How the growing Russian ransomware threat is costing companies dear

With KP Snacks the latest cyber-attack victim, firms must learn to defend themselves against a mounting menace

The January snow lay thick on the Moscow ground, as masked officers of the FSB – Russia’s fearsome security agency – prepared to smash down the doors at one of 25 addresses they would raid that day.

Their target was REvil, a shadowy conclave of hackers that claimed to have stolen more than $100m (£74m) a year through “ransomware” attacks, before suddenly disappearing.

As group members were led away in cuffs, FSB officers gathered crypto-wallets containing untold volumes of digital currency such as bitcoin. Others used money-counting machines to tot up dozens of stacks of hundred-dollar bills.

FSB video of the alleged raid (which is entertaining but not that enlightening):

— Mike Eckel (@Mike_Eckel) January 14, 2022

The cybercriminals behind REvil had mastered a form of extortion orchestrated by seizing control of company computer systems and demanding payment to unlock them.

The ramifications of this increasingly common crime stretch from geopolitical tension between Russia and the west, to Britain’s looming shortage of Hula Hoops, Skips and Nik Naks.

This week, KP Snacks wrote to shop owners to warn of supply issues until “the end of March at the earliest” as it “cannot safely process orders or dispatch goods”.

KP – and fans of its savoury treats – had become the latest victims of a ransomware attack that, as of Friday afternoon, the company was still fighting. Multiple calls to the company went unanswered.

About 426m roubles (£4m), including in cryptocurrency, and $600,000 seized by Russia’s FSB from 25 apartments of 14 members of the REvil hacking group. Photograph: FSB/TASS

When the boss of a company such as KP gets the dreaded ransom note, no matter what time of day, their next call might well be to US cybersecurity firm Mandiant.

“The typical situation is that they don’t see it coming and then all of a sudden they experience a devastating impact,” says Dr Jamie Collier, Mandiant’s senior threat intelligence adviser.

The importance of computer systems to company supply chains, he says, affords enormous power to any hackers who breach their defences.

“It provides a huge amount of leverage and allows these groups to demand significantly higher extortion fees than they would have done in the past.”

While Mandiant’s teams go to work trying to fix or mitigate the damage, the victims enter negotiations with the hackers, who often act as if they are striking a legitimate business deal.

“Threat groups are very approachable,” says Dr Collier. “You’ll see them recruit English speakers who can deal with it [negotiations], almost like customer service where you can make contact and interact in a professional way.”

Hackers, he says, will even hand-hold executives through the process of buying and transferring the cryptocurrency favoured for ransom payments.

A sign at an Exxon station saying out of gas after a cyber-attack crippled the biggest fuel pipeline in the country, run by Colonial Pipeline. Photograph: Yuri Gripas/Reuters

Depending on the sophistication of the attack, the damage done by a prolonged shutdown, and whether the likes of Mandiant can fix it, there is sometimes little choice but to pay.

On top of operational disruption, firms risk regulatory fines if data is leaked, as well as huge damage to their reputations.

Many now have cyber insurance that offers them the option of letting the insurer pick up the tab, albeit while drawing criticism that such payouts potentially fuel future attacks.

In May 2021, the DarkSide ransomware gang – often rumoured to be linked to REvil – took down fuel supplier Colonial Pipeline. As petrol stations ran dry and American motorists panicked, the company had little option but to hand over $4.4m (£3.3m).

In the case of Travelex, even coughing up didn’t help. The biggest factor in the collapse of Travelex in August 2020 may have been the effects of Covid-19 on tourism but lingering damage from a ransomware attack earlier that year helped tip it over the edge. Travelex reportedly paid a $2.3m ransom but the loss of trust from customers was lasting.

Ransomware attacks are on the rise. There were 1,396 in 2020, according to Ransom-DB, which tracks such incidents. The number nearly doubled to 2,699 in 2021, with about 35-40% of cases ending in a ransom payment.

The likelihood, Ransom-DB says, is that many more go unreported. In the UK, the body responsible for stemming the tide is the National Cyber Security Centre (NCSC).

Its deputy director of incident management, Eleanor Fairford, says: “As long as cybercriminals make gains, as long as people pay them, it’s a business model that is very lucrative. There’s no reason why it should stop.”

Some have proposed banning companies from paying ransoms, in theory removing the incentive for such attacks. This, warns Fairford, may just result in companies failing to report attacks or simply going out of business.

The challenges for those trying to stem the tide are manifold. Gangs are anonymous, rebranding, and relocating as quickly as the authorities can find them.

Increasingly, they work together to pool specialised knowledge. There are even “initial access” brokers connecting firms which are good at infiltrating systems to others who are better at deploying ransomware once inside.

Perhaps the greatest obstacle is that the countries from which hackers operate, dominated by Russian and former Soviet states, have shown little appetite to stop them. “It might be of benefit to certain states to have these gangs annoying the west, plus the impact is not in the states from which it originates,” says Fairford.

The FSB’s show of strength against REvil, she says, may be little more than theatre, or diplomatic expediency. “I don’t think anybody seriously views this as the beginning of the end of ransomware, at the hands of the Russian state. It’s some sort of token attempt to show movement.”

The only solution, experts agree, is for firms to take every precaution to defend against some of the most well-known weaknesses that ransomware gangs exploit, often via individual staff members.

These include the computers staff use to work remotely, an increasingly common target as the pandemic led to more people working from home.

Helge Janicke, research director of the Cyber Security Cooperative Research Centre in Australia, stresses the need for “awareness of your workforce, having effective technical controls and integrating ransomware attacks in your organisation’s incident response and disaster recovery plans”.

“The key is being prepared.”


Rob Davies and Dan Milmo

The Guardian