The Federal Office for Information Security (BSI) publishes a situation report on IT security in Germany. Ransomware appears in it more than once. Time for an update on Bitcoin’s most unpopular killer app. Does the extortionate malware threaten the legitimacy of cryptocurrencies?
Recently, the Federal Office for Information Security (BSI) published the Situation Report on IT Security in Germany 2021.
On roughly 100 pages, the report outlines the “threat situation of IT security in Germany”, with a focus on “attacks on companies, state as well as public institutions and private individuals.” The word “ransomware” appears 79 times in those 100 pages, which says something about the weight of this “blackmail software” among the threats coming from cyberspace.
Ransomware is not a new phenomenon. “Malware that restricts access to data or systems, for example by means of encryption, so that the attacker can then extort a ransom” existed before Bitcoin. But only once it became customary, around 2013, to demand payment in Bitcoin did the “ransomware business model” become THE success story of international cybercrime, and it has remained so without interruption for about eight years.
Why Bitcoin? Why did the cryptocurrency become a landmark for ransomware?
Bitcoins are not anonymous. The digital coins are highly transparent. Like a snail leaving its slime trail, every transaction leaves an abundantly clear trace on the blockchain. Experts like the former CIA general … therefore say that Bitcoin is the worst conceivable means of payment for criminals.
However, Bitcoin is very good for one thing: receiving money anonymously. Anyone can generate an address to receive funds, and for that you need no ID, no bank account, no phone number, not even an email address. Moreover, coins for which you hold the private key cannot be frozen, and incoming transactions cannot be censored. With these properties, Bitcoin spurred ransomware, which in turn became a Bitcoin “killer app” that the scene would rather not talk about.
Strictly speaking, ransomware poses a considerable threat to Bitcoin. In the US there is a tendency to classify large-scale extortion, for example against a prominent law firm, as cyberterrorism. Ransomware could become the reason, or the pretext, for regulating cryptocurrencies (even) more strictly, or possibly banning them outright.
All the stops for mafia protection rackets
The BSI report shows how the situation around ransomware has continued to develop in Germany from June 2020 to May 2021. It is excellent for getting a snapshot of this emerging “trade” – and the damage it is doing.
Some trends literally jump out. For example, the industry is being challenged by a change in thinking among victims: more and more often, victims can afford to be relaxed about an attack because they have a backup, or they follow the authorities’ recommendation not to pay protection money.
The attackers respond with two tactics. First, they no longer only encrypt the data but also steal it beforehand, so that the threat of publishing it (“double extortion”) strengthens their position. Second, they threaten DDoS attacks to push the victim into paying. The BSI gives an example: “if an online mail-order company were forced to switch to a web presence less resistant to DDoS attacks due to a ransomware attack, such a DDoS attack would make it even more difficult to cope with the ransomware attack.”
So this brings ransomware closer to multidisciplinary mafia-style protection rackets. Any means will do if it builds pressure.
The ransomware as the finale of the big game hunt
A second trend in ransomware is internal professionalisation. Other reports have already described this, such as the division of labour between software developers, distributors and money launderers.
The BSI adds the multi-stage nature of the attacks. Instead of dragging malware through the ocean of IT systems like a dragnet, attackers are increasingly orienting themselves towards “APT espionage attacks”: elaborate, complex, professional and targeted, hand-crafted so to speak, attacks on government agencies and businesses. They pick a target, then work out its vulnerabilities, sometimes over months, and then exploit them with every means at their disposal. Such attacks are suspected of being funded or promoted by the usual rogue states: China, Russia, Iran and North Korea.
In the case of ransomware this works, for example, as follows: first, the Emotet Trojan installs itself and reads the victim’s Outlook mailbox. It analyses the email traffic in order to carry out “particularly authentic-looking social engineering attacks on the victim’s contacts”, for instance by replying to existing email threads. Emotet then acts as a loader and downloads the Trickbot malware, which scans the compromised system and, where possible, the rest of the network for credentials and further targets. Only in the last step, and only if it is worthwhile, do the attackers deploy the Ryuk ransomware, which then encrypts the data.
The ransomware thus becomes the finale of a long orchestrated takeover of computer systems.
The hackers are increasingly targeting financially strong victims. The BSI calls this “big game hunting”. This trend has been around for a while and is manifested in increasingly well-known and large victims, from Swedish supermarkets to Italian energy providers.
A new public victim every week
The damage caused by ransomware is difficult to estimate, but it is becoming apparent that it must be enormous.
According to the president of the BSI, Arne Schönbohm, the IT of at least one German city administration or district authority is paralysed by ransomware every week. When things go wrong in the German administration, it can increasingly be due to ransomware.
The BSI does not disclose how much ransom German companies and institutions pay each year, if it knows that figure at all. But the ransom is only part of the damage caused by ransomware, and probably not even the biggest part.
“It usually takes an average of 23 days from the discovery of an infection until the systems are cleaned up and fully restored to working order […] This immediate impact is usually followed by follow-up costs incurred in dealing with the attack.”
On average, it therefore takes a good three weeks until the systems are fully intact again. In the case of an online shop, for example, this can be very costly. If there is also reputational damage due to the publication of data, “the damage caused by a ransomware attack can threaten the existence of an affected organisation”, explains the BSI.
But it is not only dealing with an attack that devours resources; so does preventing one. The BSI recommends extensive measures: companies should keep a backup, specifically one that is held completely offline and regularly tested to confirm it can actually be restored. Network traffic should be closely monitored to prevent data theft or at least detect it early. The attack surface, such as connections to the outside world, should be minimised; operating systems and applications should be updated regularly and promptly; and networks should be segmented internally. Employees should be trained “comprehensively and continuously”, and administrative access should be consistently restricted.
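The backup the BSI recommends is only worth anything if it is regularly tested for restorability: a backup taken after the encryption has already run, or one that silently misses files, is discovered too late if it is first opened on the day of the attack. The following Python script is an added example illustrating that check; it is not code from the BSI report or from any project the article describes. It records a manifest (size and SHA-256 per file) of a known-good file tree, later verifies a restored tree against that manifest, and reports files that are missing, changed or unexpected. The directory names, file contents and the simulated “ransomware” in `demo()` are constructed for the example.

```python
"""Offline-backup restorability check: manifest a known-good tree, then verify
a restored copy against it. Added example; file names and contents are
constructed for the demo, not taken from any real incident."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map relative path (always '/'-separated) -> (size, sha256) for every file."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


@dataclass
class RestoreReport:
    missing: list = field(default_factory=list)  # in manifest, absent from restore
    changed: list = field(default_factory=list)  # present but size/hash differ
    extra: list = field(default_factory=list)    # in restore, not in manifest

    @property
    def ok(self) -> bool:
        return not (self.missing or self.changed or self.extra)


def verify_restore(manifest: dict, restored_root: str) -> RestoreReport:
    """Compare a restored tree with the manifest taken while data was known good."""
    report = RestoreReport()
    actual = build_manifest(restored_root)
    for rel in sorted(manifest):
        if rel not in actual:
            report.missing.append(rel)
        elif actual[rel] != manifest[rel]:
            report.changed.append(rel)
    report.extra = sorted(set(actual) - set(manifest))
    return report


def demo() -> tuple:
    """Constructed scenario: one backup taken before, one after a simulated attack."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "orders"))
        with open(os.path.join(live, "orders", "2021-05.csv"), "w") as f:
            f.write("id,total\n1,19.90\n")           # constructed sample data
        with open(os.path.join(live, "customers.db"), "wb") as f:
            f.write(b"SQLite format 3\x00" + b"\x00" * 64)

        manifest = build_manifest(live)              # taken while data is known good
        good = os.path.join(work, "backup_good")
        shutil.copytree(live, good)

        # Simulated ransomware: overwrite one file in place, rename another
        # to a ".locked" extension, drop a ransom note. All constructed.
        with open(os.path.join(live, "orders", "2021-05.csv"), "wb") as f:
            f.write(os.urandom(80))
        db = os.path.join(live, "customers.db")
        os.rename(db, db + ".locked")
        with open(os.path.join(live, "README_DECRYPT.txt"), "w") as f:
            f.write("constructed ransom note\n")
        bad = os.path.join(work, "backup_bad")      # a backup job that ran too late
        shutil.copytree(live, bad)

        return verify_restore(manifest, good), verify_restore(manifest, bad)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("good backup restorable:", good_report.ok)
    print("late backup restorable:", bad_report.ok, bad_report)
```

In practice the manifest must be stored separately from the backup itself (and ideally signed), since a manifest that sits next to the data is encrypted together with it; the restore test should run on a regular schedule into an isolated environment rather than only on the day the backup is needed.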
Such measures are certainly sensible. They cannot completely prevent attacks, but they can make them much less likely. But they are expensive. They require almost constant maintenance of the IT systems, they demand the time of all employees, and they slow down processes, for example when data transfers are blocked. They throw a spanner in the works.
Seen in this light, ransomware is not only a lucrative business model in low-risk cybercrime, but also a global sabotage of the economy and the state. Whether it already has a measurable impact on global economic growth, however, is speculative.
A threat to democracy?
The BSI is increasingly concerned that ransomware and other malware are not only attacking businesses but threatening public safety. The signs are already there:
“A new threat situation occurred last year due to incidents in which cyber criminals or state actors specifically attacked companies and authorities from the health sector. Unlike at the beginning of the pandemic, the BSI observed targeted IT attacks related to COVID-19 on key areas of the health sector in the current reporting period. These include, for example, the attack on the European Medicines Agency (EMA), attacks on foreign vaccine manufacturers, a DDoS attack on the COVID-19 vaccination portal of the German state of Thuringia and a ransomware attack on a German manufacturer of COVID-19 antigen tests.”
A prominent case is the attack on a university hospital in North Rhine-Westphalia, which suffered temporary system outages due to a ransomware incident and was unable to admit new intensive care patients for 13 days. The hospital in question may have been the Düsseldorf hospital. Saarbrücken Airport was also affected; its IT systems were down for some time in the course of an attack almost a year ago.
The BSI speculates that ransomware could also threaten democracy if it hits the electoral environment. For example, “a ransomware attack against a city or county administration could cause delays in the conduct or counting of the election if, for example, email communications are unavailable due to the attack.” This could damage trust in electoral processes, become part of a rigging operation, and make it difficult or impossible to introduce electronic voting systems.