Medibank Private halts trading when hackers contact to negotiate regarding possibly stolen data
October 19, 2022
Medibank Private’s woes continue. The ABC reports, in Health insurer Medibank Private halts trading after receiving message from company claiming to be behind cyber attack, that the company was contacted by a group wanting to negotiate the return of stolen data. Nothing has been verified, or at least publicly identified, but Medibank Private notified the ASX to put a halt to trading in its shares. The Australian Financial Review, in Medibank ransom demand targets politicians, actors, LGBT activists, claims that the hackers were demanding a ransom to prevent the release of health and credit card information. The Sydney Morning Herald, in Medibank hackers threaten to release stolen health data in ransom demand, claims to have seen the ransom note.
Dealing with hackers who plant ransomware, or who simply exfiltrate data and then ransom it back to an organisation that is usually very keen to avoid further humiliation and cost, has become a niche industry. Just as hackers have developed sophisticated processes for payment and negotiation, there are people who have expertise in negotiating with those hackers and sometimes outwitting them. There is an excellent article in the 31 May 2021 issue of the New Yorker titled How to Negotiate with Ransomware Hackers which gives a little insight into this murky world. The Australian also ran a similar, but lesser, story: ‘They demanded $1m in 72 hours’: your money or your data. The official government advice is not to pay ransoms. The reality is much more nuanced. Payments are made. And hackers often abide by their side of an agreement. But not always. And then there are the middling results where the hackers provide decryption keys but, upon unlocking the ransomed data, some or much of it turns out to be corrupted. Sometimes the hackers only return some of the data, sometimes intentionally and sometimes by accident. Being a crook does not mean being a good administrator.
The answer is always to maintain proper cyber security. That doesn’t just mean having up-to-date programs. It means making sure the human element is covered. Staff need to be trained, and there need to be systems in place to prevent lax security from occurring.
The ABC article provides:
Health insurer Medibank Private has confirmed they have received messages from a group wishing to negotiate with the company regarding their alleged removal of customer data.
The update comes less than a week after the company was hit by a cyber attack.
Medibank says they are working urgently to establish if the claim is true, but are treating the matter seriously.
As a result of this, the health insurer has halted trading on the share market until further notice.
Medibank CEO David Koczkar has apologised to customers and said he understood the latest update was distressing.
“We have always said that we will prioritise responding to this matter as transparently as possible,” Mr Koczkar said.
“Our team has been working around the clock since we first discovered the unusual activity on our systems, and we will not stop doing that now.
“We will continue to take decisive action to protect Medibank customers, our people and other stakeholders.”
‘Unusual activity’ detected
Medibank first reported “unusual activity” had been detected on its network on October 12.
However, the company said there was no evidence sensitive data, including customer information, had been accessed.
The nature of the business means Medibank holds a range of personal information of customers.
In a statement, the company said their systems had not been encrypted by ransomware, which meant usual activities for customers could continue.
“Our ongoing response to safeguard our networks and systems may cause necessary temporary disruptions to our services,” the statement said.
“Investigations are ongoing and Medibank will continue to provide regular updates.”
Medibank Private is working with specialised cybersecurity firms and has advised the Australian Cyber Security Centre.
It is the latest cyber attack after the Optus breach last month, which affected millions of customers.
The New Yorker article provides:
A few days after Thanksgiving last year, Kurtis Minder got a message from a man whose small construction-engineering firm in upstate New York had been hacked. Minder and his security company, GroupSense, got calls and e-mails like this all the time now, many of them tinged with panic. An employee at a brewery, or a printshop, or a Web-design company would show up for work one morning and find all the computer files locked and a ransom note demanding a cryptocurrency payment to release them.
Some of the notes were aggressive (“Don’t take us for fools, we know more about you than you know about yourself”), others insouciant (“Oops, your important files are encrypted”) or faux apologetic (“WE ARE REGRET BUT ALL YOUR FILES WAS ENCRYPTED”). Some messages couched their extortion as a legitimate business transaction, as if the hackers had performed a helpful security audit: “Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company.”
The notes typically included a link to a site on the dark Web, the part of the Internet that requires special software for access, where people go to do clandestine things. When victims went to the site, a clock popped up, marking the handful of days they had to fulfill the ransom demand. The clock began to tick down ominously, like a timer connected to a bomb in an action movie. A chat box enabled a conversation with the hackers.
In the past year, a surge of ransomware attacks has made a disruptive period even more difficult. In December, the acting head of the federal Cybersecurity and Infrastructure Security Agency said that ransomware was “quickly becoming a national emergency.” Hackers hit vaccine manufacturers and research labs. Hospitals lost access to chemotherapy protocols; school districts cancelled classes. Companies scrambling to accommodate a fully remote workforce found themselves newly vulnerable to hackers. In May, an attack by the ransomware group DarkSide forced the shutdown of Colonial Pipeline’s network, which supplies fuel to much of the East Coast. The shutdown, which pushed up gas prices and led to a spate of panic-buying, put a spotlight on ransomware’s potential to disable critical infrastructure. A week after the attack, once Colonial paid a ransom of $4.4 million to get its systems back online, eighty per cent of gas stations in Washington, D.C., still had no fuel.
The F.B.I. advises victims to avoid negotiating with hackers, arguing that paying ransoms incentivizes criminal behavior. This puts victims in a tricky position. “To just tell a hospital that they can’t pay—I’m just incredulous at the notion,” Philip Reiner, the C.E.O. of the nonprofit Institute for Security and Technology, told me. “What do you expect them to do, just shut down and let people die?” Organizations that don’t pay ransoms can spend months rebuilding their systems; if customer data are stolen and leaked as part of an attack, they may be fined by regulators. In 2018, the city of Atlanta declined to pay a ransom of approximately fifty thousand dollars. Instead, in an effort to recover from the attack, it spent more than two million dollars on crisis P.R., digital forensics, and consulting. For every ransomware case that makes the news, there are many more small and medium-sized companies that prefer to keep breaches under wraps, and more than half of them pay their hackers, according to data from the cybersecurity firm Kaspersky.
