How Did ‘Ransomware’ Get So Bad?

This article is part of the On Tech newsletter. You can sign up here to receive it weekdays.

A woman died from treatment delays after a hospital in Germany hit by a cyberattack was forced to turn away emergency patients. Hackers released private information, including Social Security numbers, from a Las Vegas school district. A coronavirus vaccine trial was bogged down in recent weeks when researchers were locked out of their data.

This is a small sample of the toll from ransomware attacks, in which hackers break into computer networks and freeze the digital information until the targeted organization or city pays for its release. Victims have two bad choices: Give in to extortion and hope the criminals didn’t do too much damage, or refuse and risk the hackers releasing or deleting essential information. It might also cost more than the ransom to rebuild computer systems.

I spoke to Charles Carmakal, an executive with the cybersecurity response company FireEye Mandiant, about the root causes and fixes for ransomware attacks.

What are the root causes of ransomware?

According to Carmakal, criminal organizations that typically stole bank account or credit card information found a quicker payday from extorting organizations by locking up their essential data. When victims paid, it encouraged the criminals.

More organizations have bought insurance against cyberattacks, though that has been a double-edged sword. Insurance can help organizations, but it also guarantees a payout to criminals. And recently during the coronavirus pandemic, organizations are more vulnerable to ransomware because they are more dependent on digital systems, and computer security personnel working remotely may be less speedy or effective than usual.

How big is this problem?

Carmakal said his company was aware of more than 100 organizations that were dealing with ransomware attacks in September. That’s more than double the number from the same month in 2019. “We’re at a point that I feel is really unbearable,” Carmakal said.

Some U.S. officials worry that ransomware groups will try to freeze voter registration data or otherwise disrupt U.S. elections or sow uncertainty among voters.

Who is behind these attacks?

A vast majority of ransomware incidents today are committed by organized criminals who are motivated by financial gain and are often based in Russia or elsewhere in Eastern Europe, Carmakal said. A small fraction of ransomware attacks, notably ones called WannaCry and NotPetya that hit a number of global companies several years ago, are traced to foreign governments with political motivations.

What can law enforcement and the targets of attacks do?

Law enforcement agencies in the United States have stepped up efforts to identify, arrest and try the perpetrators of ransomware attacks. It’s not always easy, Carmakal said, because a good number of them operate in countries that don’t extradite people to the United States.

It’s helpful for organizations that were victimized by ransomware attacks to share what they have learned about what happened, he said, because criminals tend to follow a similar blueprint. “Nobody wants to talk about the details of their breach,” Carmakal said, “but I can tell you it helps.”

Should organizations pay or refuse?

Carmakal said organizations should weigh the benefits and risks of paying. For some organizations, including hospitals, getting computer systems working again quickly is life or death, and they may have little alternative. But victims of ransomware attacks should also assess whether criminals will restore data and keep information private even if the ransoms are paid, and whether paying will encourage more attacks. There are, Carmakal said, no great choices.

Is ransomware a fad?

Ransomware will go away, Carmakal said, only if organizations that have been hacked stopped paying the ransoms, or if law enforcement caught enough of the criminals. “I don’t know how realistic that is,” he added.

Illustration by Jeron Braxton.

Don’t pay too much attention to lawyers

(Sorry to all of the lawyers out there for that headline.) I’m talking specifically about a document prepared by Facebook’s lawyers arguing against any potential government attempt to split the company apart.

The Wall Street Journal reported that Facebook’s document said that any government attempt to force the company to ditch its Instagram and WhatsApp apps would be nearly impossible to achieve and exorbitantly expensive, and that it would discourage legitimate business deals.

Some of Facebook’s critics have said the company bought those apps in the past decade in an attempt to reduce competition. That type of activity breaks antitrust laws in the United States. I am not a lawyer, so I won’t assess the strength of Facebook’s arguments against undoing its acquisitions.

Documents like this are useful as a potential preview of Facebook’s defense if the government tries to break it up, but they can’t tell the whole story. That’s because real life is different from court life.

In court life, Uber can say that it’s not in the business of providing transportation, nor are drivers essential to what it does. This defies common sense, but there’s a semantic legal reasoning behind those arguments. Any antitrust case against Facebook will hinge on a lot of semantics, too.

But the courtroom is not the only place where decisions are made. Right now, members of Congress are thinking through whether laws need to be revised because they don’t fit our world of tech superpowers. Regulators around the globe are asking how Facebook and other digital gathering spots moderate what people say, and how they contribute to or detract from people’s relationships to one another and to their governments.

These are questions of law, yes, but they are also broad questions about what kind of world people want to live in. That’s why I tell myself not to get too fixated on legal fights. That’s not the only place where the action is.

Before we go …

• WeChat keeps them together and divides them: My colleague Nicole Hong wrote about the role of WeChat, a Chinese messaging app that the White House is trying to ban, in helping Chinese immigrants in the United States connect with friends and relatives and collaborate on shared causes. But WeChat has also been a place where people can be swayed by Chinese government propaganda or misinformed about everything from the coronavirus to a popular bakery going out of business.

• The conspiracies have come for LinkedIn: The Wall Street Journal found that believers in the false QAnon conspiracy are finding business opportunities on LinkedIn and using the professional networking site to spread misleading information. LinkedIn has responded in recent months by disabling searches for popular QAnon hashtags and kicking people off the site for breaking rules on sharing bogus information.

• He’s not the person they are trying to hate: I love articles about how people handle getting mistaken online for famous people. Mel Magazine writes about a cybersecurity worker who gets angry Facebook messages but also perks like reservations at popular restaurants because he shares a name with Bill de Blasio, the mayor of New York City who is not exactly universally loved. (A warning that the article has some salty language.)

Hugs to this

Look at these fat bears! A park in Alaska holds an annual online competition to crown the brown bear who has most successfully gained weight for winter hibernation. I am partial to bear No. 812 for his all-body chunkiness.

We want to hear from you. Tell us what you think of this newsletter and what else you’d like us to explore. You can reach us at [email protected].

If you don’t already get this newsletter in your inbox, please sign up here.