Why Are Ransomware Attacks Happening So Often—and Can They Be Stopped?
BU cybersecurity expert Sharon Goldberg on the reasons and the needed safeguards
Ransomware “is basically an industry, and there’s a business model that’s working,” says computer network security expert Sharon Goldberg. The College of Arts & Sciences computer science associate professor says this simple dynamic explains the rash of recent cyberattacks, many involving ransomware—malware that blocks access to data, or publicizes confidential data, unless a ransom is paid.
Hacks or attempted hacks of Colonial Pipeline (conduit for half the gas, jet fuel, and diesel used by the East Coast), JBS (one of the country’s biggest meat-packers), Martha’s Vineyard Ferries, the NBA, and New York City’s transit system made headlines, but they were far from unusual. Ransomware attacks targeting anything from hospitals to police departments occur every eight minutes, the New York Times reports, many of the attacks originating in Russia or China.
President Biden is expected to warn Russian President Vladimir Putin to back off the hacking at their June 16 summit, a response Goldberg says is essential. The cofounder and CEO of BastionZero, which helps companies secure their servers, Goldberg spoke with BU Today about the recent hackings.
With Sharon Goldberg
BU Today: Why this rash of attacks at this moment in time?
Sharon Goldberg: It’s like when a start-up takes off and you see its products being used everywhere. There’s a little bit of that happening with ransomware. If you look at the software used in these different attacks, often it’s the same pieces of software. So there’s this almost product-ization of ransomware. It’s kind of been the same technology for a while, the same software being sold to different criminal organizations. When the ransoms are paid, that’s just more cash to reinvest in the business and launch more ransoms.
BU Today: Does that mean companies paying ransom are doing the wrong thing?
Sharon Goldberg: I’m not prepared to say that. If the only way to get my hospital running and save people’s lives is to pay ransom, that’s my incentive. It’s more a question of national policy. There was a Bitcoin ransom paid [by Colonial Pipeline], and the FBI was able to recover that ransom. I’m not sure how they did that. But that’s a policy approach, to actually have consequences on these criminals.
It’s difficult because criminals are not located even in the same country. But there needs to be actual deterrence. It can’t just be that the attackers make money; they’ll just keep launching more attacks. You need someone whose incentive is to protect globally all these organizations—for example, the FBI coming in and trying to recover the coin or helping patch systems and putting out patching advisories. This is a national security issue in a lot of ways. If people can’t get gas for their cars or go to the hospital because the hospital’s been shut down, that’s national security, the same way a pandemic is national security.
It’ll continue to be a cat-and-mouse game. Organizations are investing in security, and that’s important, because you don’t want to be the only idiot with your front door unlocked. But there’s a bigger policy [need] here.
BU Today: Why are companies and governments so vulnerable and not better protected technologically?
Sharon Goldberg: You’d be hard-pressed to find a large organization that doesn’t have a chief security officer and hasn’t been investing in cybersecurity. The problem is that computer systems are really complicated. You have systems that grow over time. If you think about a castle, and it’s got a high wall, but there’s one brick that’s loose at the bottom, you pull that brick out and walk into the castle. That’s what these ransomware attacks are doing. It’s a lot harder to defend than it is to attack. Any security expert will tell you that no system is 100 percent secure at all times.
If you have a hospital, you’re faced with a choice of making something more secure versus making it harder to use in a way that could be risky to saving people’s lives. Imagine you require a complicated log-in to get into some computer system necessary for allowing someone to have a C-section within 60 minutes of a baby’s heart rate dropping. You’re not going to wait for the doctor to do a multifactor authentication.
BU Today: If somebody could hack the power grid and shut off the AC during a heat wave, or a nuclear plant—
Sharon Goldberg: I think the incentives are not necessarily aligned for that. These are often criminals looking to make money, not invoking the wrath of the US government. There’s a lot of money to be made doing this, and therefore, it’s proliferating.
BU Today: Do all businesses now need to have a hacking emergency plan in case one happens?
Sharon Goldberg: I think that’s true for most. The days in which breaching and being able to take down the whole organization have long passed. Most organizations are segmenting their software assets in a way that if one thing gets compromised, you don’t compromise the whole company. But I also think organizations need to up their security posture. Attackers are not going to go after the organizations that are hard to breach—they’re going to go after the ones that are weaker. That’s the way to think about your security.