-based cyberattacks in the ways the <a href="https://www.icrc.org/en/doc/war-and-law/treaties-customary-law/geneva-conventions/overview-geneva-conventions.html">Geneva Conventions</a> cover the rules of warfare or <a href="https://www.armscontrol.org/treaties">arms control conventions</a> limit weapons of mass destruction.</p>
<figure class="align-center ">
<img alt="Vladimir Putin shaking hands with Joe Biden" src="https://images.theconversation.com/files/412034/original/file-20210720-21-13uy45q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/412034/original/file-20210720-21-13uy45q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/412034/original/file-20210720-21-13uy45q.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/412034/original/file-20210720-21-13uy45q.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/412034/original/file-20210720-21-13uy45q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/412034/original/file-20210720-21-13uy45q.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/412034/original/file-20210720-21-13uy45q.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Drawing a red line on cybercrime: US President Joe Biden meets Russian President Vladimir Putin in Geneva in June.</span>
<span class="attribution"><span class="source">GettyImages</span></span>
</figcaption>
</figure>
<h2>Risks of retaliation</h2>
<p>The latest condemnation of Chinese-linked cyberattacks notwithstanding, the problem is not going away.</p>
<p>At their recent meeting in Geneva, US President Joe Biden told his Russian counterpart, Vladimir Putin, the US would <a href="https://www.theguardian.com/us-news/2021/jun/16/biden-to-meet-putin-at-highly-anticipated-summit-in-geneva">retaliate</a> against any attacks on its <a href="https://www.cisa.gov/critical-infrastructure-sectors">critical infrastructure</a>. A new US agency aimed at countering ransomware attacks would respond in “<a href="https://thehill.com/policy/cybersecurity/563121-biden-administration-stepping-up-efforts-to-respond-to-ransomware">unseen and seen ways</a>”, according to the administration.</p>
<p>Such responses would be legal under international law if there were no alternative means of resolution or reparation, and could be argued to be necessary and proportionate.</p>
<p>Also, the response can be unilateral or collective, meaning the US might call on its friends and allies to help. New Zealand has said it is <a href="https://dpmc.govt.nz/publications/application-international-law-state-activity-cyberspace">open to the proposition</a> that victim states can, in limited circumstances, request assistance from other states to apply proportionate countermeasures against someone acting in breach of international law.</p>
<h2>A drift towards lawlessness</h2>
<p>But only a month after Biden drew his red line with Putin, <a href="https://edition.cnn.com/2021/07/02/tech/ransomware-cybersecurity-attack-kaseya/index.html">another massive ransomware attack</a> crippled hundreds of service providers across <a href="https://www.nzherald.co.nz/world/scale-details-of-massive-kaseya-ransomware-attack-emerge/KWI34JA7GV6U3VHU4X66ZCXT6M/">17 countries</a>, including New Zealand <a href="https://www.rnz.co.nz/news/national/446225/kaseya-ransomware-attack-hits-new-zealand-kindergartens">schools and kindergartens</a>.</p>
<p>The Russian-affiliated ransomware group REvil that was probably behind the attacks mysteriously <a href="https://edition.cnn.com/2021/07/13/tech/revil-ransomware-disappears/index.html">disappeared</a> from the internet a few weeks later.</p>
<p>Things are moving fast and none of it is very reassuring. In an interconnected world facing a growing threat from cyberattacks, we appear to be drifting away from order, stability and safety and towards the darkness of increasing lawlessness. </p>
<p>The coordinated condemnation of China by New Zealand and others has considerably upped the ante. All parties should now be seeking a rules-based international solution or the risk will only grow.</p>
<p class="fine-print"><em><span>Alexander Gillespie does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="fine-print">With little international law governing state-sponsored cybercrime, the risk of retaliation and even war is growing.</p>
<p class="fine-print">Alexander Gillespie, Professor of Law, University of Waikato. Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>Improving cybersecurity means understanding how cyberattacks affect both governments and civilians</h2>
<p class="fine-print">Published 2021-07-19T14:33:16Z.</p>
<figure><img src="https://images.theconversation.com/files/409810/original/file-20210706-13-1qz219h.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5800%2C3400&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cybersecurity is a growing global threat.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>For nearly two years, <a href="https://www.un.org/disarmament/open-ended-working-group/">68 United Nations member states</a> — along with private enterprises, non-governmental organizations, technical communities and academics — participated in an open-ended working group on developments in information and telecommunications in international security (Cyber OEWG). The working group deliberated on responsible state behaviour in cyberspace.</p>
<p>In March 2021, the working group produced a <a href="https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf">final report</a>. The report comes at a critical time in light of the high-profile cyberattacks on <a href="https://theconversation.com/the-solarwinds-hack-was-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-and-what-can-be-done-about-it-153084">SolarWinds</a> and <a href="https://theconversation.com/security-flaws-in-microsoft-email-software-raise-questions-over-australias-cybersecurity-approach-156864">Microsoft Exchange Server</a>, as well as ransomware attacks on critical civilian infrastructures and <a href="https://www.wsj.com/articles/cyberattacks-cost-hospitals-millions-during-covid-19-11614346713">essential public services</a>.</p>
<h2>Multi-stakeholder inclusion</h2>
<p>The Cyber OEWG was established in 2018. It was tasked to <a href="https://undocs.org/A/RES/73/27">continue cybersecurity negotiations in a more democratic, inclusive and transparent way</a>. The process is <a href="https://dig.watch/processes/un-gge">open to all interested member states</a>. </p>
<p>The Cyber OEWG publicly consults with non-state organizations over concerns about new threats posed by communications technologies. These include online interference in electoral processes, cyberattacks on supply chains and infrastructure and ransom attacks on medical facilities. </p>
<p>Civil society organizations have raised concerns with Cyber OEWG about <a href="https://front.un-arm.org/wp-content/uploads/2020/10/joint-civil-society-groups-feedback-on-oewg-norms-proposals.pdf">the potential humanitarian consequences of malicious activities related to information and communications technologies (ICT)</a>. They call for the societal impacts of cyber threats to be considered, rather than merely the economic and political impacts.</p>
<h2>Impacts of malicious cyber activities</h2>
<p>Increasingly, rampant cyberattacks target critical civilian infrastructures, including <a href="https://theconversation.com/australian-hospitals-are-under-constant-cyber-attack-the-consequences-could-be-deadly-150164">health facilities</a>, <a href="https://theconversation.com/colonial-pipeline-forked-over-4-4m-to-end-cyberattack-but-is-paying-a-ransom-ever-the-ethical-thing-to-do-161383">pipelines</a>, <a href="https://edition.cnn.com/2021/02/13/us/florida-hack-remote-access/index.html">water plants</a> and <a href="https://theconversation.com/the-increase-in-ransomware-attacks-during-the-covid-19-pandemic-may-lead-to-a-new-internet-162490">food supply chains</a>. Attacks on <a href="https://www.cbc.ca/news/world/cyberattack-ransomware-kaseya-1.6089578">technology firms</a> have also become commonplace.</p>
<p>These cyber incidents have impacted <a href="https://www.businessinsider.com/microsoft-exchange-hack-us-organizations-krebs-thousands-2021-3">organizations of all sizes</a>, including those with less awareness and capacity to defend themselves, such as <a href="https://www.accessnow.org/who-is-shutting-down-the-internet-in-2021/">civil society organizations</a> and <a href="https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf">small businesses</a>. Civilians may also be affected through ensuing <a href="https://www.bloomberg.com/news/articles/2021-03-07/hackers-breach-thousands-of-microsoft-customers-around-the-world">personal data breaches</a> and <a href="https://www.washingtonpost.com/technology/2021/07/08/ransomware-human-impact/">disrupted public services</a>.</p>
<p>Harm to individuals resulting from a data breach can be <a href="https://www.theguardian.com/world/2015/aug/24/toronto-suicides-ashley-madison-hack">physical</a>, <a href="https://www.cnbc.com/2018/12/06/this-map-shows-where-in-the-us-cyber-crime-costs-people-the-most.html">financial</a>, <a href="https://www.bbc.com/news/technology-54692120">emotional</a> or reputational. Disrupted public services have also resulted in death by <a href="https://www.wired.co.uk/article/ransomware-hospital-death-germany">delaying treatment</a>.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/nhzAlPotXB8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">In Dec. 2019, millions of Canadians had their personal information breached after an attack on LifeLabs.</span></figcaption>
</figure>
<h2>Centering civilian security</h2>
<p>People experience cyber threats, incidents and harms <a href="https://citizenlab.ca/2020/08/threats-facing-women-activists-in-colombia-and-costa-rica/">differently</a> depending on their gender identity, ethnicity, race and other social and cultural hierarchies. Those who are in vulnerable and marginalized positions may be <a href="https://www.accessnow.org/who-is-shutting-down-the-internet-in-2021/">disproportionately harmed</a> by cyberattacks. </p>
<p>Organizations such as <a href="https://unidir.org/publication/gender-approaches-cybersecurity">the UN Institute for Disarmament Research</a> and <a href="https://www.apc.org/en/pubs/why-gender-matters-international-cyber-security">the Association for Progressive Communications</a> examine these uneven aspects of cybersecurity. Addressing these inequalities requires human-centric and inclusive approaches to cybersecurity.</p>
<p>A <a href="https://doi.org/10.1017/S0892679418000618">human-centric approach</a> to cyber-security prioritizes people when assessing cybersecurity threats, incidents, technologies and practices. It recognizes that people’s intersecting identities shape their cybersecurity needs and experience of cyber incidents. Consequently, cybersecurity measures and instruments should be designed to address structural inequalities which lead to insecurity.</p>
<p>Data on people’s participation in cybersecurity fields and on victims of cyber incidents need to be collected and disaggregated by socio-economic factors. Efforts to increase the participation of underrepresented and minority groups in the cybersecurity workforce should go beyond providing access to education and skills development. Further, cybersecurity skills-building should be tailored to the specific needs and capabilities of targeted population groups, including people with disabilities, the elderly and children.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/A3DDrrbMGBQ?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The UN warns that civilians must also remain vigilant in dealing with cybersecurity.</span></figcaption>
</figure>
<h2>Building a cyber-resilient society</h2>
<p>The exploitation of vulnerabilities in ICT systems and the weakening of encryption standards can undermine trust and confidence in cyberspace overall. When any one sector or state is more secure, we all reap the benefits. On the other hand, enabling <a href="https://theconversation.com/insecure-by-design-lessons-from-the-meltdown-and-spectre-debacle-90629">insecurity by design</a> and <a href="https://www.washingtonpost.com/national-security/russia-us-un-cyber-norms/2021/06/12/9b608cd4-866b-11eb-bfdf-4d36dab83a6d_story.html">malicious ICT acts</a> degrade the security of the entire cyber ecosystem.</p>
<p>Threats to cybersecurity can emanate from any sector within society, due to human error, natural disaster, technical issues or cyberattacks. The effect can cascade across sectors and levels in unanticipated ways — as demonstrated in the cyberattacks targeted at <a href="https://theconversation.com/security-flaws-in-microsoft-email-software-raise-questions-over-australias-cybersecurity-approach-156864">giant tech firms</a>. </p>
<p>To address the origins and systemic effect of cybersecurity threats, we need to build societal cyber resilience. This would require equal distribution of the resources needed to build cyber capacity and the broad participation of all affected stakeholders — governmental, private sector and civil society — to shape cybersecurity research, policy and practice.</p>
<p>While <a href="https://www.cfr.org/blog/eliminating-blind-spot-effect-cyber-conflict-civil-society">facing the same persistent cyber threats</a> experienced by states and private entities, civil society organizations are equipped with far fewer resources to defend themselves. Addressing such cross-sectoral cybersecurity resource inequalities could be done by establishing cyber-incident response teams that cater to the needs of all affected stakeholders, not just firms operating critical infrastructures.</p>
<p>Cybersecurity funding for <a href="https://cltc.berkeley.edu/wp-content/uploads/2018/07/CLTC_Defending_Politically_Vulnerable_Organizations_Online.pdf">financially constrained</a> sectors, such as civil society organizations and small businesses, is also needed. It is crucial to provide cyber skills building programs for employees in these organizations, including awareness of cyber threats, the importance of cyber hygiene habits and how to respond to cyber incidents.</p>
<p>Good practices at the national level include <a href="https://collections.unu.edu/view/UNU:7760">formalizing civil society organizations’ participation</a> in shaping cybersecurity-related legislation and policies. This would include developing measures to deter cyberattacks, designing cyber capacity building programs and sharing information about cyber threats. </p>
<p>States have started to embrace this inclusive approach to cybersecurity. Several Asia-Pacific countries, including Australia, the Philippines and Sri Lanka, <a href="https://collections.unu.edu/view/UNU:7760">have established national cyber incident response teams that accept reporting from civilians</a>. </p>
<p>Recently, Canada, Australia, New Zealand, the United Kingdom and the United States — <a href="https://www.publicsafety.gc.ca/cnt/ntnl-scrt/fv-cntry-mnstrl-en.aspx">an intelligence alliance known as the Five Eyes</a> — <a href="https://www.beehive.govt.nz/sites/default/files/2021-04/Five%20Country%20Ministerial%20Statement%20Regarding%20the%20Threat%20of%20Ransomware.pdf">committed to developing a collective response against the threat of ransomware</a>.</p>
<p>The UN is making incremental progress towards multi-stakeholder inclusion and prioritizing civilian security in cybersecurity negotiations. However, much work still needs to be done to follow up on the Cyber OEWG’s proposed actions. Future cybersecurity discussions must establish an accountability mechanism for states’ cyber operations and resolve how international law applies to cyberspace.</p>
<p class="fine-print"><em><span>Debora Irene Christine is a researcher for the Smart Citizens Cyber Resilience project at the United Nations University Institute in Macau funded by the Science and Technology Development Fund of Macau (FDCT).</span></em></p>
<p class="fine-print">A UN working group on cybersecurity is making incremental progress in highlighting the importance of including and protecting civilians.</p>
<p class="fine-print">Debora Irene Christine, Researcher, United Nations University Institute in Macau (UNU-CS), United Nations University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>Is Australia a sitting duck for ransomware attacks? Yes, and the danger has been growing for 30 years</h2>
<p class="fine-print">Published 2021-07-13T20:10:05Z.</p>
<figure><img src="https://images.theconversation.com/files/410991/original/file-20210713-19-1st57cj.jpg?ixlib=rb-1.1.0&rect=3%2C499%2C2261%2C1619&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Massimo Botturi/Unsplash</span>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>Australian organisations are a soft target for ransomware attacks, say experts who yesterday <a href="https://www.abc.net.au/news/2021-07-13/ransomeware-report-cyber-security-hacking-jbs-nine/100287278">issued a fresh warning</a> that the government needs to do more to stop agencies and businesses falling prey to cyber-crime. But in truth, the danger has been growing worldwide for more than three decades.</p>
<p>Despite being a relatively new concept to the public, ransomware has roots in the late 1980s and has evolved significantly over the past decade, reaping billions of dollars in ill-gotten gains.</p>
<p>With names like Bad Rabbit, Chimera and GoldenEye, ransomware has established a mythical quality with an allure of mystery and fascination. Unless, of course, you are the target. </p>
<p>Victims have few options available to them; refusing to pay the ransom depends on having good enough backup practices to recover the corrupted or stolen data.</p>
<p>According to a <a href="https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate">study by security company Coveware</a>, 51% of businesses surveyed were hit with some type of ransomware in 2020. More concerningly still, typical ransom demands are climbing dramatically, from an average of US$6,000 in 2018, to US$84,000 in 2019, and a staggering US$178,000 in 2020.</p>
<h2>A brief history of ransomware</h2>
<p>The first known example of ransomware dates back to 1988-89. Joseph Popp, a biologist, distributed floppy disks containing a survey (the “AIDS Information Introductory Diskette”) to determine AIDS infection risks. Some 20,000 of them were reportedly distributed at a World Health Organization conference and via postal mailing lists. Unbeknown to those receiving them, the disks contained a virus of their own. The <a href="https://www.sdxcentral.com/security/definitions/case-study-aids-trojan-ransomware/">AIDS Trojan</a> lay dormant on systems before locking users’ files and demanding a “licence fee” to restore access.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=285&fit=crop&dpr=1 600w, https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=285&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=285&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=358&fit=crop&dpr=1 754w, https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=358&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/404787/original/file-20210607-28232-1yroxrh.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=358&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The 1989 AIDS Trojan (PC Cyborg) ransom demand.</span>
<span class="attribution"><span class="source">Joseph L. Popp, AIDS Information Trojan author, Public domain, via Wikimedia Commons</span></span>
</figcaption>
</figure>
<p>Although the malware was <a href="https://www.virusbulletin.com/uploads/pdf/magazine/1990/199001.pdf">inelegant and easily undone</a>, it drew media attention at the time as a new type of cyber threat. The demand for payment (by cheque to a PO box in Panama) was primitive by comparison with modern approaches, which call for funds to be transferred electronically, often in cryptocurrencies.</p>
<p>It was well over a decade before ransomware truly began to proliferate. In the mid-2000s, stronger encryption allowed for more effective ransom campaigns with the use of asymmetric cryptography (in which two keys are used: one to encrypt, and a second, kept secret by the criminals, to decrypt), which meant even skilled systems administrators could no longer extract the keys from the malware.</p>
<p>In 2013, CryptoLocker malware rose to global dominance, partly supported by the <a href="https://www.knowbe4.com/gameover-zeus">GameOver Zeus botnet</a>. CryptoLocker encrypted users’ files, sending the unlock key to a server controlled by the criminals with a three-day deadline before the key was destroyed. The network was shut down in 2014, thanks to a major global law enforcement effort called <a href="https://www.fireeye.com/blog/threat-research/2014/07/operation-tovar-the-latest-attempt-to-eliminate-key-botnets.html">Operation Tovar</a>. It is estimated to have impacted more than <a href="https://www.zdnet.com/article/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin/">250,000 victims and potentially garnered 42,000 Bitcoin</a>, worth around US$2 billion at today’s valuation.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=467&fit=crop&dpr=1 600w, https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=467&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=467&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=587&fit=crop&dpr=1 754w, https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=587&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/404789/original/file-20210607-28202-1pf32vl.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=587&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">CryptoLocker ransom demand.</span>
<span class="attribution"><span class="source">Nikolai Grigorik, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons</span></span>
</figcaption>
</figure>
<p>In 2016 there were several high-profile incidents involving the Petya ransomware, which prevented users from accessing their hard drives. It was one of the first significant examples of <a href="https://www.upguard.com/blog/what-is-ransomware-as-a-service">Ransomware as a Service</a>, whereby criminal gangs “sell” their ransomware tools as a managed service.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=354&fit=crop&dpr=1 600w, https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=354&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=354&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=445&fit=crop&dpr=1 754w, https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=445&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/404790/original/file-20210607-50508-zhyfzk.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=445&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Petya ransom demand.</span>
<span class="attribution"><span class="source">Unknown criminal. Notify the authorities, in case of discovery. Public domain, via Wikimedia Commons</span></span>
</figcaption>
</figure>
<p>The following year saw arguably the most notorious ransomware attack of all time: the WannaCry attack. It struck hundreds of thousands of computers, including an estimated 70,000 systems at the <a href="https://www.cbsnews.com/news/hospitals-across-britain-hit-by-ransomware-cyberattack/">UK National Health Service</a>. The global impact of WannaCry has been <a href="https://www.kaspersky.com.au/resource-center/threats/ransomware-wannacry">estimated at up to US$4 billion</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=453&fit=crop&dpr=1 600w, https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=453&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=453&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=569&fit=crop&dpr=1 754w, https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=569&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/404792/original/file-20210607-21-phl39a.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=569&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">WannaCry ransom demand with integrated multi-language support.</span>
<span class="attribution"><span class="source">Screenshot of a WannaCry ransomware attack on Windows 8. Public domain, via Wikimedia Commons</span></span>
</figcaption>
</figure>
<p>More recent still was <a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/">Ryuk</a>, first seen in 2018, which targeted local councils and national government agencies. Cyber-criminals have also gone after specific private companies, including the largest pipeline system for refined fuels in the United States, <a href="https://www.abc.net.au/news/2021-05-20/colonial-pipeline-ceo-confirms-company-paid-ransom-darkside/100151094">Colonial Pipeline</a>, the multinational meat processor <a href="https://www.bbc.com/news/world-us-canada-57318965">JBS Foods</a>, and Australia’s <a href="https://www.cybersecurity-insiders.com/australia-channel-9-tv-ransomware-cyber-attack/">Channel Nine network</a>.</p>
<h2>Is all ransomware the same?</h2>
<p>There are hundreds of types of ransomware, but they fit into a few broad categories:</p>
<p><strong>Crypto ransomware</strong></p>
<p>In modern crypto ransomware attacks, the malware encrypts the victim’s files (“locking” them so they are unreadable). Typically each file is encrypted with a freshly generated key, and that key is in turn encrypted with a public key belonging to the cyber-criminals, so only the matching private key, held on a server they control, can unlock anything. Breaking the encryption is not a realistic option; the victim either restores from backup or buys the key. Early variants were cruder and simply required the victim to buy software to unlock the files.</p>
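<p>Because the encryption itself cannot be undone, defenders concentrate on catching the encryption as it happens. Below is an added example, not code from the article, of the behavioural check an endpoint sensor can run: it assumes a sensor that reports, per process, the files written and a sample of the bytes written (the event format, thresholds, extension list, canary folder and sample events are all assumptions for the demonstration). Ciphertext has near-maximal byte entropy, so a single process rewriting many documents with high-entropy content under a new extension, or touching a decoy file nobody should write to, is the crypto-ransomware pattern; a backup tool writing one compressed archive shares only one of those signals and is left alone.</p>

```python
"""Behavioural detection of crypto-ransomware from file-write telemetry.

Added example; not code from the article. Assumes a sensor (EDR agent,
auditd rules or a file-system minifilter) that reports, per process, which
files were written and a sample of the bytes. Thresholds, extension list,
canary folder and sample events are assumptions for this demonstration.
"""
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass

# Assumed tuning values; a real deployment learns these per environment.
ENTROPY_THRESHOLD = 7.5   # bits/byte: ciphertext sits near 8.0, English text near 4.5
MIN_FILES = 5             # files one process must rewrite before it counts as "bulk"
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry"}   # assumed sample
CANARY_DIR = "/home/alice/Documents/.canary"   # assumed decoy folder nobody should write to


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0, over the supplied sample."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class WriteEvent:
    pid: int
    process: str
    path: str
    sample: bytes   # first bytes written; a 4 KiB head is enough in practice


def assess(events):
    """Return {pid: verdict}. A process is flagged when it rewrites many files
    with ciphertext-like content under a ransomware-style extension, or when it
    touches the canary folder. Signals are combined on purpose: a backup tool
    also writes high-entropy archives, but it does not rename every document."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        high_entropy = sum(1 for e in evs if shannon_entropy(e.sample) >= ENTROPY_THRESHOLD)
        ransom_ext = sum(1 for e in evs
                         if os.path.splitext(e.path)[1].lower() in RANSOM_EXTENSIONS)
        canary_hit = any(os.path.dirname(e.path) == CANARY_DIR for e in evs)
        bulk_encrypt = (len(evs) >= MIN_FILES and high_entropy >= MIN_FILES
                        and ransom_ext >= MIN_FILES)
        verdicts[pid] = {
            "process": evs[0].process,
            "files": len(evs),
            "high_entropy": high_entropy,
            "ransom_ext": ransom_ext,
            "canary_hit": canary_hit,
            "suspicious": bulk_encrypt or canary_hit,
        }
    return verdicts


def pseudo_ciphertext(n: int, seed: int = 0) -> bytes:
    """Deterministic random-looking bytes standing in for encrypted output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample telemetry; not real data.
TEXT = b"Quarterly report: revenue rose 4% on the back of new contracts.\n" * 64
SAMPLE_EVENTS = [
    # A word processor saving one document: few files, low entropy.
    WriteEvent(1001, "winword.exe", "/home/alice/Documents/report.docx", TEXT),
    # A backup tool writing one compressed archive: high entropy, but a single
    # file with a normal extension, so it must not be flagged.
    WriteEvent(2002, "restic", "/home/alice/backup/2021-06-07.tar.gz", pseudo_ciphertext(4096, 99)),
    # An unknown process writing into the decoy folder: flagged on its own.
    WriteEvent(5555, "svchost.exe", f"{CANARY_DIR}/budget.xlsx.locked", pseudo_ciphertext(4096, 5)),
] + [
    # One process rewriting every document with ciphertext and a new extension.
    WriteEvent(4242, "updater.exe", f"/home/alice/Documents/file{i}.docx.locked",
               pseudo_ciphertext(4096, i))
    for i in range(12)
]


if __name__ == "__main__":
    for pid, verdict in assess(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

<p>The entropy threshold alone would flag every compression tool and every browser download cache, which is why the rule also requires a rename to a ransom-style extension across many files; the canary folder catches strains that keep the original file names.</p>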
<p><strong>Locker ransomware</strong></p>
<p>Locker ransomware instead targets the user’s entire operating system (such as Windows, macOS or Android), blocking use of the device rather than encrypting its contents. Examples include preventing the computer from booting, or forcing a ransom demand window to stay in the foreground and blocking interaction with other applications.</p>
<p>Because the files themselves are untouched, the data can usually be recovered by booting from other media or attaching the disk to a clean machine, but most users lack the tools or confidence to do so, so the system is effectively unusable. In some cases the ransom demand impersonates a government agency, threatening investigation for tax fraud, possession of child abuse materials or terrorist activity, as in the fake FBI notice below.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/404785/original/file-20210607-27-1nt2r8j.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A fake FBI ‘seize’ notice designed to convince victims to pay the ‘fine’.</span>
<span class="attribution"><span class="source">Motormille2, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons</span></span>
</figcaption>
</figure>
<p><strong>Leakware</strong></p>
<p>In a leakware attack, the data are not encrypted but instead are stolen from the victim and held by the cyber-criminals. The threat of public release alone is used to secure a ransom payment, which means backups offer no protection here; the only defences are preventing the theft and limiting what an intruder can reach once inside. From 2020 to 2021, <a href="https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf">reported extortion attempts that involved no encryption doubled</a>.</p>
<p><strong>Double extortion</strong></p>
<p>Double extortion combines the two: a payment is demanded for the key to decrypt the organisation’s data, with the added threat that a copy of that data, already in the criminals’ hands, will be published if the victim refuses. A victim with good backups can restore its systems, but that does nothing about the leak.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=800&fit=crop&dpr=1 600w, https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=800&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=800&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1005&fit=crop&dpr=1 754w, https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1005&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/404786/original/file-20210607-25-1qxvzm9.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1005&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Screenshots from Cl0p leaks website providing access to stolen Transport NSW files (web version is not redacted).</span>
<span class="attribution"><span class="source">Author provided</span></span>
</figcaption>
</figure>
<p>The data is typically copied out of the organisation’s network during the intrusion that precedes the encryption, often over days or weeks, and sent to servers run by the cyber-criminals. To encourage payment, extracts may be posted on public-facing leak sites to prove possession of the data, coupled with threats to publish the rest.</p>
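<p>That copying-out phase is the one chance to catch double extortion before the ransom note appears, and it leaves a trace in outbound traffic. The following is an added example, not code from the article, of the simplest useful check over firewall or NetFlow-style records (the line format and the sample lines are constructed): for each internal host it compares the volume sent to the internet in one hour against that host’s own median hour, so a backup server that always pushes gigabytes is left alone while a workstation that suddenly uploads gigabytes to one external address is flagged, along with that address.</p>

```python
"""Spotting the bulk data theft that precedes double extortion.

Added example; not code from the article. Reads firewall/NetFlow-style
records (line format and sample lines are assumed) and flags an internal
host whose outbound volume to the internet in one hour is far above that
host's own median hour, so steady heavy senders (backups) pass while a
sudden upload from an ordinary workstation is caught.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]   # assumed
SPIKE_FACTOR = 10                   # assumed: alert above 10x the host's median hour
MIN_BYTES = 500 * 1024 * 1024       # assumed floor so tiny hosts cannot trip the rule

_LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def hourly_outbound(records):
    """{src: {hour: {dst: bytes}}} counting only internal-to-external flows."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            hour = r["ts"].replace(minute=0, second=0, microsecond=0)
            table[r["src"]][hour][r["dst"]] += r["bytes"]
    return table


def detect_exfil(lines):
    """One alert per (host, hour) whose outbound volume is both large in
    absolute terms and far above the host's median over its other hours."""
    records = [parse_flow(line) for line in lines if line.strip()]
    alerts = []
    for src, hours in hourly_outbound(records).items():
        totals = {h: sum(d.values()) for h, d in hours.items()}
        for hour, total in totals.items():
            others = [v for h, v in totals.items() if h != hour]
            if not others:
                continue   # a single hour gives no baseline to compare against
            baseline = statistics.median(others)
            if total >= MIN_BYTES and total > SPIKE_FACTOR * max(baseline, 1):
                top_dst = max(hours[hour], key=hours[hour].get)
                alerts.append({"src": src, "hour": hour.isoformat(), "bytes": total,
                               "baseline": baseline, "top_dst": top_dst})
    return alerts


def _flow(ts, src, dst, dport, nbytes):
    return f"{ts} src={src} dst={dst} dport={dport} bytes_out={nbytes}"


# Constructed sample log; external addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = []
for _h in range(6):
    _ts = f"2021-06-01T{_h:02d}:10:00Z"
    SAMPLE_FLOWS.append(_flow(_ts, "10.0.5.12", "198.51.100.20", 443, 3 * 1024 ** 2))  # workstation, routine SaaS
    SAMPLE_FLOWS.append(_flow(_ts, "10.0.7.3", "198.51.100.50", 443, 3 * 1024 ** 3))   # backup server, steady 3 GiB/h
    SAMPLE_FLOWS.append(_flow(_ts, "10.0.5.12", "10.0.9.9", 445, 50 * 1024 ** 2))      # internal file share: ignored
SAMPLE_FLOWS.append(_flow("2021-06-01T02:37:00Z", "10.0.5.12", "203.0.113.9", 443, 8 * 1024 ** 3))  # the theft
SAMPLE_FLOWS.append(_flow("2021-06-01T02:40:00Z", "203.0.113.9", "10.0.5.12", 443, 12000))         # inbound: ignored


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(alert)
```

<p>A per-host baseline is what makes the rule usable: a fixed byte threshold either drowns the analyst in backup traffic or is set so high that a quiet workstation’s theft slips under it. Intruders who know this spread the upload over days or route it through an approved cloud storage service, so the alert is a prompt for investigation rather than proof.</p>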
<p><strong>Ransomware as a Service (RaaS)</strong></p>
<p>Early ransomware was developed by individuals but, as with all software, ransomware has come of age. It is now a multibillion-dollar industry (an <a href="https://pentestmag.com/ransomware-statistics-trends-and-facts-for-2020-and-beyond/">estimated US$20 billion in 2020</a>) and is every bit as well designed and implemented as any commercial software.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/Kgx_teNOo-U?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Ransomware as a Service is here - and cheaper than you may think!</span></figcaption>
</figure>
<p>Just as Microsoft’s Office 365 has developed into a service, where instead of buying the software you pay a monthly or yearly subscription, so has ransomware. Under <a href="https://www.upguard.com/blog/what-is-ransomware-as-a-service">Ransomware as a Service</a> (RaaS), a core group develops the malware and runs the payment and leak infrastructure, while affiliates who break into victims’ networks deploy it, with the ransom then split between the two, the operators typically taking a <a href="http://www.zdnet.com/article/ransomware-as-a-service-for-allows-wannabe-hackers-to-cash-in-on-cyber-extortion/">cut of the ransom</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/holding-the-news-to-ransom-what-we-know-so-far-about-the-channel-9-cyber-attack-158069">Holding the news to ransom? What we know so far about the Channel 9 cyber attack</a>
</strong>
</em>
</p>
<hr>
<h2>To pay, or not to pay?</h2>
<p>Most law enforcement agencies recommend against ransom payments (just as many governments will not negotiate with terrorists), because it is likely to encourage future attacks. But many organisations nevertheless do pay up. Interestingly, the public sector hands over up to <a href="https://statescoop.com/ransomware-local-government-pays-10-times-more/">ten times more money</a> to release their files than victims in the private sector.</p>
<p>Paying a ransom is frequently seen as the lesser of two evils, particularly for smaller organisations that would otherwise be shut down entirely by the disruption to their systems. Or, if you are lucky, a free decryptor may already exist for the strain in question, typically because its authors got the cryptography wrong or their keys were seized by police; it is worth checking before any payment.</p>
<p>But paying the ransom doesn’t guarantee you’ll get all your data back. By one <a href="https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf">estimate</a>, an average of 65% of data was typically recovered after paying the ransom, and only 8% of organisations managed to restore all of it.</p>
<p>With criminal groups now reaping <a href="https://www.zdnet.com/article/ryuk-gang-estimated-to-have-made-more-than-150-million-from-ransomware-attacks/">multimillion-dollar profits</a>, ransomware attacks are likely to target larger organisations where the rewards are richer, perhaps focusing on holders of valuable intellectual property such as the health-care and medical research sectors. The Internet of Things (IoT) will likely be a <a href="https://techcrunch.com/2016/10/02/what-makes-iot-ransomware-a-different-and-more-dangerous-threat/">target for cyber-criminals</a>, with global networks of connected devices held to ransom.</p>
<p>While big organisations are likely to have appropriate technical safeguards, user education is still key: a lapse of judgement from a single person can still bring an organisation to its knees. Education alone is not enough, though, and the basics matter at any size: patch internet-facing systems promptly, require multi-factor authentication on remote access, and keep backups that an intruder cannot reach and that have actually been tested by restoring from them. For smaller companies, seeking (and following) cyber advice is crucial.</p>
<p>Given the huge scale on which cyber-criminals are now operating, we have to hope law enforcement and software security engineers can stay one step ahead.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/holding-the-world-to-ransom-the-top-5-most-dangerous-criminal-organisations-online-right-now-163977">Holding the world to ransom: the top 5 most dangerous criminal organisations online right now</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The first ransomware attack, in 1988, was a crude effort involving virus-laden floppy disks. But in the decades since, the sophistication of malware, and the money reaped by criminals, has skyrocketed.Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan UniversityAndrew Woodward, Executive Dean of Science, Edith Cowan UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1639772021-07-07T06:09:00Z2021-07-07T06:09:00ZHolding the world to ransom: the top 5 most dangerous criminal organisations online right now<figure><img src="https://images.theconversation.com/files/410078/original/file-20210707-27-16ysofm.jpeg?ixlib=rb-1.1.0&rect=62%2C44%2C5928%2C3943&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p><em>On the internet, nobody knows you’re a dog!</em></p>
<p>These words from Peter Steiner’s <a href="https://www.washingtonpost.com/blogs/comic-riffs/post/nobody-knows-youre-a-dog-as-iconic-internet-cartoon-turns-20-creator-peter-steiner-knows-the-joke-rings-as-relevant-as-ever/2013/07/31/73372600-f98d-11e2-8e84-c56731a202fb_blog.html">famous cartoon</a> could easily be applied to the recent <a href="https://www.nzherald.co.nz/nz/worldwide-ransomware-attack-st-peters-college-and-10-other-schools-hit-by-us-cyber-attack/JACHAD3OPGUOF7ZIF4PJXDPICA/">ransomware attack</a> on Florida-based software supplier Kaseya.</p>
<p>Kaseya provides software services to thousands of clients around the world. It’s estimated between <a href="https://www.itnews.com.au/news/kaseya-boss-says-up-to-1500-businesses-affected-by-ransomware-attack-566942">800 and 1,500 medium to small businesses</a> may be impacted by the attack, with the hackers demanding US$50 million (<a href="https://thewest.com.au/news/crime/ransomware-hackers-lower-demand-to-us50m-c-3320330">lower than the previously reported US$70 million</a>) in exchange for restoring access to data being held for ransom.</p>
<p>The global ransomware attack has been <a href="https://www.cbsnews.com/news/kaseya-atttack-biggest-known-ransomware/">labelled</a> the biggest on record. Russian cybercriminal organisation REvil is the alleged culprit. </p>
<p>Despite its notoriety, nobody really knows what REvil is, what it’s capable of or why it does what it does, apart from the immediate benefit of huge sums of money. Also, ransomware attacks often involve vast distributed networks, so it’s not even certain the individuals involved would <a href="https://theconversation.com/inside-a-ransomware-attack-how-dark-webs-of-cybercriminals-collaborate-to-pull-them-off-163015">know each other</a>.</p>
<p>Ransomware attacks are <a href="https://theconversation.com/the-increase-in-ransomware-attacks-during-the-covid-19-pandemic-may-lead-to-a-new-internet-162490">growing exponentially</a> in size and ransom demand — changing the way we operate online. Understanding who these groups are and what they want is critical to taking them down.</p>
<p>Here, we list the top five most dangerous criminal organisations currently online. As far as we know, these rogue groups aren’t backed or <a href="https://cybernews.com/editorial/the-worlds-most-dangerous-state-sponsored-hacker-groups/">sponsored by any state</a>.</p>
<h2>DarkSide</h2>
<p>DarkSide is the group behind the <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">Colonial Pipeline</a> ransom attack in May, which shut down the US Colonial Pipeline’s fuel distribution network, triggering gasoline shortage concerns.</p>
<p>The group seemingly first emerged in August last year. It targets <a href="https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/">large companies</a> that will suffer from any disruption to their services — a key factor, as they’re then more likely to pay ransom. Such companies are also more likely to have <a href="https://www.reuters.com/technology/after-colonial-attack-energy-companies-rush-secure-cyber-insurance-2021-05-28/">cyber insurance</a> which, for criminals, means easy moneymaking. </p>
<p>DarkSide’s business model is to offer a <a href="https://securityboulevard.com/2021/05/darkside-offered-ransomware-as-a-service-before-pipeline-attack/">ransomware service</a>. The core group develops and maintains the malware, the leak site and the payment and negotiation infrastructure, and affiliates who have already broken into a victim’s network deploy it on their own behalf; the two sides then share the profits. Splitting the work this way also lessens each party’s exposure.</p>
<p>Groups that offer cybercrime-as-a-service also provide online forum communications to support others who may want to improve their cybercrime skills. </p>
<p>This might involve teaching someone how to combine <a href="https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/">distributed denial-of-service (DDoS) and ransomware</a> attacks, to put extra pressure on negotiations. The ransomware would prevent a business from working on past and current orders, while a DDoS attack would block any new orders. </p>
<h2>REvil</h2>
<p>The ransomware-as-a-service group REvil is currently making headlines due to the ongoing Kaseya incident, as well as another recent attack on <a href="https://www.zdnet.com/article/fbi-attributes-jbs-ransomware-attack-to-revil/">global meat processing company JBS</a>. This group has been particularly active in 2020-2021. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/409893/original/file-20210706-25-cdxsbk.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/409893/original/file-20210706-25-cdxsbk.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=281&fit=crop&dpr=1 600w, https://images.theconversation.com/files/409893/original/file-20210706-25-cdxsbk.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=281&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/409893/original/file-20210706-25-cdxsbk.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=281&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/409893/original/file-20210706-25-cdxsbk.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=354&fit=crop&dpr=1 754w, https://images.theconversation.com/files/409893/original/file-20210706-25-cdxsbk.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=354&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/409893/original/file-20210706-25-cdxsbk.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=354&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">REvil’s HappyBlog web site showing US$70m ransom demand.</span>
<span class="attribution"><span class="source">Author provided</span></span>
</figcaption>
</figure>
<p>In April, REvil stole technical data on unreleased Apple products from Quanta Computer, a Taiwanese company that assembles Apple laptops. A <a href="https://www.theguardian.com/technology/2021/apr/22/ransomware-hackers-steal-plans-upcoming-apple-products">ransom of US$50 million</a> was demanded to prevent public release of the stolen data. It hasn’t been revealed whether or not this money was paid.</p>
<h2>Clop</h2>
<p>The ransomware <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/">Clop</a> was created in 2019 by a financially motivated group estimated to have extorted <a href="https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/">half a billion US dollars</a>. </p>
<p>The Clop group’s speciality is “double extortion”. Victims are asked to pay for a decryption key that restores access to their encrypted data, and then to pay again so that the copy of that data the group stole beforehand is not released publicly.</p>
<p>Historical examples reveal that organisations which pay a ransom once are more likely to pay again in the future. So hackers will tend to target the same organisations again and again, asking for more money each time. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/409895/original/file-20210706-13-1ammbxm.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/409895/original/file-20210706-13-1ammbxm.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=563&fit=crop&dpr=1 600w, https://images.theconversation.com/files/409895/original/file-20210706-13-1ammbxm.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=563&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/409895/original/file-20210706-13-1ammbxm.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=563&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/409895/original/file-20210706-13-1ammbxm.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=708&fit=crop&dpr=1 754w, https://images.theconversation.com/files/409895/original/file-20210706-13-1ammbxm.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=708&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/409895/original/file-20210706-13-1ammbxm.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=708&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">ClopLeaks website showing directly downloadable ransom files.</span>
<span class="attribution"><span class="source">Author provided</span></span>
</figcaption>
</figure>
<h2>Syrian Electronic Army</h2>
<p>Far from a typical cybercrime gang, the Syrian Electronic Army has been launching online attacks since 2011 to promote political propaganda. With this motive, it has been dubbed a <a href="https://www.akamai.com/uk/en/resources/syrian-electronic-army.jsp">hacktivist</a> group.</p>
<p>While the group has <a href="https://opennet.net/emergence-open-and-organized-pro-government-cyber-attacks-middle-east-case-syrian-electronic-army">links</a> with Bashar al-Assad’s regime, it’s more likely made up of <a href="https://cvir.st-andrews.ac.uk/articles/10.15664/jtr.1294/">online vigilantes</a> trying to be <a href="https://opencanada.org/new-face-syrian-electronic-army/">media auxiliary</a> for the Syrian army.</p>
<p>Their technique is to distribute <a href="https://www.bbc.com/news/world-middle-east-22287326">fake news</a> through reputable sources. In 2013, a single tweet they sent from the hijacked official account of the Associated Press, the world’s leading news agency, briefly <a href="https://www.washingtonpost.com/news/worldviews/wp/2013/04/23/syrian-hackers-claim-ap-hack-that-tipped-stock-market-by-136-billion-is-it-terrorism/">wiped billions</a> from the stock market before the hoax was exposed. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/409836/original/file-20210706-13-w5mk2t.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/409836/original/file-20210706-13-w5mk2t.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=301&fit=crop&dpr=1 600w, https://images.theconversation.com/files/409836/original/file-20210706-13-w5mk2t.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=301&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/409836/original/file-20210706-13-w5mk2t.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=301&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/409836/original/file-20210706-13-w5mk2t.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=378&fit=crop&dpr=1 754w, https://images.theconversation.com/files/409836/original/file-20210706-13-w5mk2t.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=378&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/409836/original/file-20210706-13-w5mk2t.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=378&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The fake AP tweet from the Syrian Electronic Army.</span>
<span class="attribution"><span class="source">www.theatlantic.com/</span></span>
</figcaption>
</figure>
<p>The Syrian Electronic Army exploits the fact that most people online have a tendency to interpret and react to content with an implicit sense of trust. And they’re a prime example of how the <a href="https://www.tandfonline.com/doi/full/10.1080/17440572.2012.759508?casa_token=8oYWCR5Hos4AAAAA%3Adkm-B8CSG9cg9d6GrvxHY0uGqzzxuD9jeSX43_DsIGkcAz1y-iStjCkWjTipxFcaNO0X9vldSJZLfoQ">boundaries</a> between crime and terror groups online are less distinct than in the physical world.</p>
<h2>FIN7</h2>
<p>If this list could contain a “super villain”, it would be FIN7. Another Russian-based group, FIN7 is arguably the most <a href="https://www.wired.com/story/fin7-carbanak-hacking-group-behind-a-string-of-big-breaches/">successful</a> online criminal organisation of all time. Operating since 2012, it mainly works as a <a href="https://geminiadvisory.io/fin7-syndicate-hacks-saks-fifth-avenue-and-lord-taylor/">business</a>. </p>
<p>Many of its operations have been undetected for years. Its data breaches have exploited <a href="https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html">cross-attack</a> scenarios, wherein the data breach serves multiple purposes. For example, it may enable extortion through ransom while also allowing the attacker to use data against victims, such as by reselling it to a third party. </p>
<p>In early 2017, FIN7 was alleged to be behind an attack targeting <a href="https://www.scmagazine.com/home/security-news/network-security/fin7-spearphishing-campaign-targets-sec-filings/">companies providing filings</a> to the US Securities and Exchange Commission. This confidential information was exploited to extract ransom, and the proceeds were then invested on the stock exchange. </p>
<p>As such, the group made huge sums of money by trading on confidential information. The <a href="https://www.amf-france.org/sites/default/files/2020-02/study-stock-market-cybercrime-_-definition-cases-and-perspectives.pdf">insider trading</a> scheme facilitated by hacking went on for many years, which is why it’s not possible to quantify the exact amount of economic damage. But it’s estimated to be well over US$1 billion.</p>
<h2>Organised crime vs organised criminals</h2>
<p>When it comes to complex criminal organisations, <a href="https://attack.mitre.org/techniques/enterprise/">techniques</a> <a href="https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti">evolve</a> and <a href="https://link.springer.com/article/10.1007/s12117-018-9342-y">motives</a> vary.</p>
<p>The way they organise themselves and commit crimes online is <a href="https://link.springer.com/article/10.1007/s12117-020-09397-5">very different</a> from your local offline gang. Ransomware can be launched from anywhere in the world, so it’s very difficult to prosecute these criminals. Matters are made even more complicated when several parties coordinate across borders.</p>
<p>It’s no wonder the challenge for law enforcement agencies is significant. It’s crucial that authorities investigating an attack are sure it was indeed perpetrated by the party they suspect. But to know this, they need all the help they can get. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/nothing-like-the-mafia-cybercriminals-are-much-like-the-everyday-poorly-paid-business-worker-150953">Nothing like the mafia: cybercriminals are much like the everyday, poorly paid business worker</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The recent attack on software supplier Kaseya has been labelled as the biggest global ransomware attack on record.Roberto Musotto, Research fellow, Edith Cowan UniversityBrianna O'Shea, Lecturer, Ethical Hacking and Defense, Edith Cowan UniversityPaul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1622192021-06-29T20:38:53Z2021-06-29T20:38:53ZWith cyberattacks growing more frequent and disruptive, a unified approach is essential<figure><img src="https://images.theconversation.com/files/408907/original/file-20210629-13-1epba76.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6000%2C3428&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyberwarfare will require new defensive measures by government and corporations.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure><p>Cyberwarfare consists of co-ordinated <a href="https://www.jstor.org/stable/43995904">attacks of mass disruption (AMD)</a>. In the June summit between U.S. and Russian presidents Joe Biden and Vladimir Putin, cyberwarfare was a topic of discussion. While the Biden-Putin summit appears to be “<a href="https://www.washingtonpost.com/politics/2021/06/16/biden-putin-live-updates/">quite constructive</a>,” cyberwarfare remains perplexing to politicians. </p>
<p>Attacks of mass disruption resemble recent incidents such as the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack (<a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">discussed here</a>); imagine several such attacks co-ordinated at once. For the time being, organizations should prepare for increasing disruptions and data losses caused by ransomware.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">The Colonial Pipeline ransomware attack and the SolarWinds hack were all but inevitable – why national cyber defense is a 'wicked' problem</a>
</strong>
</em>
</p>
<hr>
<p>Attacks of mass disruption may not cause massive casualties, but nations could lose their ability to function and respond to adversaries, economies can be crippled and governments may be undermined. The <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">December 2015 cyberattack on Ukraine’s power grid</a>, which cut electricity to roughly 230,000 customers for several hours, showed how a well co-ordinated <a href="https://ieeexplore.ieee.org/document/7752958">cyberattack</a> could ground a nation.</p>
<p>The <a href="https://doi.org/10.1016/j.tej.2017.02.006">lessons are clear</a> — the impact of cyberattacks is too serious to ignore and pre-planned contingencies may be the only thing that works to address them.</p>
<h2>Cyberattack losses</h2>
<p>In 2020, <a href="https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/">IBM estimated US$1.5 billion losses in known observed cyberattacks</a>.</p>
<p>Over the past two decades, two factors have contributed to the possibility of cyberwarfare. First is the <a href="https://www.pewresearch.org/internet/2019/10/28/5-leading-concerns-about-the-future-of-digital-life/">increased reliance</a> on digital infrastructure and systems. Second is the continuous <a href="https://theconversation.com/growth-in-data-breaches-shows-need-for-government-regulations-127600">increase in damages</a> inflicted by criminal or state-based cyberattacks. </p>
<p>These provide sufficient justification for experts to <a href="https://www.dni.gov/files/PE/Documents/6---2017-AEP_The-Future-of-Ransomware-and-Social-Engineering.pdf">sound the alarm</a> <a href="https://www.belfercenter.org/publication/strategic-advantage-why-america-should-care-about-cybersecurity">on cybersecurity</a>.</p>
<p>Other factors increase the risks even more. The complexity of the modern economy and its supply chains create an environment of highly impactful disruptions. Attacks of mass disruption on seemingly irrelevant but well-selected entities — like infrastructure companies — could trigger a domino effect that causes disruptions and economic losses far beyond the scale of the target.</p>
<p>Russia used U.S. cyberinfrastructure to <a href="https://www.cfr.org/backgrounder/russia-trump-and-2016-us-election">influence the 2016 election</a>. More recently there were attacks on <a href="https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html">software developer SolarWinds Inc.</a> (a supply-chain compromise disclosed in December 2020) and, in May 2021, on <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">oil infrastructure company Colonial Pipeline</a> and <a href="https://www.bbc.com/news/world-us-canada-57318965">JBS, the world’s largest meat supplier</a>.</p>
<p>Currently, most cyberattacks originating from Russia rely on well-known tactics: email phishing, <a href="https://www.cisa.gov/ransomware-alerts-and-tips">ransomware-as-a-service</a> and the exploitation of weak or reused passwords.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/Xes6ZgV1Iww?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The Wall Street Journal looks at how the U.S. can protect itself against cyberattacks.</span></figcaption>
</figure>
<h2>Treaty challenges</h2>
<p>A <a href="https://csrc.nist.gov/glossary/term/zero_day_attack">zero-day vulnerability</a> is a flaw that is unknown to the vendor, so no patch exists when it is first exploited, as when the malicious program Stuxnet was <a href="https://ieeexplore.ieee.org/document/9390103">successfully used as a digital “dirty bomb” to curb Iranian nuclear ambition</a>. </p>
<p>The U.S. is known to exploit hardware vulnerabilities through highly sophisticated methods, maintaining the upper hand in the ability to perform silent attacks.</p>
<p>Calls to bring governments together to <a href="https://www.wilsoncenter.org/sites/default/files/media/documents/publication/arms_control_in_cyberspace.pdf">sign a treaty similar to other arms-control treaties</a> have mounted lately. To address the complexities of cyberwarfare, <a href="https://www.belfercenter.org/publication/world-needs-arms-control-treaty-cybersecurity">political scientist Joseph Nye</a> and <a href="https://www.washingtonpost.com/opinions/the-world-needs-an-arms-control-treaty-for-cybersecurity/2015/10/01/20c3e970-66dd-11e5-9223-70cb36460919_story.html">others have proposed a nuclear-like treaty</a>, in particular because nuclear treaties can spell out details precisely.</p>
<p>Most efforts to control attacks of mass disruption have either led to <a href="https://thediplomat.com/2018/08/did-the-obama-xi-cyber-agreement-work/">limited scope agreements</a>, or completely fallen apart before they were signed.</p>
<p>Unfortunately, cyberattacks do not use observable weapons that can be monitored for compliance. Further, the line between criminal and state-based attacks can be hard to draw. An attack on a gas pipeline or a meat-packing facility may appear criminal, but can trigger serious chain events beyond the immediate targets. </p>
<p>The rapid technological changes and advances in cyberattacks make it hard to predict the strategies of future attacks of mass disruption in order to address them in a treaty.</p>
<h2>Protecting against attacks</h2>
<p>Most attacks of mass disruption exploit vulnerabilities that are easy to fix by maintaining <a href="https://www.nist.gov/blogs/taking-measure/identify-protect-detect-respond-and-recover-nist-cybersecurity-framework">normal digital hygiene</a> and a vigilant attitude to email phishing and password management. </p>
<p>Organizations need to get serious about those practices because, as with COVID-19, vigilant proactive precautions can lessen the problem to a great extent.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="four government officials seated in front of a row of flags" src="https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/408927/original/file-20210629-28-pdiswm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Government officials provided an update on the cyberattacks that affected the Canada Revenue Agency in August 2020.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Sean Kilpatrick</span></span>
</figcaption>
</figure>
<p>Protective measures can be imposed through national legislation. A national debate is required to develop consensus on the level of government intervention and the levels of protections for different data types. This should result in a call for strong legislation forcing organizations to maintain high levels of security like off-site backups and <a href="https://www.europeanleadershipnetwork.org/wp-content/uploads/2020/06/Cyber-arms-control.pdf">other protective measures</a>.</p>
<p>Vulnerabilities embedded deep in hardware and operating systems, on the other hand, cannot be mitigated by normal digital hygiene. The U.S. has the upper hand on those vulnerabilities; hence, the cybersecurity arms balance is tilted in favour of the U.S.</p>
<p>Historically, nations do not settle an arms race until a <a href="https://www.britannica.com/topic/mutual-assured-destruction">mutual assured destruction situation</a> presents itself. Russian cyberattacks could be viewed as an attempt to reach this point. Until we get <a href="https://www.state.gov/wp-content/uploads/2020/10/T-paper-series-Cybersecurity-Format-508.pdf">closer to the mutual assured destruction point</a>, do not expect an international treaty anytime soon. Instead, expect more cyberattacks and data losses. Organizations and governments need to get serious and buckle up — it’s going to be a rough ride.</p>
<p class="fine-print"><em><span>Yasser Morgan receives funding from NSERC-DG</span></em></p>
Co-ordinated cyberattacks can create massive disruptions to infrastructure and supply chains. New treaties are needed to prevent cyberwarfare, but it’s challenging to predict technological advances.
Yasser Morgan, Professor, Engineering, University of Regina
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/162404
2021-06-24T12:11:47Z
Ransomware, data breach, cyberattack: What do they have to do with your personal information, and how worried should you be?
<figure><img src="https://images.theconversation.com/files/408030/original/file-20210623-13-1spz03x.jpg?ixlib=rb-1.1.0&rect=0%2C15%2C3360%2C2045&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Credit bureau Equifax announced in 2017 that the personal information of 143 million Americans – about three-quarters of all adults – had been exposed in a major data breach.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/CongressEquifaxDataBreach/5911edac571e40b48f562110ebfbc782/photo">AP Photo/Mike Stewart</a></span></figcaption></figure>
<p>The headlines are filled with news about <a href="https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove-it.html">ransomware attacks</a> tying up organizations large and small, <a href="https://www.kaspersky.com/resource-center/definitions/data-breach">data breaches</a> at major brand-name companies and <a href="https://theconversation.com/the-sunburst-hack-was-massive-and-devastating-5-observations-from-a-cybersecurity-expert-152444">cyberattacks</a> by shadowy hackers associated with Russia, China and North Korea. Are these threats to your personal information? </p>
<p>If it’s a ransomware attack on a pipeline company, probably not. If it’s a hack by foreign agents of a government agency, <a href="https://abcnews.go.com/US/exclusive-25-million-affected-opm-hack-sources/story?id=32332731">maybe</a>, particularly if you’re a government employee. If it’s a data breach at a credit bureau, social media company or major retailer, very likely.</p>
<p>The bottom line is that your online data is not safe. Every week <a href="https://www.gearbrain.com/data-breach-cybersecurity-latest-hacks-2633724298.html">a new major data breach is reported</a>, and most Americans <a href="https://www.pewresearch.org/internet/2017/01/26/1-americans-experiences-with-data-security/">have experienced some form of data theft</a>. And it could hurt you. What should you do? </p>
<h2>Mildly annoyed or majorly aggrieved</h2>
<p>First, was the latest digital crime a <a href="https://www.techrepublic.com/article/infographic-ransomware-attacks-by-industry-continent-and-more/">ransomware attack</a> or was it a <a href="https://www.lifelock.com/learn-data-breaches-data-breaches-need-to-know.html">data breach</a>? Ransomware attacks <a href="https://www.cloudflare.com/learning/ssl/what-is-encryption/">encrypt</a>, or lock up, your programs or data files. Your data is usually not exposed, so you probably have nothing to worry about, unless the attackers also copied the data before encrypting it and threaten to publish it, a double-extortion tactic that has become common. If the target is a company whose services you use, you might be inconvenienced while the company is out of commission.</p>
<p>If it was a data breach, find out if your information has been exposed. You may have been <a href="https://privacyrights.org/consumer-guides/what-do-when-you-receive-data-breach-notice">notified</a> that your personal data was exposed. Breach-notification laws in every U.S. state require companies to tell you if your data was stolen. But you can also check for yourself at <a href="https://haveibeenpwned.com/">haveibeenpwned.com</a>.</p>
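<p>The same site also publishes the Pwned Passwords corpus, which you can query without sending your password anywhere. As an added example (written for this page, not code from the article or from Have I Been Pwned), the following shows the k-anonymity range protocol the service uses: the client sends only the first five hex characters of the password's SHA-1 hash, receives every matching suffix with its breach count, and finishes the comparison locally. The endpoint URL is the real one; the sample response, the non-matching suffixes and all of the counts are constructed so the check runs offline, except that the first suffix really is the remainder of SHA-1("password").</p>

```python
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Real Pwned Passwords range endpoint; the offline demonstration never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-character prefix
    that is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix; malformed lines
    are ignored rather than trusted."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and len(suffix) == 35:
            table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Live lookup: one HTTPS request that reveals only the 5-character prefix."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 if absent).
    The fetch function is injectable so the logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# Only the first suffix is real (the rest of that hash); the other suffixes and
# every count are made up for the demonstration.
SAMPLE_RESPONSE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0F1F6D07D4E3A5C2B7C7A3F2F5D8E0B1C9A:12\r\n"
    "2B6D0E5A1C3F4A7B8C9D0E1F2A3B4C5D6E7:1\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        hits = breach_count(candidate, fetch=offline_fetch)
        verdict = f"seen {hits} times, change it" if hits else "not in the sample"
        print(f"{candidate!r}: {verdict}")
```

<p>Call <code>breach_count</code> with the default fetch for a live lookup; the range endpoint needs no API key and receives nothing but the prefix, which roughly 1 in a million hashes share. Treat any non-zero count as a reason to change the password. SHA-1 appears here only because it is the lookup key the service defines, not as a way to store passwords.</p>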
<p>A data breach could include theft of your online <a href="https://www.pcmag.com/encyclopedia/term/login-credentials">credentials</a>: your user name and password. But hackers might also steal your bank account or credit card numbers or other sensitive or protected information, such as your personal health information, your email address, phone number, street address or Social Security number. </p>
<p>Having your data stolen from a company can be scary, but it is also an opportunity to take stock and apply some common-sense measures to protect your data elsewhere. Even if your data has not been exposed yet, why not take the time now to protect yourself?</p>
<h2>How bad is it?</h2>
<p>As a <a href="http://www.misprofessor.us/">cybersecurity scholar</a>, I suggest that you make a <a href="https://www.researchgate.net/publication/352520422_Information_System_Security_and_Privacy">risk assessment</a>. Ask yourself some simple questions, then take some precautions.</p>
<p>If you know your data was stolen, the most important question is what kind of data was stolen. Data thieves, just like car thieves, want to steal something valuable. Consider how attractive the data might be to someone else. Was it highly sensitive data that could harm you if it were in the wrong hands, like financial account records? Or was it data that couldn’t really cause you any problems if someone got hold of it? What information is your worst-case vulnerability if it were stolen? What could happen if data thieves take it?</p>
<p>Many e-commerce sites retain your purchase history, but not your credit card number, so ask yourself, did I authorize them to keep it on file? If you make recurring purchases from the site, such as at hotel chains, airlines and grocery stores, the answer is probably yes. Thieves don’t care about your seat preferences. They want to steal your credit card info or your loyalty rewards to <a href="https://theconversation.com/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it-158934">sell on the black market</a>.</p>
<h2>What to do</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A hand holds a smartphone showing a text message on the screen" src="https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=558&fit=crop&dpr=1 600w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=558&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=558&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=702&fit=crop&dpr=1 754w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=702&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/407989/original/file-20210623-4659-2txc7b.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=702&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Two-factor authentication, which typically involves receiving a code in a text message, provides an extra layer of security in case your password is stolen.</span>
<span class="attribution"><a class="source" href="https://flickr.com/photos/192004829@N02/51019543372/">The Focal Project/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span>
</figcaption>
</figure>
<p>If you haven’t already, set up two-factor authentication with all websites that store your valuable data. If data thieves stole your password, but you use <a href="https://authy.com/what-is-2fa/">two-factor authentication</a>, then the password alone is not enough for them to access your account. </p>
<p>It takes a little effort to enter that single-use code sent to your phone each time, but it does protect you from harm when the inevitable breach occurs. Even better, use an <a href="https://www.pcmag.com/picks/the-best-authenticator-apps">authentication app</a> rather than texting for two-factor authentication, since text messages can be intercepted or redirected to an attacker’s phone through SIM-swap fraud. This is especially critical for your bank and brokerage accounts. If you think your health-related information is valuable or sensitive, you should also take extra precautions with your health care provider’s website, your insurance company and your pharmacy.</p>
<p>If you used a <a href="https://www.webroot.com/us/en/resources/tips-articles/how-do-i-create-a-strong-password">unique password</a> instead of reusing a <a href="https://theconversation.com/a-secure-relationship-with-passwords-means-not-being-attached-to-how-you-pick-them-110557">favorite password</a> you’ve used elsewhere, hackers can’t successfully use your <a href="https://www.pcmag.com/encyclopedia/term/login-credentials">credentials</a> to access your other accounts, an attack known as credential stuffing. One-third of users are vulnerable because they <a href="https://www.digicert.com/blog/3-reasons-for-strong-password-policy">use the same password for every account</a>. </p>
<p>Take this opportunity to change your passwords, especially at banks, brokerages and any site that retains your credit card number. You can record your unique passwords on a piece of paper hidden at home or in an encrypted file you keep in the cloud. Or you can download and install a good <a href="https://www.wsj.com/articles/what-keeps-people-from-using-password-managers-11623086700">password manager</a>. Password managers encrypt passwords on your devices before they’re sent into the cloud, so your passwords are protected even if the password manager company is hacked, provided your master password is strong: an attacker who obtains the encrypted vault can still try to guess a weak master password offline.</p>
<p>If your credit card number was exposed, you should notify your bank. Now is a good time to set up <a href="https://www.thebalance.com/mobile-banking-alerts-everyone-should-activate-4178499">mobile banking alerts</a> to receive notifications of unusual activity, big purchases and so on. Your bank may want to issue new cards with new numbers to you. That’s considerably less of a hassle than <a href="https://www.identitytheft.gov/steps">experiencing identity theft</a>. </p>
<p>You should also consider closing old unused accounts so that the information associated with them is no longer available. Do you have a loyalty account with a hotel chain, restaurant or airline that you haven’t used in years and won’t use again? Close it. If you have a credit card with that company, make sure they report the account closure to the credit reporting agencies.</p>
<p>Now is a great time to check your credit reports from all three credit bureaus. Do you rarely apply for new credit and want to protect your identity? If so, <a href="https://www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts">freeze your credit</a>. Make sure to generate unique passwords and record them at home in case you need to unfreeze your credit later to apply for a loan. This will help protect you from some of the worst consequences of identity theft.</p>
<p class="fine-print"><em><span>Merrill Warkentin does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
If an organization that has your data gets hacked, your vulnerability depends on the kind of attack and the kind of data. Here’s how you can assess your risk and what to do to protect yourself.
Merrill Warkentin, James J. Rouse Endowed Professor of Information Systems, Mississippi State University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/163015
2021-06-18T14:17:13Z
Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull them off
<figure><img src="https://images.theconversation.com/files/407209/original/file-20210618-26-d4o3ua.jpeg?ixlib=rb-1.1.0&rect=17%2C8%2C5973%2C3197&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/insecure-network-several-red-platforms-connected-530465965">BeeBright/Shutterstock</a></span></figcaption></figure><p>In their Carbis Bay communique, the G7 <a href="https://www.g7uk.org/wp-content/uploads/2021/06/Carbis-Bay-G7-Summit-Communique-PDF-430KB-25-pages-5.pdf">announced</a> their intention to work together to tackle <a href="https://theconversation.com/ransomware-gangs-are-running-riot-paying-them-off-doesnt-help-155254">ransomware groups</a>. Days later, US president Joe Biden met with Russian president Vladimir Putin, where an <a href="https://www.ft.com/content/81c644d4-811f-4d9c-b4ac-bb0ee1038526">extradition process</a> to bring Russian cybercriminals to justice in the US was discussed. Putin reportedly agreed in principle, but insisted that extradition be <a href="https://www.telegraph.co.uk/news/2021/06/14/putin-says-open-prisoner-swap-russia-us/">reciprocal</a>. Time will tell if an extradition treaty can be reached. But if it is, who exactly should be extradited – and what for? </p>
<p>The problem for <a href="https://doi.org/10.1016/j.cose.2019.101568">law enforcement</a> is that ransomware – a form of malware used to lock up or steal organisations’ data and hold it to ransom – is a very slippery fish. Not only is it a blended crime, including different offences across different bodies of law, but it’s also a crime that straddles the remit of <a href="https://theconversation.com/how-cities-can-fight-back-against-ransomware-attacks-132782">different policing agencies</a> and, in many cases, <a href="https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html">countries</a>. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.</p>
<p>So it’s important to look at these attacks in detail to understand how the US and the G7 might go about tackling the <a href="https://theconversation.com/the-increase-in-ransomware-attacks-during-the-covid-19-pandemic-may-lead-to-a-new-internet-162490">increasing number</a> of ransomware attacks we’ve seen during the pandemic, with at least <a href="https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-may-2021-116-million-records-breached">128 publicly disclosed incidents</a> taking place globally in May 2021. </p>
<p>What we find when we connect the dots is a professional industry far removed from the organised crime playbook, which seemingly takes its inspiration straight from the pages of a <a href="https://link.springer.com/article/10.1007%2Fs12117-020-09397-5">business studies manual</a>.</p>
<p>The ransomware industry is responsible for a huge amount of disruption in today’s world. Not only do these attacks have a crippling economic effect, costing <a href="https://blog.emsisoft.com/en/38426/the-cost-of-ransomware-in-2021-a-country-by-country-analysis/">billions of dollars</a> in damage, but the <a href="https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-may-2021-116-million-records-breached">stolen data</a> acquired by attackers can continue to <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3429958">cascade down</a> through the crime chain and fuel other cybercrimes. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/ransomware-gangs-are-running-riot-paying-them-off-doesnt-help-155254">Ransomware gangs are running riot – paying them off doesn't help</a>
</strong>
</em>
</p>
<hr>
<p>Ransomware attacks are also changing. The criminal industry’s business model has shifted towards providing ransomware <a href="https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/">as a service</a>. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the “<a href="https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/">brand</a>”. But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks. </p>
<p>This has resulted in an extensive distribution of criminal labour, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.</p>
<figure class="align-center ">
<img alt="A hooded hacker" src="https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Even a lone hacker draws upon the criminal capabilities of others.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/cybercriminal-hood-without-face-sits-dark-1576054075">trambler58/Shutterstock</a></span>
</figcaption>
</figure>
<h2>How do ransomware attacks work?</h2>
<p>There are <a href="https://conference.cepol.europa.eu/media/cepol-online-conference-2021/submissions/DBR7WE/resources/Wall_Cybercrime_and_Covid_CEPO_Zx0nGyn.pdf">several stages</a> to a ransomware attack, which I have teased out after analysing over 4,000 attacks from between 2012 and 2021.</p>
<p>First, there’s the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining “initial access”, using log-in credentials bought on the dark web or obtained through deception.</p>
<p>Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organisational data that will cause the victim the most pain when stolen and held to ransom. This is why <a href="https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html?campaign_id=158&emc=edit_ot_20210429&instance_id=29942&nl=on-tech-with-shira-ovide&regi_id=95633146&segment_id=56818&te=1&user_id=b427913b60c799d875886038d08ae44e">hospital medical records</a> and <a href="https://www.databreaches.net/threat-actors-claim-to-have-attacked-city-of-dade-city-florida/?campaign_id=158&emc=edit_ot_20210429&instance_id=29942&nl=on-tech-with-shira-ovide&regi_id=95633146&segment_id=56818&te=1&user_id=b427913b60c799d875886038d08ae44e">police records</a> are often the target of ransomware attacks. This key data is then extracted and saved by criminals – all before any ransomware is installed and activated.</p>
<p>Next comes the victim organisation’s first sign that they’ve been attacked: the ransomware is deployed, locking organisations from their key data. The victim is quickly <a href="https://www.databreachtoday.com/maze-promotes-other-gangs-stolen-data-on-its-darknet-site-a-14386?highlight=true">named and shamed</a> via the ransomware gang’s leak website, located on the dark web. That “press release” may also feature <a href="https://therecord.media/ransomware-gang-threatens-to-expose-police-informants-if-ransom-is-not-paid/?campaign_id=158&emc=edit_ot_20210429&instance_id=29942&nl=on-tech-with-shira-ovide&regi_id=95633146&segment_id=56818&te=1&user_id=b427913b60c799d875886038d08ae44e">threats to share</a> stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A ransomware lockout screen" src="https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=454&fit=crop&dpr=1 600w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=454&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=454&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=571&fit=crop&dpr=1 754w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=571&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=571&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Victims of ransomware attacks are typically presented with a screen like this.</span>
<span class="attribution"><a class="source" href="https://i1.wp.com/www.technollama.co.uk/wp-content/uploads/2017/05/ransomware.jpg">TechnoLlama</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities – and to pay affiliates – so they don’t get caught.</p>
<h2>The cybercrime ecosystem</h2>
<p>While it’s feasible that a suitably skilled offender could perform each of the functions, it’s highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage. </p>
<p>And there are plenty of specialisations in the cybercrime underworld. There are <a href="https://krebsonsecurity.com/2019/05/legal-threats-make-powerful-phishing-lures/#more-47793">spammers</a>, who hire out spamware-as-a-service software that <a href="https://theconversation.com/phishing-scams-are-becoming-ever-more-sophisticated-and-firms-are-struggling-to-keep-up-73934">phishers</a>, scammers, and fraudsters use to steal people’s credentials, and <a href="https://nos.nl/artikel/2374024-datalek-bij-autobedrijven-treft-mogelijk-miljoenen-nederlanders.html">databrokers</a> who trade these stolen details on the dark web.</p>
<p>These might be purchased by “<a href="https://www.theregister.com/2021/06/09/trend_micro_nefilim_ransomware_research/">initial access brokers</a>”, who specialise in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with <a href="https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware/">crimeware-as-a-service</a> brokers, who hire out ransomware-as-a-service software as well as other malicious software.</p>
<p>To coordinate these groups, <a href="https://www.zdnet.com/article/us-weve-just-seized-1bn-in-bitcoin-stolen-from-silk-road-by-individual-x-hacker/">darkmarketeers</a> provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. <a href="https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html">Monetisers</a> are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.</p>
<p>This ecosystem is constantly evolving. For example, a recent development has been the emergence of the “<a href="https://geminiadvisory.io/ransomware-unmasked/">ransomware consultant</a>”, who collects a fee for advising offenders at key stages of an attack. </p>
<h2>Arresting offenders</h2>
<p>Governments and law enforcement agencies appear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous <a href="https://www.theregister.com/2021/06/16/clop_ransomware_gang_arrests_ukraine/">CL0P ransomware gang</a>. In the same week, Russian national <a href="https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/">Oleg Koshkin</a> was convicted by a US court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.</p>
<p>While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cybersecurity experts have tried to keep pace. But the relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals – even if an extradition treaty is struck between the US and Russia.</p>
<p class="fine-print"><em><span>David S. Wall receives funding from UKRI EP/P011721/1 & EP/M020576/1</span></em></p>
<p>Ransomware has gone professional, with criminal consultants, affiliates and brokers – arresting them all will be difficult.</p>
<p>David S. Wall, Professor of Criminology, University of Leeds</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/162490 2021-06-15T16:36:15Z
The increase in ransomware attacks during the COVID-19 pandemic may lead to a new internet
<figure><img alt="Colonial Pipeline storage tanks" src="https://images.theconversation.com/files/406286/original/file-20210614-107575-1yomew4.jpg?ixlib=rb-1.1.0&rect=0%2C40%2C5383%2C3537&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Colonial Pipeline storage tanks. On May 7, 2021, the company experienced a ransomware cyberattack.</span> <span class="attribution"><span class="source">(AP Photo/Seth Wenig)</span></span></figcaption></figure>
<p>Make no mistake: We are also in the midst of a digital pandemic of ransomware attacks. The recent ransomware attacks on <a href="https://www.nytimes.com/2021/05/13/us/politics/biden-colonial-pipeline-ransomware.html">Colonial Pipeline</a> and <a href="https://www.wsj.com/articles/jbs-paid-11-million-to-resolve-ransomware-attack-11623280781">JBS USA Holdings Inc.</a> — the world’s largest meat processors — underscore the growing brazen nature of organized, deliberate attacks on increasingly significant targets, and our chronic inability to defend against them. </p>
<p><em><strong>Read more: <a href="https://theconversation.com/colonial-pipeline-forked-over-4-4m-to-end-cyberattack-but-is-paying-a-ransom-ever-the-ethical-thing-to-do-161383">Colonial Pipeline forked over $4.4M to end cyberattack – but is paying a ransom ever the ethical thing to do?</a></strong></em></p>
<p>What we need is a new internet. The old one is broken.</p>
<h2>Origins of the internet</h2>
<p>Today’s internet originated from the <a href="https://www.britannica.com/topic/ARPANET/A-packet-of-data">Advanced Research Projects Agency Network (ARPANET) in the late 1960s</a> — a conglomerate of research institutions connecting military, political and industrial actors during the Cold War in the United States. It allowed for secure communications in case of conflict, and to facilitate research and development through electronic sharing of information. It was a closed, tightly controlled, highly secure, invitation-only network.</p>
<p>The invention of the World Wide Web (WWW) by Tim Berners-Lee in 1990 led to the browser-based internet that we know today. The WWW introduced, and advocated for, an open, inclusive, universal and unconstrained mode for networks to communicate with each other. It introduced the notion of hyperlinks that a user could simply click on and be transported to a new web page on a separate network. This was the start of the unregulated, user-driven, content-rich internet.</p>
<p>The paradox of the internet is that it was born, has grown and exists in an environment where control and access have been in constant tension and conflict.</p>
<h2>The rise of ransomware</h2>
<p>Cybercrime is a growing, highly successful and profitable industry. According to Cybersecurity Ventures, cybercrime costs will grow by 15 per cent per year to reach <a href="https://cybersecurityventures.com/annual-cybercrime-report-2020/">US$10.5 trillion by 2025</a>: the third greatest “economy” in the world, after those of the U.S. and China. </p>
<p>A big part of this is ransomware, multi-pronged attacks capturing an organization’s data and systems. Since the start of the COVID-19 pandemic, ransomware attacks have increased by <a href="https://www.bitdefender.com/">nearly 500 per cent</a>. </p>
<p>The average ransom payment has also continued to climb, <a href="https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound">up 43 per cent from the last quarter of 2020</a> to an average of over US$200,000. What is especially insidious about these attacks is that a ransom demand is often accompanied by a breach and extraction of company data, and a concurrent extortion threatening to release this data unless additional payments are made. </p>
<p>In the first quarter of 2021, <a href="https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound">over three-quarters of ransomware attacks were tied to such a threat</a>.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/_aC0g4PBu58?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The FBI warns that ransomware attacks are on the rise.</span></figcaption>
</figure>
<p>Criminals have also evolved to become increasingly systemic. The recent attack on <a href="https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html">Colonial Pipeline by the hacker collective DarkSide</a> exemplifies this. Like their state-sponsored counterparts, criminal collectives have created virtual organizations and enacted focused strategies targeting specific sectors and companies. They have infinite resources, skills and patience. They are playing a long game where targets are identified, carefully reconnoitred and only acted upon when the maximum value can be extracted. </p>
<p>CNA Financial was attacked in late March, and paid a ransom of US$40 million — one of the biggest payments on record. The hackers were apparently interested in obtaining access to CNA’s client database not only to blackmail the company itself, but to identify clients that had purchased cyberinsurance with <a href="https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack">a ransomware payment rider to identify the most lucrative targets</a>. DarkSide are also selling ransomware packs to other hackers — <a href="https://purplesec.us/resources/cyber-security-statistics/ransomware/">Ransomware-as-a-Service (RaaS) is becoming a growing profit centre</a>.</p>
<h2>The new old internet</h2>
<p>Legislators have, predictably, responded to these attacks. U.S. President Joe Biden has directed federal agencies to <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/11/fact-sheet-the-biden-harris-administration-has-launched-an-all-of-government-effort-to-address-colonial-pipeline-incident/">bring all of their resources to bear on dealing with digital disruptions</a>. The Department of Homeland Security is developing a set of mandatory rules for how pipelines, and likely other infrastructure providers, will need to <a href="https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/">safeguard their assets</a>. </p>
<p>While a good first step, it will not be enough, and we will continue to react, to be behind the attack curve.</p>
<p>Intranets — closed, proprietary networks — might hold the key to solving this threat.</p>
<p>We foresee a new internet emerging, with two distinct sides. On one side, we’ll have the wholly unfiltered, minimally regulated, Wild West internet that anyone can access. </p>
<p>On the other side, we might see the evolution of what could be called the “World Wide Intranet,” that is, widely accessible but tightly controlled websites with stringent access controls to prevent criminal activity, much like the closed corporate intranets that gained popularity two decades ago.</p>
<figure class="align-center zoomable">
<img alt="shadow of a man with his head in his hands looking at a laptop screen that says RANSOMWARE" src="https://images.theconversation.com/files/406197/original/file-20210614-73420-1p549ga.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip">
<figcaption><span class="caption">As the amount of data generated worldwide increases, so will the vulnerability to cyberattacks.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption>
</figure>
<h2>Responsive security</h2>
<p>Large online merchants like Amazon, the government, health-care providers and other large organizations will no longer tolerate criminal assaults on their and their stakeholders’ data and resources. As such, as security measures like multi-factor authentication evolve, they will increasingly be adopted by these organizations and passed on to consumers as a condition of access.</p>
<p>As a society, we accept controls when the cost of not having them becomes greater than the restrictions they impose. We see this trend as an inevitable consequence of the growing security threats affecting not only networks but the individuals that transact with them.</p>
<p><em><strong>Read more: <a href="https://theconversation.com/cyberattacks-are-on-the-rise-amid-work-from-home-how-to-protect-your-business-151268">Cyberattacks are on the rise amid work from home – how to protect your business</a></strong></em></p>
<p>By 2025, the world will store <a href="https://cybersecurityventures.com/hackerpocalypse-original-cybercrime-report-2016/">200 zettabytes of data</a> (a zettabyte is one trillion gigabytes). The accompanying growth in transactions leaves us no other choice but to tighten identity and access controls. </p>
<p>One pathway might divide the web into one open, but inherently risky, internet and one closed, controlled, regulated and inherently untrusting one where security and privacy dominate.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The amount of online data and transactions is growing exponentially. Related is the increasing possibility of cyberattacks — one way to address these is by regulating parts of the internet.</p>
<p>Michael Parent, Professor, Management Information Systems, Simon Fraser University</p>
<p>David R. Beatty, Academic Director of the David and Sharon Johnston Centre for Corporate Governance Innovation, Rotman School of Management, University of Toronto</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/162390 2021-06-09T14:43:29Z
Fastly’s global internet meltdown could be a sign of things to come
<p>For an hour on the morning of June 8, dozens of the world’s most-visited websites went offline. <a href="https://metro.co.uk/2021/06/08/fastly-503-error-all-the-websites-affected-from-reddit-to-guardian-14736308/">Among those affected</a> were Amazon, Reddit, PayPal and Spotify, as well as the Guardian, the New York Times and the UK government website, gov.uk. Together, these websites handle hundreds of millions of users.</p>
<p>The issue was <a href="https://theconversation.com/fastly-global-internet-outage-why-did-so-many-sites-go-down-and-what-is-a-cdn-anyway-162371">quickly traced</a> to <a href="https://www.fastly.com/">Fastly</a>, a cloud computing company which offers a <a href="https://www.techopedia.com/definition/4191/content-delivery-network-cdn">content delivery network</a> to the affected websites. Designed to alleviate performance bottlenecks, a content delivery network is essentially a system of computers or servers that hold copies of data across various points of a network. When it fails, the websites it supports cannot retrieve their data and are forced offline.</p>
<p>The outage to Fastly’s content delivery network appears to have been caused by an <a href="https://www.bbc.co.uk/news/technology-57413224">internal software bug</a> that was <a href="https://www.bbc.co.uk/news/technology-57413224">triggered</a> by one of their customers. Yet even though it was resolved <a href="https://news.sky.com/story/fastly-internet-outage-is-a-cautionary-tale-about-the-fragility-of-the-web-12327846">within an hour</a>, it’s estimated to have cost Fastly’s global clientele <a href="https://www.standard.co.uk/business/internet-down-fastly-cost-to-global-economy-b939430.html">hundreds of millions of dollars</a>.</p>
<p><em><strong>Read more: <a href="https://theconversation.com/fastly-global-internet-outage-why-did-so-many-sites-go-down-and-what-is-a-cdn-anyway-162371">Fastly global internet outage: why did so many sites go down — and what is a CDN, anyway?</a></strong></em></p>
<p>This case illustrates the fragility of an internet that’s being routed through fewer and fewer channels. When one of those major channels fails, in what is called a “<a href="https://www.networkcomputing.com/networking/single-point-failure-internet?ng_gateway_return=true&full=true">single point of failure</a>”, the results are dramatic, disruptive and incredibly costly. </p>
<p>This hasn’t been lost on cybercriminals, who know that one targeted hack can bring down or breach a number of organisations simultaneously. It’s urgent we address this significant vulnerability if we’re to avoid another global internet meltdown – but this time caused by criminals, not code.</p>
<h2>Warning signs</h2>
<p>Given that it came hot on the heels of the <a href="https://www.bbc.com/news/business-57050690">ransomware attack</a> on the Colonial oil pipeline in the US, experts initially speculated that Fastly’s outage could have been <a href="https://www.telegraph.co.uk/business/0/fastly-did-cyber-attack-cause-worlds-biggest-websites-go/">caused by a cyberattack</a>.</p>
<p>It’s easy to see why. Drawing upon an analysis of over <a href="https://www.emphasis.ac.uk/">4,000 ransomware attacks</a>, my research has revealed a massive acceleration in major cyberattacks that target organisations, conducted by <a href="https://theconversation.com/ransomware-gangs-are-running-riot-paying-them-off-doesnt-help-155254">ransomware gangs</a> looking to extort cash from businesses they manage to hack.</p>
<p>These attacks are taking advantage of <a href="https://conference.cepol.europa.eu/media/cepol-online-conference-2021/submissions/DBR7WE/resources/Wall_Cybercrime_and_Covid_CEPO_Zx0nGyn.pdf">vulnerabilities</a> caused by remote working arrangements. But there’s also been a noticeable shift in attacks upon organisations like Fastly, which provide core services to other organisations and their own clientele.</p>
<figure class="align-center zoomable">
<img alt="A graph showing the increase in cyberattacks on multiple service organisations" src="https://images.theconversation.com/files/405318/original/file-20210609-14808-1o9bkwq.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip">
<figcaption><span class="caption">Cyberattacks targeting platforms similar to Fastly have risen sharply since 2019.</span> <span class="attribution"><span class="source">David S. Wall</span>, <span class="license">Author provided</span></span></figcaption>
</figure>
<p>This trend is unlikely to stop. Ransomware has become a sophisticated billion-dollar <a href="https://www.bleepingcomputer.com/news/security/ransomware-is-a-multi-billion-industry-and-it-keeps-growing/">business</a>, and attackers are supported by an increasingly <a href="https://conference.cepol.europa.eu/media/cepol-online-conference-2021/submissions/DBR7WE/resources/Wall_Cybercrime_and_Covid_CEPO_Zx0nGyn.pdf">professional ecosystem</a> that’s incentivised by the high yield generated by such attacks. <a href="https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf">A 2020 Verizon report</a> found 86% of hacks are financially motivated, while less than 10% are motivated by espionage.</p>
<p><em><strong>Read more: <a href="https://theconversation.com/ransomware-gangs-are-running-riot-paying-them-off-doesnt-help-155254">Ransomware gangs are running riot – paying them off doesn't help</a></strong></em></p>
<p>Two high-profile hacks that targeted organisations with access to thousands of other organisations have recently shown just how fragile centralised internet systems can be. The <a href="https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T">SolarWinds</a> and <a href="https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/">Microsoft Exchange Server</a> hacks, which took place in early 2020 and early 2021 respectively, breached <a href="https://www.nytimes.com/2021/03/06/technology/microsoft-hack-china.html">tens of thousands</a> of companies. Both have been attributed to state-backed hackers, rather than ransomware gangs.</p>
<p>But cybercriminals have <a href="https://www.bleepingcomputer.com/news/security/ransomware-attacks-target-msps-to-mass-infect-customers/">deliberately targeted</a> multiple service providers and critical <a href="https://www.ncsc.gov.uk/collection/supply-chain-security/supply-chain-attack-examples">supply chains</a> too in order to upscale the impact, and therefore the potential payout, of their hacks. <a href="https://www.bleepingcomputer.com/news/security/blackbaud-sued-in-23-class-action-lawsuits-after-ransomware-attack/">Blackbaud</a>, <a href="https://www.wired.com/story/accellion-breach-victims-extortion/">Accellion</a> and other key online service providers have been victim to such attacks.</p>
<h2>Centralisation of the internet</h2>
<p>All these particularly disruptive hacks are partially the result of the drive towards centralisation of online services, which may be efficient for businesses, but is counter to the founding principles of the internet.</p>
<p>The initial appeal of the internet was that it was a <a href="https://hackernoon.com/the-evolution-of-the-internet-from-decentralized-to-centralized-3e2fa65898f5">distributed network</a> designed to resist attacks and censorship. When released for public use in the early 1990s, the internet became popular for commerce as well as being regarded as a beacon of free speech. But market logic, rather than free speech, has driven developments since the early days. </p>
<p>Today, cloud computing firms and multiple service providers manage large chunks of internet traffic, causing <a href="https://www.networkcomputing.com/networking/single-point-failure-internet?ng_gateway_return=true&full=true">single points of failure</a> where internet flows can be accidentally or deliberately disrupted. Even something as simple as a typo can cause significant disruption, as was the case in 2017 when several of Amazon’s servers – which power large swathes of the internet – <a href="https://www.theverge.com/2017/3/2/14792442/amazon-s3-outage-cause-typo-internet-server">went temporarily offline</a> due to an inputting error.</p>
<p>We should take our hats off to Fastly for quickly rectifying the June 8 outage. But this case has revealed the dangers of consolidating <a href="https://www.theguardian.com/commentisfree/2021/jun/08/the-guardian-view-on-the-internet-outage-we-need-resilience-not-just-efficiency">key internet infrastructure</a>, resulting in the emergence of costly single points of failure. It’s another stern wake-up call for law enforcement and the cybersecurity community, giving renewed emphasis to the mission of the <a href="https://www.ncsc.gov.uk/blog-post/ransomware-taskforce-rtf-announce-framework-to-combat-ransomware">US and European ransomware taskforces</a>.</p>
<h2>Avoiding internet meltdowns</h2>
<p>But are taskforces enough to address this problem? What this event has really shown is how firms like Fastly are in effect privately-owned public spaces, which not only blur the lines between business and national infrastructure, but have, in effect, become “<a href="https://www.investopedia.com/terms/t/too-big-to-fail.asp">too big to fail</a>”.</p>
<p>All this suggests that the solution to this dilemma must be found beyond multi-sector taskforces, requiring full-blown political debate over what we want the internet to look like in the latter three-quarters of the 21st century. If we fail to make that decision, then others will for us.</p>
<p class="fine-print"><em><span>David S. Wall receives funding from UKRI EP/P011721/1 & EP/M020576/1</span></em></p>
<p>The centralisation of internet infrastructure leaves swathes of the online world vulnerable to sudden outages.</p>
<p>David S. Wall, Professor of Criminology, University of Leeds</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>