For the past year, Minder, who is forty-four years old, has been managing the fraught discussions between companies and hackers as a ransomware negotiator, a role that didn’t exist only a few years ago. The half-dozen ransomware-negotiation specialists, and the insurance companies they regularly partner with, help people navigate the world of cyber extortion. But they’ve also been accused of abetting crime by facilitating payments to hackers. Still, with ransomware on the rise, they have no lack of clients. Minder, who is mild and unpretentious, and whose conversation is punctuated by self-deprecating laughter, has become an accidental expert. “While I’ve been talking to you, I’ve already gotten two calls,” he told me when we video-chatted in March.
The man who reached out to him in November explained that the attack, the work of a hacking syndicate known as REvil, had rendered the company’s contracts and architectural plans inaccessible; every day the files remained locked was another day the staff couldn’t work. “They didn’t even have an I.T. person on staff,” Minder said. The company had no cyber-insurance policy. The man explained that he had been in touch with a company in Florida that had promised to decrypt the files, but it had stopped replying to his e-mails. He wanted Minder to negotiate with the hackers to get the decryption key. “The people who reach out to me are upset,” Minder told me. “They’re very, very upset.”
As a child, Minder visited his father at the mill where he worked, in central Illinois, and watched him hoist fifty-pound sacks of flour. His mother, who worked for the state, sat in an air-conditioned office with a cup of coffee. He didn’t quite understand what her job was, other than that it seemed to involve a lot of typing. “I was, like, whatever that typing job is, that’s what I want,” Minder told me.
After college, in the early nineties, he got a tech-support job at a local Internet-service provider. Within a year, he was promoted to assistant systems administrator, a job that entailed keeping tabs on the server logs. He began to notice a strange pattern, which he eventually realized was evidence of hackers. “They would use our routers as what we would now call a pivot point—bouncing off them to attack someone else, so the attack looked like it was coming from us,” he said. The attackers were typically hobbyists who were more interested in showing off their skills than in wreaking real havoc; Minder found the cat-and-mouse energy of outsmarting them deeply satisfying.
By that time, hackers had proved that they could inflict serious damage. In 1989, twenty thousand public-health researchers around the world received a floppy disk purporting to contain an informational program about AIDS. But the disk also included a malicious program that is now considered the first instance of ransomware. After users rebooted their computers ninety times, a text box appeared on the screen, informing them that their files were locked. Then their printers spat out a ransom note instructing them to mail a hundred and eighty-nine dollars to a post-office box in Panama. The malware, which came to be known as the AIDS Trojan, was created by Joseph Popp, a Harvard-trained evolutionary biologist. Popp, whose behavior grew increasingly erratic after his arrest, was declared unfit to stand trial; he later founded a butterfly sanctuary in upstate New York.
Popp’s strategy—encrypting files with a private key and demanding a fee to unlock them—is frequently used by ransomware groups today. But hackers initially preferred an approach known as scareware, in which they infected a computer with a virus that manifested as multiplying pop-ups with ominous messages: “SECURITY WARNING! Your Privacy and Security are in DANGER.” The pop-ups told users to buy a certain antivirus software to protect their systems. Hackers posing as software companies could then receive credit-card payments, which were unavailable to those deploying ransomware. In the early two-thousands, ransomware hackers typically demanded a few hundred dollars, in the form of gift cards or prepaid debit cards, and getting hold of the money required middlemen, who siphoned off much of the profits.
The calculus changed with the launch of Bitcoin, in 2009. Now that people could receive digital payments without revealing their identity, ransomware became more lucrative. When Minder founded GroupSense, in Arlington, Virginia, in 2014, the cybersecurity threat on everyone’s mind was data breaches—the theft of consumer data, like bank-account information or Social Security numbers. Minder hired analysts who spoke Russian and Ukrainian and Urdu. Posing as cybercriminals, they lurked on dark-Web marketplaces, seeing who was selling information stolen from corporate networks. But, as upgrades to security systems made data breaches more challenging, cybercriminals increasingly turned to ransomware. By 2015, the F.B.I. estimated that the U.S. was subjected to a thousand ransomware attacks per day; the next year, that number quadrupled. Mike Phillips, the head of claims for the cyber-insurance company Resilience, told me, “Now it’s ransomware first and only, and everything else is a distant second.”
Criminal syndicates are behind most ransomware attacks. In their online interactions, they display a mixture of adolescent posturing and professionalism: they have a fondness for video-game references and the word “evil,” but they also employ an increasingly sophisticated business structure. The larger groups establish call centers to help talk victims through the confusing process of obtaining cryptocurrency, and they promise discounts to those who pay up in a timely fashion. Some ransomware groups, including REvil, work on the affiliate model, providing hackers with the tools to deploy attacks in exchange for a share of the profits. (REvil also handles ransom negotiations on behalf of its affiliates.) “It’s way too easy to get into this,” Reiner, of the I.S.T., told me. “You or I could do it—you just hire it out. There’s been an incredible commoditization of the entire process.”
