Center for Security Policy Studies

The Real Danger of the Microsoft Exchange Hack

CSPS Fellow Kevin McKenna discusses the recent Exchange hack and options for preventing future ransomware attacks.

Earlier this month, Microsoft announced that a group of hackers exploited previously unknown vulnerabilities in its Exchange Server software, compromising the email security of tens of thousands of organizations across the globe. While Microsoft swiftly released security patches, many of the affected servers remain unpatched and vulnerable. News of the Exchange hack sparked vigorous debates in the cybersecurity policy community about how the U.S. Government should respond, both in terms of holding guilty players accountable and preventing a similar security breach in the future. While it is critical for the Biden administration to get both of these aspects right, it must also prepare for the second-order effects of the Exchange hack. Specifically, it needs to take concrete steps to limit the threat of ransomware.

Ransomware on the Rise

Since the introduction of cryptocurrencies allowed for relatively anonymous online transactions, ransomware attacks have become increasingly popular among cyber criminals as a means of harming adversaries, generating income, or both. According to the cybersecurity research firm CrowdStrike, the frequency and sophistication of ransomware attacks rose dramatically in the last few years. The main reason for this trend is simple: ransomware pays.

Victims of ransomware – whether major corporations, small organizations, government entities, or private individuals – typically have a strong incentive to pay the ransom in hopes of regaining access to their systems. This creates a vicious cycle: When more victims pay ransoms, it makes ransomware attacks more profitable for attackers and, therefore, more attractive to a broader variety of malicious actors. The cybersecurity research firm FireEye noted that the increased profitability of ransomware drove a trend in which “threat actors that historically targeted sensitive information such as personally identifiable information (PII) and credit card information turned to ransomware to monetize access to victim networks.”

Not only are more threat actors executing ransomware attacks, they are employing innovative new tactics, techniques, and procedures (TTPs) to maximize effectiveness and profit. A growing trend among threat actors is the use of ransomware-as-a-service (RaaS). They hone specific skillsets that represent the component parts of a ransomware attack – intrusion, automated distribution, or the development of ransomware are most common – and offer these services to other threat actors on the dark web in exchange for a cut of the ransom. Some threat actors are even starting affiliate programs that increase the spread of ransomware by offering their malware tools to third-party affiliates to use in ransomware attacks. When affiliates successfully use the provided tools to extort a ransom payment from a victim, the malware provider receives a share of the ransom. By leveraging other actors’ expertise, ransomware attackers are maximizing the efficiency and impact of their attacks.

Threat actors are increasingly targeting victims that are most vulnerable and most likely to pay ransoms. Common examples include state and local government agencies that operate critical infrastructure but lack the cybersecurity measures needed to prevent ransomware attacks.

The Exchange Hack: Adding Fuel to the Fire

In late February, the threat actors responsible for the Exchange hack – identified by Microsoft as the Hafnium group, which most security experts believe is affiliated with the Chinese government – learned that Microsoft planned to patch the vulnerabilities they exploited to gain access to mail servers across the globe. In a recent Lawfare Blog post, Dmitri Alperovitch and Ian Ward of Silverado Policy Accelerator described the attackers’ response: “[They] decided to take the truly unprecedented step of automatically scanning practically the entire internet for vulnerable Exchange servers and then compromising every single one of those servers before they could be patched.” In effect, China opened a pro bono ransomware affiliate program and provided its intrusion expertise to any moderately competent ransomware threat actor who wanted to attack the thousands of vulnerable organizations with unpatched instances of Microsoft Exchange.

At an event on election security hosted by the Hayden Center in October of last year, then-Director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs said of the ransomware threat, “We are on the verge of a global crisis, and state and local [governments] are feeling it every day.” In an interview with Foreign Policy last week, Jonathan Tepperman asked Krebs about the real-world consequences of the Exchange hack. Krebs replied, “I think that story has yet to be told, frankly. If a number of organizations were compromised by cybercriminals that are looking around their networks to see what’s there, the potential ransomware attacks are still a couple of days to a couple of weeks out. That’s when you’re going to know the real consequences. And this hack was classic fodder for a ransomware attack. The attackers got access. They could move around [inside the compromised servers]. They’ll lock them up, and then they’ll demand payment.”

The ransomware crisis may become markedly worse in the coming weeks, and could present the most urgent national cybersecurity challenge for the Biden administration. To help mitigate the risk of ransomware attacks, the administration needs to invest in federal programs that can:

  • offer federally-funded cybersecurity support and training to state and local institutions,
  • incentivize information-sharing between the public and private sectors – especially the disclosure of ransomware incidents and coordination of cyber threat intelligence, and
  • encourage the inclusion of cybersecurity and information security in public school curricula to strengthen the future of American cybersecurity talent.

Kevin McKenna is a graduate student in the International Security Master’s program at George Mason University’s Schar School of Policy and Government. His research interests are centered around the nexus between cybersecurity, national security, and diplomacy.
