The January snow lay thick on the Moscow ground, as masked officers of the FSB – Russia’s fearsome security agency – prepared to smash down the doors at one of 25 addresses they would raid that day.
Their target was REvil, a shadowy conclave of hackers that claimed to have stolen more than $100m (£74m) a year through “ransomware” attacks, before suddenly disappearing.
As group members were led away in cuffs, FSB officers gathered crypto-wallets containing untold volumes of digital currency such as bitcoin. Others used money-counting machines to tot up dozens of stacks of hundred dollar bills.
The cybercriminals behind REvil had mastered a form of extortion orchestrated by seizing control of company computer systems and demanding payment to unlock them.
The ramifications of this increasingly common crime stretch from geopolitical tension between Russia and the west, to Britain’s looming shortage of Hula Hoops, Skips and Nik Naks.
This week, KP Snacks wrote to shopowners to warn of supply issues until “the end of March at the earliest” as it “cannot safely process orders or dispatch goods”.
KP – and fans of its savoury treats – had become the latest victims of a ransomware attack that, as of Friday afternoon, the company was still fighting. Multiple calls to the company went unanswered.
About 426m roubles (£4m), including in cryptocurrency, and $600,000 seized by Russia’s FSB from 25 apartments of 14 members of the REvil hacking group. Photograph: FSB/TASS
When the boss of a company such as KP gets the dreaded ransom note, no matter what time of day, their next call might well be to US cybersecurity firm Mandiant.
“The typical situation is that they don’t see it coming and then all of a sudden they experience a devastating impact,” says Dr Jamie Collier, Mandiant’s senior threat intelligence adviser.
The importance of computer systems to company supply chains, he says, affords enormous power to any hackers who breach their defences.
“It provides a huge amount of leverage and allows these groups to demand significantly higher extortion fees than they would have done in the past.”
While Mandiant’s teams go to work trying to fix or mitigate the damage, the victims enter negotiations with the hackers, who often act as if they are striking a legitimate business deal.
“Threat groups are very approachable,” says Dr Collier. “You’ll see them recruit English speakers who can deal with it [negotiations], almost like customer service where you can make contact and interact in a professional way.”
Hackers, he says, will even hand-hold executives through the process of buying and transferring the cryptocurrency favoured for ransom payments.
A sign at an Exxon station saying out of gas after a cyber-attack crippled the biggest fuel pipeline in the country, run by Colonial Pipeline. Photograph: Yuri Gripas/Reuters
Depending on the sophistication of the attack, the damage done by a prolonged shutdown, and whether the likes of Mandiant can fix it, there is sometimes little choice but to pay.
On top of operational disruption, firms risk regulatory fines if data is leaked, as well as huge damage to their reputations.
Many now have cyber insurance that offers them the option of letting the insurer pick up the tab, albeit while drawing criticism for potentially fuelling future attacks.
In May 2021, the DarkSide ransomware gang – often rumoured to be linked to REvil – took down fuel supplier Colonial Pipeline. As petrol stations ran dry and American motorists panicked, the company had little option but to hand over $4.4m (£3.3m).
In the case of Travelex, even coughing up didn’t help. The biggest factor in the collapse of Travelex in August 2020 may have been the effects of Covid-19 on tourism but lingering damage from a ransomware attack earlier that year helped tip it over the edge. Travelex reportedly paid a $2.3m ransom but the loss of trust from customers was lasting.
Ransomware attacks are on the rise. There were 1,396 in 2020, according to Ransom-DB, which tracks such incidents. The number nearly doubled to 2,699 in 2021, with about 35-40% of cases ending in a ransom payment.
The likelihood, Ransom-DB says, is that many more go unreported. In the UK, the body responsible for stemming the tide is the National Cyber Security Centre (NCSC).
Its deputy director of incident management, Eleanor Fairford, says: “As long as cybercriminals make gains, as long as people pay them, it’s a business model that is very lucrative. There’s no reason why it should stop.”
Some have proposed banning companies from paying ransoms, in theory removing the incentive for such attacks. This, warns Fairford, may just result in companies failing to report attacks or simply going out of business.
The challenges for those trying to stem the tide are manifold. Gangs are anonymous, and they rebrand and relocate as quickly as the authorities can find them.
Increasingly, they work together to pool specialised knowledge. There are even “initial access” brokers connecting firms which are good at infiltrating systems to others who are better at deploying ransomware once inside.
Perhaps the greatest obstacle is that the countries from which hackers operate, dominated by Russian and former Soviet states, have shown little appetite to stop them. “It might be of benefit to certain states to have these gangs annoying the west, plus the impact is not in the states from which it originates,” says Fairford.
The FSB’s show of strength against REvil, she says, may be little more than theatre, or diplomatic expediency. “I don’t think anybody seriously views this as the beginning of the end of ransomware, at the hands of the Russian state. It’s some sort of token attempt to show movement.”
The only solution, experts agree, is for firms to take every precaution to defend against some of the most well-known weaknesses that ransomware gangs exploit, often via individual staff members.
These include targeting computers used remotely by staff, a growing trend as the pandemic led to more people working from home.
Helge Janicke, research director of the Cyber Security Cooperative Research Centre in Australia, stresses the need for “awareness of your workforce, having effective technical controls and integrating ransomware attacks in your organisation’s incident response and disaster recovery plans”.
“The key is being prepared.”
Rob Davies and Dan Milmo