Hackers use various techniques to gain access to a company’s computers, from embedding malware in an e-mail attachment to using stolen passwords to log in to the remote desktops that workers use to connect to company networks. Many of the syndicates are based in Russia or former Soviet republics; sometimes their malware includes code that stops an attack on a computer if its language is set to Russian, Belarusian, or Ukrainian. Some of the syndicates employ current or former members of the military, but they seem to care more about money than about geopolitical machinations. “We are apolitical,” a man claiming to be an REvil representative said in an interview with a Russian YouTuber. “No politics at all. We don’t care who’s going to be President. We worked, we work, and we will work.”
Phillips told me, “Paying a ransom, you worry about it being venture capital for this dark-Web Silicon Valley on the other side of the world.” Ransomware groups, like their Silicon Valley counterparts, move fast and break things. In May, 2017, the WannaCry attack infected three hundred thousand computers through old and unpatched versions of Microsoft Windows. In the United Kingdom, ambulances had to be diverted from affected hospitals, and a Renault factory stopped production. Just three years after that attack, though, the REvil representative called this scattershot approach “a very stupid experiment.” The WannaCry hackers had demanded ransoms of only three hundred to six hundred dollars, netting around a hundred and forty thousand dollars.
After WannaCry, ransomware groups concentrated on sectors where a combination of lax security and a low tolerance for disruption makes getting paid more likely and more lucrative—industrial agriculture, mid-level manufacturing, oil-field services, municipal governments. Groups timed disruption for periods of acute vulnerability: schools in August, right before students returned; accounting firms during tax season. Certain syndicates specialize in “big-game hunting,” launching targeted attacks against deep-pocketed companies. The group deploying the Hades ransomware strain focusses on businesses with reported revenues of more than a billion dollars. Another designs custom malware for each job. In 2019, during a Webinar hosted by Europol, the European law-enforcement agency, a security expert mentioned that the cryptocurrency Monero was essentially untraceable; soon afterward, REvil began asking for ransom payments in Monero instead of Bitcoin.
When companies seem reluctant to negotiate, executives receive threatening phone calls and LinkedIn messages. Last year, the Campari Group issued a press release downplaying a recent ransomware attack. In response, hackers launched a Facebook ad campaign, using the profile of a Chicago d.j., whom they had also hacked, to shame the beverage conglomerate. “This is ridiculous and looks like a big fat lie,” they wrote. “We can confirm that confidential data was stolen and we talking about huge volume of data.” Last year, printers at a South American home-goods chain began spitting out ransom notes instead of receipts.
More recently, syndicates have added extortion to their playbook. They siphon off confidential files before encrypting systems; if their ransom demand isn’t met, they threaten to release sensitive data to the media or auction it off on the black market. Hackers have threatened to publish an executive’s porn stash and to share information about non-paying victims with short sellers. “I’ve seen social-work organizations where ransomware actors threatened to expose information about vulnerable children,” Phillips said.
Before ransomware took over Minder’s life, he had settled into a routine. He walked to work, where he was usually the first to arrive and the last to leave. On the way home, he stopped at a coffee shop for a glass of wine and a salad. Back at his apartment, where he lived alone, he would work at his desk until he fell asleep. His major social outlet was the local motorcycle club, the BMW Bikers of Metropolitan Washington.
Early last year, GroupSense found evidence that a hacker had broken into a large company. Minder reached out to warn it, but a server had already been compromised. The hacker sent a ransom note to the company, threatening to release its files. The company asked Minder if he would handle the ransom negotiations. Initially, he demurred—“It never occurred to me as a skill set I had,” he said—but eventually he was persuaded.
To buy time, Minder suggested that the company acknowledge receipt of the ransom note. He began studying up on negotiation tips, watching MasterClass tutorials and reading books by former hostage negotiators. He learned that he should avoid making counteroffers in round numbers, which can seem arbitrary, and that he shouldn’t make concessions without providing a justification. During the next few weeks, as the conversation with the hacker unspooled, Minder discovered that he had a knack for negotiation. He did his best to engage the hacker, who appeared to be unaffiliated with any of the major ransomware syndicates. When the hacker complained about how much time and effort he’d invested in breaking into the company, Minder complimented him on his skills: “I told him, ‘You’re a very talented hacker, and we’d like to pay you for that. But we can’t pay what you’re asking.’ ”
The negotiation became all-consuming. On a motorcycle camping trip with his girlfriend, Minder huddled by the campfire with his laptop, using a 3G hot spot to keep talking. Eventually, the hacker agreed to a price that the company’s insurer found acceptable. “ ‘I think I could get him even lower if you gave me a little bit more time,’ ” Minder recalls saying. “But the cyber-insurance company said, ‘This is good enough.’ ”
Minder soon found more work. Sometimes it was a prominent company facing a multimillion-dollar ransom demand, and the negotiation took weeks. Sometimes it was a small business or a nonprofit that he took on pro bono and tried to wrap up over the weekend. But GroupSense rarely made money from the negotiations. Some ransomware negotiators charge a percentage of the amount that the ransom gets discounted. “But those really profitable approaches are ripe for fraud, or for accusations of fraud,” Minder said. Instead, he charged an hourly rate and hoped that some of the organizations that he helped would sign up for GroupSense’s core product, security-monitoring software.
Last March, after GroupSense’s office shut down, Minder paced in circles in his four-hundred-and-seventy-five-square-foot apartment. “I was, like, I need to go hike,” he said. He towed two motorcycles to a rental house in Grand Junction, Colorado. As the world fell apart, the ransomware cases kept coming. Minder handled the negotiations himself; he didn’t want to distract his employees, and he found that the work required a certain emotional finesse. “Most of our employees are really technical, and this isn’t a technical skill—it’s a soft skill,” he told me. “It’s hard to train people for it.”
