"Ransomware Boom Comes From Gangs That Operate Like Cloud-Software Unicorns: 'A Truly Incredible Business Model'"
Roughly 1,000 businesses every week are being hit by hacks that lock up computer networks for ransom, and an extortion attempt on Apple shows a new approach as ransomware-as-a-service attacks explode into view.
If ransomware attacks call to mind hoodie-wearing hackers in basements or bunkers full of coding soldiers, think again. These online assaults are proxy wars in which organized cybercrime syndicates adopt business models straight out of Silicon Valley.
JBS SA JBSS3, -0.71%, the world's largest meat-processing company, recently resumed most of its operations after hackers targeted its servers in North America and Australia and issued a ransom demand. Other recent targets have included the ferry operator that connects Martha's Vineyard and Nantucket to the mainland, and Colonial Pipeline in May. Meanwhile, the insurer CNA Financial Corp. reportedly paid $40 million back in March to unfreeze its networks.
While those organizations have grabbed headlines, they're not alone. Roughly 1,000 organizations are being hit by ransomware attacks each week, Check Point Software Technologies Ltd. CHKP, +0.46% recently reported, more than double the figure from the same time last year. Essentially, ransomware is software that threatens to encrypt data or make a victim's computer network useless unless a ransom is paid. The tactic has been adopted by criminal enterprises, known as "enablers" or "ransomware-as-a-service" (RaaS) providers, that take advantage of our increasingly connected world and have adopted the software-as-a-service, or SaaS, model common among cloud-software providers.
RaaS provider "REvil" was behind the JBS incident, and one called "DarkSide" was identified with the Colonial incident, according to the FBI. RaaS providers supply criminals with the software needed to attack and lock up networks for as little as a few dollars along with a cut of any ransom the perpetrators receive, suggesting a business model capable of ridiculously expansive profit margins because the ransoms demanded have skyrocketed in just the past few years.
Unit 42, the global threat intelligence team at Palo Alto Networks Inc. PANW, +2.85%, said the average ransom paid by organizations nearly tripled to about $312,000 in 2020, up from $115,000 in 2019. Late Wednesday, JBS disclosed that it had paid an $11 million ransom in bitcoin BTCUSD, +1.33% to avoid further disruption to its plants. In the Colonial attack, the pipeline operator reportedly paid hackers $4.4 million in ransom, but the Justice Department said Monday it has been able to claw back about $2.3 million of that.
"It's becoming a booming, lucrative business," Sandra Joyce, head of global intelligence at FireEye Inc. FEYE, +5.70%, told MarketWatch. "And it is not going away."
"When I say it is a business, it is a truly incredible business model," Joyce said. "You have ransomware operators, crew affiliates, they supply these affiliates with all the tools and support that they need to go after victims."
Now, the continuing trend by cybercriminals appears to be blurring right past seeking a ransom to unlock data and heading straight into extortion, with threats to leak intellectual property or corporate secrets online or to the media, Joyce said.
"The future of this could be straight to extortion," Joyce said. "It's a real crisis at this point."
One recent example of the developing approach to ransomware is what Check Point has termed a "triple extortion" attack, the likes of which it says targeted Apple Inc. AAPL, -0.80% business partner Quanta Computer, a Taiwan-based laptop designer, back in April. Hackers, using the REvil service, originally demanded a $50 million ransom from Quanta, Check Point said.
"Since the company refused to communicate with the threat actors, the threat actors went on to extorting Apple directly, demanding that Apple purchase back blueprints of their products found on Quanta Computer's network," Check Point said. "Approximately a week later, REvil peculiarly removed Apple's drawings from their official data leak website."
Apple declined to comment to MarketWatch regarding the incident.
George Kurtz, CrowdStrike Holdings Inc. CRWD, +6.85% co-founder and chief executive, told MarketWatch in an interview that one of his biggest concerns in cybersecurity is how quickly criminals are learning to flout protections.
"The pace of innovation in terms of these attacks continues to ramp up," Kurtz said. "Just ransomware-as-a-service, just how organized they are, the new techniques they come out with, it's very rapid."
"It's working, and they're getting paid," Kurtz said. "Big payments are being made at very little risk to the actors."
On the whole, healthcare, utilities and insurance are the industries most often hit, according to Check Point, while Unit 42 said in a recent report that it found cybercriminals tend to favor overworked networks, "often to the point that it overwhelms DevOps and Security teams."
"For example, the number of security incidents in the retail, manufacturing, and government [categories] rose by 402%, 230%, and 205%, respectively," the Unit 42 report said. "This trend is not surprising as these industries were among those facing pressures to adapt and scale in the face of the pandemic - retailers for basic necessities, manufacturing and government for COVID-19 supplies and aid."
These cybercriminals are putting organizations in an impossible situation, FireEye's Joyce said. Hospitals have to decide whether to pay up or cease treating patients, and companies have to decide whether to pay or have their corporate secrets released, all the while cognizant that paying up further finances and incentivizes these groups, she said.
"This is very organized, and there's an entire business model in place so not only is the software platform very user-friendly and sophisticated, they interview their potential candidates, in one case they had to speak fluent Russian to pass," FireEye's Joyce said.
