Cyberattacks using ransomware — in which criminals break into computer networks, lock them up and hold the information for ransom — increased a lot in 2022.
Schools drew the attention of cybercriminals. And a method of doing business called “ransomware as a service” expanded.
Marketplace’s David Brancaccio wanted to know what this jump in ransomware attacks means as we step into 2023, so he discussed it with Dina Temple-Raston, host of the “Click Here” podcast, which focuses on digital and intelligence issues. The following is an edited transcript of their conversation.
David Brancaccio: These ransomware attacks are not getting better, despite the attention. Why worse?
Dina Temple-Raston: Well, there are lots of reasons, most of which have to do with money. Criminals are seeing better returns, groups that use ransomware have really grown and there’s some other factors too. You know, one is this growing rash of attacks against schools around the world. There was this ransomware group called Vice Society — they’re thought to be Russian — and they’ve turned attacking schools with ransomware into a kind of specialty. In fact, they were behind that Los Angeles Unified School District attack, which made lots of headlines back in the fall. And the group and others have also targeted small governments and potentially vulnerable institutions. I talked to a guy named Jon DiMaggio, who’s over at a cybersecurity company called Analyst1, and I asked him why schools are suddenly in the crosshairs. And he said it’s pretty straightforward: Hackers saw them as easy targets.
Jon DiMaggio: [Schools] don’t specialize in cybersecurity, they don’t have the budgets, they don’t have the right people. It makes them very, very easy to compromise.
Brancaccio: You know, our public school was hacked, and I was sitting there thinking, why? It’s not like they have vaults of money at a public school, right?
Temple-Raston: No, they don’t, and what’s interesting is that the hackers don’t seem to understand that. They see these multibillion-dollar school budgets, like the one in Los Angeles, and they assume that there’s money there.
Brancaccio: Did that district pay ransom?
Temple-Raston: No, Los Angeles refused to pay. So what the hackers did instead is they stole information. Cybercriminals love to use personal information to open credit cards and steal identities. And the students’ personal information was just golden for them because it had no credit history, and they can actually sell it for quite a bit on the dark web.
Ransomware on demand
Brancaccio: All right, so these softer targets. What else is driving this increase?
Temple-Raston: Well, there’s something called ransomware as a service. And it’s just like it sounds: Cybercriminals who are really good at writing that malicious code that you need for ransomware, they just start renting it out. And that means you don’t need to be a coding genius to attack a target anymore, someone else takes care of that. So all you do is pay a fee and someone lends you their malware. We talked to Kyle Hanslovan, who’s over at a cybersecurity company called Huntress. And he says that for years, cybersecurity officials were so focused on traditional hackers that they missed this.
Kyle Hanslovan: We were late, behind the power curve on all of ransomware as a service. Our stuff was nation-state threats. “Oh, it’s the North Koreas and the Chinas and the Russias and the Irans.” And we kind of slept.
Brancaccio: Dina, I mean, you’re watching this closely. Are authorities making some progress?
Temple-Raston: Very little. And part of that is because most of the world’s ransomware is still coming out of Russia. And Moscow has this long-standing unspoken agreement with hackers, which is basically don’t hack Russia and we’ll turn a blind eye to what you’re doing. And that’s proven to be the case. There’s a man named John Fokker, who’s head of investigations at a cybersecurity company called Trellix, and he thinks that these ransomware groups in 2023 are going to steal a page out of the al-Qaida and terrorism playbook. And instead of being like a cohesive army or a cohesive group, which is what they are now, hackers are going to break up into more independent cells. Which is going to make it even harder for authorities to try and track them.
John Fokker: As long as these people are still not arrested, they can still commit the similar crime. The skill doesn’t fade in that regard. And they can still regroup somewhere else.
Brancaccio: And you know, what discussion would be complete without referencing, what should I call it? The Costa Rica affair, a biggie over the last 12 months.
Temple-Raston: It wasn’t that big in terms of size or cost, but it kind of changed the playing field. It happened back in the spring, and it was launched by this Russian-speaking hacking group called Conti. And it’s the first time a country has ever declared a national emergency in response to a cyberattack. And basically what this group did is they locked up the ministry of finance’s computer network. So it caused problems with trade and taxes and imports. And then this group, Conti, asked for $10 million to unlock the system, and then they increased the ransom demand to $20 million. And then a short time later, another group came in and Costa Rica’s health care network was subject to a ransomware attack. And that’s the worst set of government hacks seen in 2022.