The initial exchange of messages was crucial. People advocating on their own behalf had a tendency to berate the hackers, but that just riled them up. Minder aimed to convey a kind of warm condescension—“Like, we’re friends, but you don’t really know what you’re doing,” he explained. His girlfriend, who speaks Romanian, Russian, Ukrainian, and some Lithuanian, helped him find colloquialisms that would set the right tone. He liked to call the hackers kuznechik, Russian for “grasshopper.”
Occasionally, Minder was called in to try to rescue negotiations that had gone off the rails. If hackers felt that a negotiation was moving too slowly, or they sensed that they were being lied to, they might cut off communication. Following the advice of Chris Voss, a former F.B.I. hostage negotiator who is now a negotiation consultant, Minder tried to establish “tactical empathy” by mirroring the hacker’s language patterns.
Most of the time, Minder found himself dealing with a representative from one of the syndicates. “The first person you talk to is, like, level-one support,” he told me. “They’ll say something like ‘I want to work with you, but I have to get my manager’s approval to give that kind of discount.’ ”
GroupSense partnered with CipherTrace, a blockchain-analysis firm, which allowed Minder to see that a particular cryptowallet had been created and to trace its transactions. Determining the average payments flowing into a wallet gave him a sense of the going rate, so he could avoid overpaying. He came to understand that syndicates were working from a script. “Oftentimes, we can go to the client and say how it’s going to go before it starts,” he told me.
The clients themselves could be more challenging. Minder ran all communications by them, through a secure portal. Some wanted to edit every message to the hackers. “It’s like a spy game to them,” Minder said. Others erupted in anger or frustration. “Sometimes you’re negotiating in two directions at once—with the hacker and with the victim,” he said. “You have to have a personality type where you can be empathetic but also give directions in a way that isn’t confrontational.”
Minder has already seen pressure tactics and ransom demands escalate. In 2018, the average payment was about seven thousand dollars, according to the ransomware-recovery specialist Coveware. In 2019, it grew to forty-one thousand dollars. That year, a large ransomware syndicate announced that it was dissolving, after raking in two billion dollars in ransom payments in less than two years. “We are a living proof that you can do evil and get off scot-free,” the syndicate wrote in a farewell message. By 2020, the average ransom payment was more than two hundred thousand dollars, and some cyber-insurance companies began to exit the market. “I don’t think the insurers really understood the risk they were taking on,” Reiner told me. “The numbers in 2020 were really bad, but, at the end of 2020, everyone looked around and said, 2021 is going to be even worse.”
In 1971, a British manager at an Argentine meatpacking plant was seized by a guerrilla group. Several weeks later, after his employer paid a two-hundred-and-fifty-thousand-dollar ransom, he was freed. The following year, an electronics company paid twice as much to retrieve a kidnapped executive. In 1973, businessmen in Central America kept getting abducted, and their ransoms rose at an alarming rate: Coca-Cola paid a million dollars; Kodak paid $1.5 million; British American Tobacco paid $1.7 million; Firestone paid three million. One C.E.O. fetched $2.3 million; by the time he was kidnapped again, two years later, the price had risen to ten million. Then Juan and Jorge Born, heirs to a multinational food-processing conglomerate, were captured in a scheme involving fake street signs and operatives dressed as telephone workers and police officers. They were eventually ransomed for sixty million dollars, plus a million dollars’ worth of clothing and food to be distributed to the poor. Taking on the risk of kidnapping was “part of what it means to be an executive,” Gustavo Curtis, an American manager working in Colombia, was told by his employer shortly before his abduction, in 1976.
For much of human history, kidnapping had been largely a local affair, governed by a certain amount of ritual and reciprocity. Globalization, political destabilization, and rising inequality upended those norms. In Italy, criminal gangs abducted wealthy foreigners and farmers’ children; one year, eighty people were held for ransom. John Paul Getty refused to pay more in ransom for his kidnapped grandson than he could deduct on his taxes—reportedly three million dollars.
Kidnap-and-ransom insurance, a field that arose after the Lindbergh baby’s abduction and murder, in 1932, surged. In 1970, the size of the market was around a hundred and fifty thousand dollars; by 1976, it was seventy million dollars. The majority of policies were underwritten by Lloyd’s of London, the world’s main market for specialist insurance. Soon, there were risk analysts, who advised policyholders on how to prevent kidnappings; private security firms that offered on-the-ground protection; and specialist negotiators, who took over if things went south.
Control Risks was founded in 1975, by former members of the British Special Forces, to help the insurance industry deal with its kidnapping problem. Its executives performed their work with a patrician discretion. When, in 1977, two of its founding members were arrested in Colombia—no one was quite sure whether the nascent negotiation industry was legal—they spent their ten-week detention writing a code of conduct for their company. (The members were later exonerated.)
Around three-quarters of Fortune 500 companies eventually invested in kidnap-and-ransom insurance, but there was some discomfort with an industry that turned a profit by funnelling money to the Mafia, terrorist groups, and criminal gangs. “There is a feeling you shouldn’t make too much money,” a Control Risks co-founder told the Times, in 1979. Italy, Colombia, and the United Kingdom have all banned kidnap-and-ransom insurance.
But Anja Shortland, a professor of political economy at King’s College London, told me that privatized kidnap intermediaries were key in instituting what she calls “ransom discipline.” Control Risks didn’t merely negotiate ransoms; it also provided security audits, advising companies on how to keep staff from being abducted in the first place. Insurers offered reduced premiums to companies that beefed up their security, reducing over-all rates of kidnapping. When abductions did happen, skilled negotiators kept ransom demands from spiralling out of control. These days, some ninety per cent of kidnappings are resolved, typically through the payment of a ransom; when specialists are involved, the success rate rises to ninety-seven per cent. Countries that banned kidnap insurance drove negotiations underground.