That would support findings from cybersecurity firm Check Point that called attention to the REvil "working rules" that were posted to underground forums. Potential REvil clients were told that it is "forbidden" to target organizations in the Commonwealth of Independent States and Ukraine, comprising much of the former Soviet Union.
"It's open season on U.S. businesses and the West," FireEye's Joyce said. "The chatter places limits on Russian targets."
While a few years ago most ransomware demands in the six figures would be considered "unbelievable," demands for seven- and eight-figure sums have become much more commonplace, she said.
Both FireEye's Joyce and CrowdStrike's Kurtz told MarketWatch that the only real solution to the growing problem is through policy making, and getting the nations where cybercriminals are based to hold them accountable for their crimes.
week, President Joseph Biden called ransomware attacks a "rising national-security concern" and has said that he will raise the issue of cyberattacks with Russian President Vladimir Putin at a meeting later this month, according to the White House. Reuters reported that the Justice Department is raising ransomware investigations to the same level as those for terrorism. A request to the Justice Department for comment on the action has yet to be returned.
Across the board, such cybersecurity companies as CrowdStrike, Palo Alto Networks, FireEye and Zscaler Inc. ZS, +4.55% have reported surging revenue over the past year as the COVID-19 pandemic broadened the threat landscape out to work-from-home situations and vulnerable industries became low-hanging fruit for cybercriminals.
That, however, has had an uneven effect on stocks in the sector, as it seems that both sales of cybersecurity services and high-profile attacks are surging in tandem. Over the past 12 months, the ETFMG Prime Cyber Security ETF HACK, +1.46% has risen 35%, while the S&P 500 index SPX, +0.47% has advanced 33%.
"G-7 Countries Agree to Back a Minimum Global Tax of 15% for Corporations"
In a statement following a Saturday meeting, the G-7 countries (Canada, France, Germany, Italy, Japan, the United Kingdom, and the U.S.) said they would support a plan to impose a global minimum tax of 15% on multinational companies and to allocate taxes from large, profitable global firms to the regions where they operate. The finance ministers said they hope to make further progress toward a global agreement at the July meeting of the Group of 20 finance officials.
Treasury Secretary Janet Yellen said in a statement Saturday morning that "the G-7 Finance Ministers have made a significant, unprecedented commitment today that provides tremendous momentum towards achieving a robust global minimum tax at a rate of at least 15%."
The move had previously garnered support from U.S. President Joe Biden, who floated the idea to Republicans as a way to finance an ambitious infrastructure package, Reuters reports.
According to economists at Bank of America, about 60% of U.S. multinationals' reported foreign income was booked in seven small countries with "relatively small economies" in 2019: Bermuda, the Cayman Islands, Ireland, Luxembourg, the Netherlands, Singapore, and Switzerland.
While that share of revenues stopped increasing after the U.S. passed the 2017 Tax Cuts and Jobs Act, which included a handful of measures to limit companies' ability to shift profits to lower-tax jurisdictions, "the share did not decrease meaningfully and so profit shifting remains a major concern," the economists wrote.
"Democrats and Republicans are likely to disagree on the efficacy of the proposed changes. But beneath this disagreement there is common ground on cracking down on profit shifting," they added.
The 15% figure is lower than the 21% global minimum tax originally supported by the White House, which Reuters reports has been offered instead of raising the U.S. corporate tax rate to 28% from 21%.
As of late April, strategists at Goldman Sachs expected tax increases on foreign and domestic profits to reduce earnings of S&P 500 companies by about 3% in 2022, compared with what companies would otherwise earn under current U.S. tax policy.
"Meat Supplier JBS Paid Ransomware Hackers $11 Million"
JBS, the largest beef supplier in the world, paid the ransomware hackers who breached its computer networks about $11 million, the company said Wednesday.
The company was hacked in May by REvil, one of a number of Russian-speaking hacker gangs, leading to meat plants across the U.S. and Australia shutting down for at least a day. News of the payment was first reported by The Wall Street Journal.
Like many ransomware groups, REvil has made millions in recent years by hacking organizations, encrypting their files and demanding a fee, often a large bitcoin payment, in exchange for a decryptor program and a promise not to leak those files to the public.
In a statement, JBS indicated that while it was able to get most of its systems operational without REvil's help, it chose to pay to keep its files safe. "At the time of payment, the vast majority of the company's facilities were operational," the company said in an emailed statement, adding that it "made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated."
The U.S. government has long recommended that ransomware victims not pay their attackers, though most ransomware gangs are not sanctioned entities and paying them is not illegal.
JBS CEO Andre Nogueira defended the decision to pay.
"This was a very difficult decision to make for our company and for me personally," Nogueira said in the statement. "However, we felt this decision had to be made to prevent any potential risk for our customers."
The news of JBS' payment comes on the heels of congressional testimony from Joseph Blount, CEO of Colonial Pipeline, a major U.S. fuel pipeline that was recently hacked by a different Russian ransomware group, called DarkSide. In Senate testimony Tuesday, he called the decision to pay "the right thing to do for the country."
In an unusual move, the Justice Department announced Monday that it was able to recover part of the payment that Colonial sent to its hackers. The FBI declined to give specifics on how, however, leaving it unclear how frequently such a tactic could be deployed.