At the end of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. “It is a life-or-death situation,” the technician said at the time.
The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.
Ransomware has been around for decades, and it’s a fairly straightforward attack: Hackers distribute malware that mass-encrypts data or otherwise blocks access to a target’s systems, and then demand payment to release the digital hostages. It’s a well-known threat, but one that’s difficult to eradicate—something as simple as clicking a link or downloading a malicious attachment could give attackers the foothold they need. And even without that type of human error, large corporations and other institutions like municipal governments still struggle to devote the resources and expertise necessary to lay down basic defenses. After watching these attacks in 2020, though, incident responders say that the problem has escalated and that the ransomware forecast for next year looks pretty dire.
“I see no reason why ransomware would slow down in 2021,” says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant, which is owned by FireEye. “Everything that’s played out this year leads me to believe it’s going to just keep getting worse until something really dramatic happens. I anticipate seeing threat actors get more disruptive.”
Though some researchers say that the scale and severity of ransomware attacks crossed a bright line in 2020, others describe this year as simply the next step in a gradual and, unfortunately, predictable devolution. After years spent honing their techniques, attackers are growing bolder. They’ve begun to incorporate other types of extortion like blackmail into their arsenals, by exfiltrating an organization’s data and then threatening to release it if the victim doesn’t pay an additional fee. Most significantly, ransomware attackers have transitioned from a model in which they hit lots of individuals and accumulated many small ransom payments to one where they carefully plan attacks against a smaller group of large targets from which they can demand massive ransoms. The antivirus firm Emsisoft found that the average requested fee has increased from about $5,000 in 2018 to about $200,000 this year.
To make all of this happen, ransomware gangs have professionalized. A whole underground economy has developed to provide support services like stolen credentials or even consulting time with network access specialists. As a result, Emsisoft threat analyst Brett Callow says, it’s not so much that the quantity or pattern of attacks has changed, it’s that those attacks have become even more effective and intrusive.
“Ransomware always has peaks and troughs,” Callow says. “I really think that things haven’t changed much over the course of the year. It’s something that’s gradual over a period of time. But credit where credit is due, the ransomware groups have done a tremendous job of growing their business.”
Researchers and incident responders are wholly focused on trying to change ransomware’s threatening course. On Monday, the Institute for Security and Technology launched a Ransomware Task Force with partners like Microsoft, the Shadowserver Foundation, Citrix, and McAfee.