Shortland specializes in the economics of crime. “A lot of economics is: let’s assume away all the complexities so we can come up with a tractable problem,” she told me. “And I’m just embracing the complexities.” To better understand the kidnap-for-ransom industry, she closely studied the piracy-and-kidnapping market in Somalia, where she saw how private insurers, consultants, and negotiators fostered a certain predictability in a trade that’s typically portrayed as unruly. “There is a pace, a rhythm to these things,” as one negotiator told her.
The orderliness, which relies on a mutual assumption of good faith, benefits all sides, Shortland told me. Kidnappers receive an expected rate of return; the kidnapped can reasonably expect that they’ll be released intact; companies in dangerous areas can assume that their staff won’t be abducted, but, if they are, they almost certainly won’t be killed. And the insurance companies and consultants can collect their fees.
Ransomware has less “kinetic impact” than kidnapping, Bill Siegel, the co-founder of Coveware, told me—that is, no one is sending severed ears in the mail. But, to an economist, the differences are small. “They are creating very similar kinds of institutions to the ones that the kidnap-and-ransom community has created,” Shortland said. “But they’re about eighty years behind.”
When it became clear that ransomware cases weren’t slowing down, Minder trained two of his employees to handle negotiations; one of them was Mike Fowler, a former narcotics detective from North Carolina. Working undercover had taught Fowler how to slip into character, which, he told me, “is part and parcel of being an effective negotiator.”
Last November, Fowler was the designated negotiator for the construction-engineering firm. When he logged on to the dark-Web site, he noticed that the timer showed that three days had already elapsed in the negotiations. In the chat box, a conversation was in progress. “It was shocking for me,” Fowler said. “This is a whole negotiation—poorly done, but a whole negotiation—that I’m looking at.”
Whoever had been chatting on behalf of the engineering firm was confrontational and aggressive. When the hackers demanded two hundred thousand dollars to unlock the company’s files, the negotiator initially counteroffered ten thousand dollars, and then quickly went up to fourteen thousand, then twenty-five thousand. “What that communicates to the threat actor is: there’s more money here,” Fowler said. The hackers grew frustrated. “You have reported an annual income of $4 million,” they wrote. “We are not expect small money from you.” The final message in the chat had arrived from the hackers two days earlier: “Are you ready to close with a cost of 65k?”
Fowler and Minder tried to piece together what had happened. The clients insisted that they had never gone to the dark-Web site, much less interacted with the hacker. Then Fowler reminded Minder about a recent post on REvil’s blog, warning about fraudulent middlemen who said that they could decrypt files; instead, the middlemen would secretly negotiate with the hackers before offering the decrypted files at a markup. At the time, it had amused Minder that a cybercrime syndicate was issuing a warning about scammers. But now the clients acknowledged that they had reached out to MonsterCloud, a Florida company that advertises itself as “the world’s leading experts in Cyber Terrorism & Ransomware Recovery.” MonsterCloud’s Web site encouraged victims to use its ransomware-removal services instead of paying a ransom. That pitch likely appealed to the heads of the engineering firm, who were “very, very patriotic,” Minder told me. “It didn’t surprise me at all that they’d rather pay a software company in Florida” than send a ransom to a foreign criminal syndicate.
Minder soon learned that, shortly after the REvil hacker demanded sixty-five thousand dollars, a MonsterCloud representative told the engineering firm that it could recover the files for a hundred and forty-five thousand dollars. (MonsterCloud declined to comment.)
According to an investigation by ProPublica, MonsterCloud has a long track record of secretly negotiating with hackers. ProPublica spoke with a number of former clients who believed that their files had been decrypted without their paying a ransom, even though the ransomware strains in question made this outcome highly unlikely; most are impossible to decrypt unless there is an error in the code. MonsterCloud is one of a handful of U.S.-based data-recovery companies that appear to follow a similar business model. By purporting to decrypt files using high-tech tools, these firms allow their clients to believe that ransomware can be addressed without sending funds to criminal syndicates—a strategy that’s particularly appealing to MonsterCloud’s publicly funded clients, such as municipalities or law-enforcement departments. Ransomware groups recognize that data-recovery firms can be lucrative partners; one offers a promo code especially for such firms. MonsterCloud declined to discuss its methods with ProPublica. “We work in the shadows,” Zohar Pinhasi, the company’s C.E.O., told the publication. “How we do it, it’s our problem. You will get your data back. Sit back, relax and enjoy the ride.”
When Minder explained the situation to his client, the man let loose a string of expletives. Because the negotiation had already been bungled, there was little chance that Minder could get the hackers to agree to a lower price. The client asked Minder to tell the hackers to go fuck themselves, but Minder says he “respectfully declined.” Instead, the company attempted to rebuild files from backups and old e-mails. Minder encouraged the client to investigate how the breach happened, but the company seemed uninterested. “They said their I.T. guy has theories,” he told me.
Minder reported MonsterCloud to the Federal Trade Commission, but the incident continued to gnaw at him. “If you Google ‘save me from ransomware’ or ‘ransomware response,’ you’re getting these companies that are basically profiteering or fraudulently misrepresenting themselves,” he said. “I’m just nauseous about it.”
Last October, the Treasury Department’s Office of Foreign Assets Control issued an advisory aimed at negotiators, cyber-insurance firms, and incident-response teams, warning that they may be fined for facilitating payments to criminals.
“They did this poorly,” Mike Convertino, the former chief information-security officer for Twitter, told me. “Maybe they got frustrated, but I view it as somewhat irresponsible. Let’s face it—if you’re a two-billion-dollar company and you’re encrypted and you don’t have good backups, they just took away your only option. So you just destroyed a two-billion-dollar company.” (The advisory seemed to have an effect: the number of ransomware victims who paid ransoms declined in the last quarter of 2020.)
