How the growing Russian ransomware threat is costing companies dear
With KP Snacks the latest cyber-attack victim, firms must learn to defend themselves against a mounting menace
The January snow lay thick on the Moscow ground, as masked officers of the FSB – Russia’s fearsome security agency – prepared to smash down the doors at one of 25 addresses they would raid that day.
Their target was REvil, a shadowy conclave of hackers that claimed to have stolen more than $100m (£74m) a year through “ransomware” attacks, before suddenly disappearing.
As group members were led away in cuffs, FSB officers gathered crypto-wallets containing untold volumes of digital currency such as bitcoin. Others used money-counting machines to tot up dozens of stacks of hundred-dollar bills.
FSB video of the alleged raid (which is entertaining but not that enlightening): pic.twitter.com/awdS3VRdKC
— Mike Eckel (@Mike_Eckel) January 14, 2022
The cybercriminals behind REvil had mastered a form of extortion orchestrated by seizing control of company computer systems and demanding payment to unlock them.
The ramifications of this
In May 2021, the DarkSide ransomware gang – often rumoured to be linked to REvil – took down fuel supplier Colonial Pipeline. As petrol stations ran dry and American motorists panicked, the company had little option but to hand over $4.4m (£3.3m).
In the case of Travelex, even coughing up didn’t help. The biggest factor in the collapse of Travelex in August 2020 may have been the effects of Covid-19 on tourism but lingering damage from a ransomware attack earlier that year helped tip it over the edge. Travelex reportedly paid a $2.3m ransom but the loss of trust from customers was lasting.
Ransomware attacks are on the rise. There were 1,396 in 2020, according to Ransom-DB, which tracks such incidents. The number nearly doubled to 2,699 in 2021, with about 35-40% of cases ending in a ransom payment.
The likelihood, Ransom-DB says, is that many more go unreported. In the UK, the body responsible for stemming the tide is the National Cyber Security Centre (NCSC).
Its deputy director of incident management, Eleanor Fairford, says: “As long as cybercriminals make gains, as long as people pay them, it’s a business model that is very lucrative. There’s no reason why it should stop.”
Some have proposed banning companies from paying ransoms, in theory removing the incentive for such attacks. This, warns Fairford, may just result in companies failing to report attacks or simply going out of business.
The challenges for those trying to stem the tide are manifold. Gangs are anonymous, and they rebrand and relocate as quickly as the authorities can find them.
Increasingly, they work together to pool specialised knowledge. There are even “initial access” brokers connecting firms which are good at infiltrating systems to others who are better at deploying ransomware once inside.
Perhaps the greatest obstacle is that the countries from which hackers operate, dominated by Russian and former Soviet states, have shown little appetite to stop them. “It might be of benefit to certain states to have these gangs annoying the west, plus the impact is not in the states from which it originates,” says Fairford.
The FSB’s show of strength against REvil, she says, may be little more than theatre, or diplomatic expediency. “I don’t think anybody seriously views this as the beginning of the end of ransomware, at the hands of the Russian state. It’s some sort of token attempt to show movement.”
The only solution, experts agree, is for firms to take every precaution to defend against some of the most well-known weaknesses that ransomware gangs exploit, often via individual staff members.
Helge Janicke, research director of the Cyber Security Cooperative Research Centre in Australia, stresses the need for “awareness of your workforce, having effective technical controls and integrating ransomware attacks in your organisation’s incident response and disaster recovery plans”.
“The key is being prepared.”