The May 7 ransomware attack on the Colonial Pipeline “is probably the most significant ransomware attack on one of our critical infrastructures ever,” said Rep. John Katko, R-N.Y. And shortly after the pipeline was hit, the U.S. faced more ransomware attacks — targeting cities, ferries and even a meat plant.
“Although ransomware has really been around since 2013, it has not yet been seriously taken in terms of something that could impact critical infrastructure,” said Vanessa Pegueros, chief trust and security officer at OneLogin.
Ransomware, a program that hackers use to hold digital information hostage, has become the top choice of malware for criminals in recent years. In 2020, the total amount of ransom paid by victims reached nearly $350 million worth of cryptocurrency, a 311% increase compared with the previous year, according to Chainalysis.
“Over the last two years, it’s well into the millions, hundreds of millions of dollars from victims that we’ve come across,” said Marc Bleicher, managing director at Arete Incident Response.
Ransomware has grown into a multibillion-dollar industry. A majority of the ransom paid is shared among a relatively small number of highly organized groups of criminals with names such as Evil Corp. or DarkSide. According to Chainalysis, 199 deposit addresses received 80% of all ransoms paid in 2020, while an even smaller group, 25 addresses, accounted for nearly half.
These groups have become increasingly bold, showing off bundles of cash and fancy sports cars. That’s because tracking, arresting and bringing these hackers to justice is often incredibly difficult.
“A lot of these organizations are allowed to essentially operate freely within Russia or other former Soviet states as long as they don’t hit anybody within that country,” Bleicher said. “So unless there’s a cooperation at the political level there, I don’t see this going away anytime soon.”
The Colonial Pipeline incident sent shockwaves across the oil industry and the U.S. government, alerting them to the severity of cybersecurity concerns.
President Joe Biden signed an executive order to strengthen U.S. cybersecurity defenses, while House lawmakers in May rolled out a bill to invest $500 million in state and local cybersecurity.
But there remains a lot more work to be done, especially when it comes to critical infrastructure. Roughly 85% of America’s critical infrastructure is privately owned, and the private sector is not required to follow the strict cybersecurity guidelines set by the government.
“We’ve got electric grids in this country, we have water systems, we have pipelines. We have a lot of critical infrastructure that is really open to some of these ransomware attacks and cyberattacks,” said Katko. “And we need to do a much better job than that.”
When it comes to the future of ransomware attacks, experts agree: It is far from over.
“The amount of impact it’s going to continue to have will grow, and I think the amount of money to be made will continue to grow,” Pegueros said. “I don’t know where that will peak out, and I don’t know if it’s just going to morph into something even more dangerous and scary. It’s hard to say. But I don’t think we’re at the peak yet.”
— CNBC’s Eamon Javers contributed to this report.