In response, Convertino’s current employer, the cyber-insurance firm Resilience, participated in a Ransomware Task Force, which included representatives from major cybersecurity vendors and incident-response firms, as well as from the F.B.I. and the Department of Homeland Security, under the umbrella of the Institute for Security and Technology. “Make no mistake, our recommendations aren’t about eliminating ransomware as a threat,” John Davis, a vice-president at the cybersecurity firm Palo Alto Networks, said at an online event; rather, the goal is to bring it to a level “that can be more effectively managed.” Those recommendations included requiring ransom payments to be reported to authorities and creating a fund to support victims who refrain from paying ransoms. In April, the Justice Department announced that it was forming its own ransomware task force to coördinate among the private sector, other federal agencies, and international partners.
Meanwhile, the ransomware syndicates have been working to shore up their images. DarkSide, the group responsible for hacking Colonial Pipeline’s system, had vowed that it would not attack schools, hospitals, funeral homes, or nonprofit organizations; it would target only large corporations. In October, DarkSide issued a press release announcing that it had just donated ten thousand dollars in cryptocurrency to two charities. “No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the syndicate wrote. But disabling critical infrastructure brought another level of attention, as well as the threat of a significant law-enforcement response. DarkSide apologized for causing disruption and, sounding like a chastened tech company, promised to invest more in moderation, “to avoid social consequences in the future.” A few days later, the syndicate announced that its servers had been shut down and its Bitcoin wallet emptied, potentially an indication of law-enforcement actions. Seemingly spooked by the negative publicity, REvil announced that it would no longer attack targets in the government, health-care, and education sectors.
Shortland saw this kind of brand-burnishing as a good thing. “If this was a complete fly-by-night scenario, then I might despair,” she told me. “But people who do this want to do it again.” The hackers cared about their reputations, which was a sign that the market was governable. That didn’t mean ransomware would go away—at least, if the example of criminal kidnapping was any indication. “There is a certain amount of kidnap that works for everyone,” she said.
Irena Hyde was kicking back at a Melbourne Cup day picnic lunch alongside Melbourne’s Gardiners Creek last year, pondering which horse to back, when her phone rang. Hyde never did get time to place her bet or even watch the race that stops the nation. Her race day was stopped dead by the chilling news delivered on the other end of the phone.
The Melbourne office of accounting and consulting firm Nexia Australia, where she was the acting chief operating officer, had been struck by a mystery cyber attack. The attackers had penetrated the company’s computers and would soon post a message on the dark web claiming that “all servers and working computers of the company are hacked and encrypted”.
“Our IT people said, ‘We have a situation here, it looks like a cyber attack is unfolding’,” says Hyde. “It took us a while to work out what was happening. We had to scramble very quickly and put together a crisis management team. I was on the phone the rest of the day; I even missed the Cup.”
The mysterious attackers, using the REvil “ransomware” – a type of malicious software – operated by a criminal outfit in Russia, soon posted pictures of what appeared to be numerous confidential files from Nexia, along with demands that a $1 million ransom be paid within three days. But Hyde was puzzled: although the company’s system had clearly been penetrated, there was no evidence the attackers had stolen any files; they had simply posted a screenshot of empty Nexia file folders. “The cyber attackers didn’t take any data, they took a screenshot of folders from our server and then put that onto their website [on the dark web] saying ‘Ha, ha we’ve got this data’.”
Confident there had been no security breach, the company ignored the 72-hour deadline and never paid the ransom. They did not even try to contact the hackers. And that, they hoped, was the end of it. But then, several days later, an IT news website saw the Nexia files screenshot on the dark web and published a story wrongly claiming that the company’s data had been taken. Now Nexia had to reassure its clients that their confidential information had not been stolen or compromised. “It became a public-relations nightmare,” says Hyde. “They hadn’t taken the data, yet these criminals on the dark web were maintaining that they had taken it.” Suddenly she was getting panicky calls from other affiliated companies in the $5.9 billion Nexia International group asking: what the hell has happened? “All stakeholders needed assurance – clients, staff, the authorities and other Nexia offices,” she says.
Hyde and her fellow managers say it took “weeks and weeks” to sort out the mess and reassure both clients and the authorities – from the Australian Securities and Investments Commission to the Australian Federal Police to the office of the Privacy Commissioner – that its computer systems were restored, extra cyber security had been put in place and nothing had been stolen.
This particular attack wasn’t successful, but Nexia was one of an ever-expanding list of Australian companies and organisations being targeted by the fastest-growing and most lucrative form of cyber crime in the world: shadowy gangs using ransomware to encrypt or steal data and releasing it only when a ransom is paid. This type of crime has lurked in the shadows for years, only to burst into global prominence this year through a raft of brazen attacks. Previously hackers would target individuals, reaping only modest returns; now they’re hitting major organisations and reaping millions in ransom payments.
In May, a ransomware attack on a major US oil pipeline network, Colonial Pipeline, which carries gasoline from Texas to eastern US states, caused fuel shortages and triggered panic buying, leading to long queues and empty bowsers in what was the largest ever cyber attack on US oil supplies. That same month, an attack on the world’s largest meat processing company, JBS, forced it to temporarily shut down operations in the US as well as at the company’s 47 sites in Australia, where thousands of workers were temporarily stood aside. The company reportedly shelled out $US11 million in ransom to prevent any further disruption. Ransomware attackers are now choosing unusual targets, such as New York entertainment law firm Grubman Shire Meiselas & Sacks; hackers last year claimed to have stolen private files from the firm that manages celebrities including Lady Gaga, Madonna, Bruce Springsteen, Elton John and Robert DeNiro. The firm reportedly refused to pay the ransom despite threats by the criminals to release confidential data on Madonna and its other celebrity clients.
