SAN FRANCISCO - It can feel abstract: a group of organized but faceless criminals hijacking corporate computer systems and demanding millions of dollars in exchange for their safe return. But the impact of these ransomware attacks is increasingly, unavoidably, real for everyday people.
These crimes have resulted in missed chemotherapy appointments and delayed ambulances, lost school days, and transportation problems. A ransomware attack on Colonial Pipeline in May led to gas shortages and even dangerous situations caused by panic buying. This past week, hackers compromised the JBS meat processing company, leading to worries about meat shortages or other key food providers being at risk. Last fall, the Baltimore County Public Schools system was hit with ransomware and forced to halt classes for two days, which were being held virtually.
As recently as Wednesday, ransomware attacks were causing problems across the country. In Martha’s Vineyard, the ferry service transporting people to and from the Massachusetts island said it had been hit by a ransomware attack that disrupted its ticketing and reservation process. Ferries continued operating all week, but the ticketing system was still affected, causing delays, on Friday.
The recent spate of high-profile ransomware incidents is exactly what cybersecurity professionals have been warning about for years. But it’s partially the impact on everyday people - far from the executive suites, cybersecurity companies, or government agencies that regularly fret about the criminal enterprise - that has made the risk more visible. The ripple effects of ransomware can result in everything from mild inconvenience to people losing their lives, and it’s only increased in frequency during the pandemic.
“It’s not only that it’s getting worse, but it’s the worst possible time for it to happen,” said Robert Lee, chief executive of Dragos, an industrial cybersecurity firm. He says on average, there are likely 20 to 30 big ransomware cases happening behind the scenes in addition to the ones making headlines.
Ransomware attacks are not new. The money at stake has changed drastically, however, inflating from thousands to millions of dollars, and the targets are more sophisticated as well. The increasing number of companies connecting their systems and adding more remote access points, along with things like the widespread use of bitcoin, have widened the pool of targets. Cybercriminals once focused on small companies and individuals but have made headlines this year for attacks on higher-profile victims.
“Now you’ve got ransomware affecting whole corporate networks, interrupting critical national function, causing disruption in people’s lives. It’s really become a national security, public health and safety threat,” said Michael Daniel, president and CEO of the nonprofit group Cyber Threat Alliance.
The ransomware industry has grown but the underlying techniques for gaining access have largely stayed the same. Hackers commonly access companies’ systems through “phishing” attacks - emails sent to try to trick employees into giving up passwords or access. Once inside a company’s system, ransomware outfits will find critical information and lock it down, then contact a company to demand a ransom for it to be released.
These criminals generally work in loosely defined groups, sharing tips and resources that make it possible for individual hackers to easily extort multiple targets. Companies occasionally have backup copies of their systems that they can restore rather than pay a ransom. But that can result in delays, and sometimes hackers make copies of the information they access and threaten to leak private information online if they are not paid. A big data leak could be a huge issue for consumers, not just the companies.
“There’s this awful downward spiral of societal harm that happens from ransomware,” said Megan Stifel, co-chair of the ransomware task force and an executive director at the Global Cyber Alliance.
The Colonial Pipeline attack was one of the many worst-case scenarios experts have been warning about, and planning for, for years. A ransomware attack last month caused the company to shut down its pipeline connecting Texas to New Jersey.
Panicked that they wouldn’t be able to get enough fuel, drivers swarmed gas stations, resulting in long lines and barren gas pumps in parts of the U.S. Drivers hoarded fuel as stations ran out of their supply, exacerbating the issue. The attack sparked a real-world fire in a Florida town, according to local news reports, when a Hummer burst into flames after the driver filled up four gas containers. The panic buying even prompted the U.S. Consumer Product Safety Commission to issue a long tweet thread about gas safety, including a message that quickly went viral: “Do not fill plastic bags with gasoline.”
People’s safety has been even more directly threatened by attacks on health care systems. Hospitals have been particularly hard hit, as far back as 2016 when the Hollywood Presbyterian Medical hospital paid $17,000 in bitcoin to a ransomware hacker. Last November, the University of Vermont Medical Center was hit by ransomware and it took nearly a month for it to regain access to its medical records. Chemotherapy patients had their treatments delayed, and were sent to other health centers where some had to re-create their medical history.
Joshua Corman, the chief strategist for health care and covid on the government’s Cybersecurity and Infrastructure Security Agency COVID Task Force, has been studying the potential impact of health-care attacks on mortality rates. For example, if a hospital has to close suddenly, ambulances might take longer to reach people in distress.
“Minutes can be the difference between life and death for heart attacks, and hour or two can be the difference for a stroke,” said Corman.
Lee, the head of Dragos, recently worked with a power company that got hit with a ransomware attack but was able to maintain operations. However, attacks like that could easily result in localized power shortages, he says. Attacks on pharmaceutical companies, or any of the manufacturers in their pipeline, could delay critical medicine like insulin or even vaccines. The increased targeting of industries with the most potential for disruption may be the criminals’ business decision.
“It feels like these groups realize industrial companies are more ready to pay out and more quick to pay out, because if you impact industrial operations you have to get up and going for safety and community,” said Lee.
Beyond the physical inconveniences, ransomware attacks can also hurt public trust in technology and systems, and cause people to worry they’ll be a victim or to panic-buy products they think will see a price hike or be in short supply, according to Stifel.
Panic after attacks is part of the problem. This past week’s attack on JBS, one of the largest meat-processing companies in the world, resulted in temporary factory shutdowns. While there were not yet any confirmed meat shortages in the U.S., worried meat suppliers still warned consumers not to panic-buy beef, which could cause otherwise still stable prices to go up.
From higher gas prices to canceled surgeries, real-world financial and consumer safety implications of these hacks have spurred the federal government to crack down on ransomware. It’s investigating the causes, working on guidelines, and urging corporate America to take cybersecurity protections seriously.
“We’ve been warning about this overtly for more than eight years and a lot more quietly for longer, but now that its manifested, the silver lining is that we’re not starting ice cold,” said CISA’s Corman.
- - -
The Washington Post’s Rachel Lerman contributed to this report.