Ransomware attacks — in which cyber criminals hold hostage data from businesses and agencies — are increasing in the United States and are being aimed at a wide range of targets, say cybersecurity experts in the private sector and government.
The average number of monthly ransomware attacks in the U.S. has shot up in the past nine months, according to data gathered by the cybersecurity firm Check Point Research. The FBI said it saw an increase in ransomware complaints late last year.
“In the utilities sector in the U.S., we can see on average around 300 weekly cyberattacks [per] organization, while the global sector has around 650,” Ekram Ahmed, spokesperson for Check Point Research, said in an email.
He said ransomware attacks were attempted against an average of 1 in every 88 utilities organizations in the U.S. in recent weeks, up by 34% from the beginning of the year.
Ransomware is malicious software that requires payment in exchange for restoring access to the data or systems held hostage.
The spread of ransomware has coincided with the COVID-19 pandemic, with more people online.
Brett Callow, threat analyst at the software company Emsisoft, said the targets of ransomware are becoming much bigger.
“In the last few years, ransomware has gone from mainly targeting [small and midsize businesses] to targeting much larger orgs, including governments and multinationals,” Mr. Callow said in an email.
Mr. Ahmed said Check Point has found that the most targeted sector is health care, followed by the government. But the spread of ransomware is not limited to any single industry.
The FBI on Monday formally attributed the cyberattack against Colonial Pipeline, a major supplier of U.S. fuel, to DarkSide ransomware.
The cyberattackers behind the DarkSide ransomware deployed in the pipeline attack are believed to be in Eastern Europe, and the Biden administration has noted that the pipeline appears to have been targeted by criminals instead of by a government.
The DarkSide ransomware works on a ransomware-as-a-service model, which leverages its partners to execute cyberattacks and can make it difficult to quickly pinpoint the real threat actor behind the pipeline attack, according to Lotem Finkelstein, head of threat intelligence at Check Point.
The Georgia-based Colonial Pipeline Co. said it transports about 45% of all fuel consumed on the East Coast, including gasoline, diesel, home heating oil, jet fuel and fuel for the military.
Ransomware also has caused damage at the local level. The D.C. Metropolitan Police Department fell victim to a ransomware attack last month.
“I think that what’s going on anecdotally is that attackers think that their time may be coming to an end with around-the-world governments thinking of cracking down more and more on these cybersecurity incidents, and so they seem to be unleashing everything,” Matthew Prince, co-founder and CEO of security company Cloudflare, said on CNBC.
The federal government is among the jurisdictions reviewing approaches to deterring cyberattacks.
John C. Demers, assistant attorney general for national security, said last month that the Justice Department had witnessed a “very significant increase” in ransomware attacks.
The Justice Department set up a ransomware task force to review the issue with input from the national security division, the criminal division and the U.S. attorneys’ offices, Mr. Demers said last month at an event hosted by George Washington University’s Project for Media & National Security.
Whether police, the pipeline company and others choose to pay ransomware attackers to restore access to data and systems remains to be seen. Payments could put victims in tricky legal situations if they run afoul of cybersecurity-related sanctions, depending on who is responsible for the ransomware attacks.
Mr. Demers, however, noted last month that the Justice Department has not prosecuted many victims for making hostage payments. He said prosecution could put the government in a “more adverse posture” with victims who could help them in the future.