In Australia, more than 459 entities were hit in the 12 months to April. These include health provider UnitingCare Queensland in a major attack that briefly cut access to patients’ medical records. Other Australian victims include a law firm, a liquor co-operative, an online clothing retailer, a chemical packing firm and an organisation of mental health carers. Hackers will typically leave a message like this one, recently received by an Australian firm: “Hope you are smart guys and contact us, otherwise your financial, personal information about clients and other important private documents will be published.”
The prospect of having the private details of clients, customers and staff displayed on the internet is terrifying for any company or organisation. In March, a ransomware attack on Nine Entertainment saw its TV programming and print production thrown into chaos with staff locked out of emails, internet access and print production systems. Other Australian entities to be targeted by ransomware criminals include the NSW Labor Party, the NSW State Transit Authority and beverage giant Lion, which manages beer brands including Little Creatures, XXXX and Tooheys.
Rachel Noble, head of the Australian Signals Directorate, the government organisation charged with fighting ransomware, says there has been a 60 per cent jump in ransomware attacks in Australia in the past year. These strikes are estimated to have cost our economy $1.4 billion in 2020, including both the ransom payments and the downtime of networks, according to security firm Emsisoft.
In the US, ransomware attacks are now striking targets every eight minutes, hitting everything from police departments to NBA basketball and minor league baseball teams, ferry services, TV networks and a raft of main-street companies and critical infrastructure providers. “From an e-crime perspective, ransomware is by far the biggest issue that organisations around the world are dealing with at the moment,” says Mike Sentonas, chief technology officer for global cyber security firm CrowdStrike. “It is all big-game hunting now, targeting large organisations and critical infrastructure like hospitals. There is just so much money to be made – they [cyber criminals] are super successful.”
But increasingly, these attacks are impacting not just on companies’ bottom lines but also on ordinary people’s lives. “They are designed to disrupt very high-profile and critical services, not just in Australia but globally,” says Simon Howe from cyber security firm LogRhythm. “That’s why we are seeing attacks like Colonial Pipeline – they are hitting your gas supplies, your hot dog and beefburger supplies. These attacks are becoming very real to the population.”
FBI Director Christopher Wray in June compared the current spate of cyberattacks with the challenges posed by the 9/11 terrorist attacks. “There are a lot of parallels… and a lot of focus by us on disruption and prevention,” he says, adding the agency is investigating about 100 types of ransomware, most with links to Russia. He says that following the recent high-profile attacks, people are “now realising it can affect them when they’re buying gas at the pump or buying a hamburger. I think there’s a growing awareness now of just how much we’re all in this fight together”.
Perhaps the greatest risk to Australians is the growing number of attacks on hospitals and health facilities. Ransomware groups are targeting the sector because they know that hospitals cannot afford to lose essential services – patient records, timely test results – and are therefore more likely to pay. “At some point you are going to have some very devastating consequences here,” says CrowdStrike’s Sentonas. “It is inevitable if you look at the number of hospitals that are now being impacted around the world.”
On April 25, Anzac Day, aged and disability care provider UnitingCare Queensland was hit by an attack it said had been perpetrated with REvil ransomware. UnitingCare will not comment further on the nature of the incident or whether it paid a ransom. But from public statements it is clear that the cyber criminals caused chaos within the organisation. “As soon as we became aware of the incident, we engaged the support of leading external technical and forensic advisers. We also notified the Australian Cyber Security Centre of the incident and are continuing to work closely with them to investigate it,” UnitingCare said the following day.
In a media release 10 days later, it still could not say for sure if confidential information on patients or other people had been compromised. “With the assistance of leading experts and advisers, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached,” it said. In a further update, on June 10, UnitingCare said there was “no evidence” that the “health and safety” of patients had been compromised, but it also hinted that more than six weeks on, not all of its systems had been restored.
Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), which is a part of the Australian Signals Directorate, will not discuss individual cases but says that ransomware attacks on health providers are of growing concern. “We’ve seen the health sector targeted. Why? Because the criminals will attack those entities they think are most vulnerable and more likely to pay,” Bradshaw says.
Such is the concern that the ACSC now has four of its officers deployed in the Health Department to help prevent and respond quickly to attacks on health services or hospitals. Their role is especially important given the risk of attacks during the national Covid vaccine rollout. “During Covid-19, within hours of governments launching new online services, we saw criminal syndicates shift their attacks to leverage that new policy or service,” Bradshaw says. “They would pretend to be that service and try to lure people to click on malicious links.”
So who is behind this burgeoning form of cyber crime? “Today they are mostly highly sophisticated criminal organisations, many of whom are in Russia, but not just Russia,” says LogRhythm’s Howe. “A ransomware attack on an organisation can get [cyber criminals] millions of dollars in a few days so this is not pimply teenagers in the basement after school. They are highly organised criminal gangs.”
Despite concerns that some ransomware campaigns are state-sponsored, authorities say they mostly appear to be committed by opportunistic criminals rather than government-backed hackers who work for Russian or Chinese intelligence services trying to steal another country’s state secrets. The motivation of ransomware criminals is money.
The ransomware community is a loosely affiliated group of cyber crooks who provide services to each other to help facilitate hacks, and who share the profits from joint operations. For example, the gangs behind two of the best-known forms of ransomware, REvil and DarkSide, provide their software to paying customers who then use it for their own campaigns. “In lots of ways it is a [criminal] economy in its own right,” says Howe. “You get similar levels of organisational communication within that economy.”
Despite the apparent sophistication, the techniques used to gain access to a company’s computer systems remain relatively simple. Hackers send “phishing” emails to trick employees into giving up passwords or access, and once inside the company’s system deploy the ransomware to encrypt or steal data. They only provide keys to decrypt or release this data once the ransom has been paid in cryptocurrencies such as bitcoin.
They are believed to operate mainly from Russia, because most of the groups conspicuously do not target Russian organisations. The issue of the Russian government harbouring these groups, even if they may not directly support them, was raised during the recent G7 summit in England during which leaders demanded that Moscow take action against those conducting ransomware attacks from within its borders.
The ACSC’s Bradshaw says not all ransomware attackers need to be cyber experts because they can simply buy the software. “There has been a proliferation of ransomware-as-a-service syndicates. On the dark web, you can fairly easily locate websites and services that enable you to purchase the ransomware and deploy that unilaterally. It requires a fairly low level of expertise,” she says. “Businesses are increasingly storing valuable data online and in the cloud, such as contracts, customer and personal data. Technology has globally connected and enabled us, and become more accessible to citizens and criminals. Cryptocurrency has become more available and widely used. As a consequence there has been a corresponding proliferation in the cyber threat.”
Although the ransomware threat is a global one, Bradshaw says Australia is proving to be a “useful and attractive target for cyber criminals [because] we’re relatively wealthy, technologically adept and there’s a high take-up of digital services.”
It’s a difficult crime to fight, but there’s hope: the US Justice Department recently announced it had seized more than half of the $US4.4 million that was paid in bitcoin by Colonial Pipeline, by tracking it through a series of electronic accounts controlled by the gang behind DarkSide until it broke into one and seized the bitcoin. “The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge, but the old adage ‘follow the money’ still applies,” said US deputy attorney general Lisa Monaco.
Authorities in Australia and the US strongly advise companies or organisations not to pay the ransoms. “You have to remember you’re negotiating with criminals,” says Bradshaw. “Why would you believe that they’re going to give you an effective decryption key they promised after you’ve paid a ransom? I wouldn’t trust a criminal who says they’ll destroy sensitive data they’ve stolen and copied from you if you pay a ransom.” She adds that paying a ransom doesn’t guarantee the organisation won’t be targeted again – some “have been attacked once and have been attacked again in short order”.
But according to a Global Attitudes survey at the end of last year by cybersecurity firm CrowdStrike, 33 per cent of Australian firms do end up paying the ransom, compared with a global average of 27 per cent. It found that the average amount of ransom paid by Australian entities was $1.25 million.
CrowdStrike’s Sentonas says he understands why some organisations choose to pay. “It’s easy for security professionals or people in the industry to say, ‘Don’t pay it because you are fuelling a crime’, but you have to put yourself in the shoes of the victim. If they, for example, are trying to get a hospital up and running, or if you are Colonial Pipeline and people can’t get fuel, then you have a tough decision as to whether you pay the ransom and get up and running as quickly as possible. Time is of the essence.”
Joseph Blount, CEO of Colonial Pipeline, said he paid the ransom because he didn’t initially know how badly its systems had been penetrated and how long the pipeline might be out of action. “I know that’s a highly controversial decision,” Blount said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.”
Australian Signals Directorate chief Noble says that if companies co-operate with the ASD after they’re hit by a ransomware attack, it can help prevent future attacks and lead to tip-offs to other likely victims. Noble says the information provided by Nine after it was attacked helped the ASD avert two other planned attacks on Australian targets by the same ransomware group. “We were very engaged with them, and the technical information they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn [the others],” Noble told Senate Estimates.
But Australian organisations that are subject to a ransomware attack are often loath to report it or even discuss it. I approached a number of companies who had been named on the dark web as ransomware victims, but most of them refused to talk about their experience, even off the record. None would confess to having paid the ransom being asked of them.
The ACSC says that fewer than one in five Australian organisations hit by a ransomware attack contact the ASD for help. In the 12 months to April 2020 at least 291 Australian organisations are known to have been subjected to a ransomware attack, yet only 51 sought assistance from the ASD. In the year to April 2021, 459 organisations are known to have been attacked by ransomware, with only 81 coming forward for help.
“Unfortunately, there are entities that are reluctant to tell us about a ransomware incident, let alone tell us if they’ve paid a ransom,” says the ACSC’s Bradshaw. The Federal Government is considering the merits of making it mandatory for organisations to report ransomware attacks.
Not surprisingly, the ACSC says prevention is better than cure and has published a ransomware “Protection and Prevention Guide” for organisations and – if it is already too late – an “Emergency Response Guide”.
Assistant Defence Minister Andrew Hastie says intelligence agencies like the ASD are now using “offensive cyber” capabilities to target ransomware criminals operating on the other side of the world. Bradshaw won’t explain how that’s done, but says: “Our [offensive] effects options are excellent and can stop some adversaries in their tracks, or even prevent an attack by tipping would-be victims. So we want to have those options available to us more than once – we can’t show our hand.”
For Nexia’s Irena Hyde, the memories of that day when her company was hacked continue to haunt her. “I think ransomware is not just one of the great threats to your business, but also to your personal life because we live our lives these days through electronic devices,” she says. “It was a really frightening time for me.”
The only lighthearted moment for Hyde was when she learnt the name of the horse that won the Melbourne Cup that she missed. “It’s prophetic that on the day of the failed ransomware attack at Nexia Australia’s Melbourne office, the Melbourne Cup winner was called Twilight Payment,” she laughs. “I did not back that horse.”