In The Ransomware Battle, Cybercriminals Have The Upper Hand

Apr 29, 2021
Originally published on April 29, 2021 8:23 am

The NBA's Houston Rockets were hit by a ransomware attack earlier this month. Now it's the Washington, D.C., police department. The common thread is a ransomware group called Babuk, which was unknown and likely didn't exist until it began posting on the dark web early this year.

This group is just one of many that reflect the proliferation of ransomware outfits that are increasingly sophisticated, specialized and largely beyond the reach of law enforcement.

In short, the cybercriminals have the upper hand, while U.S. authorities and those targeted are struggling to keep up, according to cybersecurity experts.

"There are certainly cases where people have been caught for running ransomware attacks, but it seems like it is a pretty small minority," said Ryan Olson, vice president of threat intelligence at the cybersecurity firm Palo Alto Networks. "It doesn't seem like there's a high likelihood of a ransomware attacker today ending up in handcuffs."

Higher ransoms

Solid numbers are hard to come by since many attackers and victims don't want to be identified. But Palo Alto Networks was able to gather information on more than 300 cases worldwide last year that reflected several clear trends.

— Payments are soaring. The average ransomware payment in the U.S., Canada and Europe nearly tripled last year, going from $115,000 in 2019 to $312,000 in 2020.

— The U.S. remains the most targeted country by far, suffering 151 of the attacks last year, or nearly half of those in which information was available.

— A rise in "double extortion." This is when an attacker seizes data and demands payment. If the money isn't forthcoming, the attackers will publish the data in an attempt to damage or embarrass the victim.

Many ransomware groups are believed to be operating from Russia and parts of Eastern Europe — countries that don't extradite suspects to the U.S. Still, it's hard to nail down the exact locations of the attackers since so few cases result in arrests and prosecutions.

A task force made up of cyber experts from government, academia and the private tech sector released a report Thursday that calls ransomware a "national security risk that threatens schools, hospitals, businesses, and governments across the globe." The report includes dozens of recommendations, including a call for increased international cooperation.

In the D.C. case, the Babuk hackers said Monday they had seized a large cache of computer records from the D.C. police department, and unless they receive an undisclosed ransom payment, they'll post confidential police files.

The D.C. police have confirmed the breach, but haven't provided details.

Cybersecurity experts say the D.C. police would be trying to determine a number of basic facts about the stolen data. Is it mission-critical information needed to make arrests and prosecutions? Or is it mostly information that could be embarrassing and disrupt operations in a limited way, like revealing the disciplinary records of police officers or publishing the names of police informants?

Those are just a few of the factors that could determine whether the police pay a ransom, and if so, how much.

The reality is that many cases do end with ransoms being paid.


Babuk has posted statements on the dark web in fractured English and Russian, suggesting it may be a Russian organization.

The group calls itself a bunch of "cyberpunks" who describe their work as "audits" that test the cybersecurity of organizations.

The group lays out a strange list of organizations it will and won't attack. Babuk says it won't go after hospitals or medical facilities — except for plastic surgery and private dental clinics.

Babuk considers charitable foundations to be off-limits but says it will pursue those that support the Black Lives Matter movement or LGBT organizations.

Babuk also pledges to refrain from hitting companies with annual revenue of less than "4 mln$." That style reflects the way a monetary figure would be written in Russian, rather than the way it would typically be written in English, as "$4 million."

According to Kimberly Goody, manager of cybercrime analysis for Mandiant Threat Intelligence, ransomware attackers like Babuk now tend to be highly specialized. They often partner to carry out different parts of an attack, then split up the ransom money afterward.

"With a typical ransomware operation that we see today, one threat actor is gaining access to organizations, another is deploying the ransomware, and then maybe a third party is providing the ransomware that is actually deployed," she said.

Vulnerable groups

In the attacks, two groups are frequent targets — hospitals and local governments.

With hospitals, patient data can be a matter of life and death. If attackers lock up a hospital's computers, it has to respond urgently and that almost always means paying a ransom.

Both hospitals and municipal governments are considered prime targets for other reasons. They have money to pay ransoms, and increasingly they have insurance that will help cover the cost.

They tend to be vulnerable because they have large numbers of people logging on to their computer systems, and many have invested little in cybersecurity.

More than two dozen local governments have reportedly been hit so far this year.

Attackers do go after small towns and organizations, which will likely have limited cyberdefenses. But with little fear of prosecution, cybercriminals often prefer bigger targets with deeper pockets.

"Threat actors have been targeting organizations that would be considered larger Fortune 500 companies, instead of smaller organizations, partially because they can elicit higher payments from larger organizations," said Goody.

For several years now, ransomware groups have demanded payment in cryptocurrencies, which can be difficult, though not impossible, to trace.

Olson, of Palo Alto Networks, says ransomware groups can be most at risk of being identified "when they're moving money around inside the financial system, rather than when they're actually launching the attacks."

"That's where there's a lot of data that gets attached to an actual human with a name. And those suspicious transfers can really stand out," he added.

Greg Myre is an NPR national security correspondent. Follow him @gregmyre1.

Copyright 2021 NPR. To see more, visit


Hackers say they have seized many computer records from the Washington, D.C., police. They're demanding ransom money or else they'll go public with confidential police files. This is an example of an all-too-common story. Ransomware has become an industry. NPR national security correspondent Greg Myre is here. Greg, good morning.


INSKEEP: OK. So what happened to the D.C. police?

MYRE: Well, a known ransomware group posted on the dark web this week that it had captured all this data. And it's posted a few screenshots to prove its claim. Now, the D.C. police have confirmed a breach. But they haven't provided details. They're certainly trying to determine very urgently if this is mission critical data, stuff they would need for arrests and prosecution. Or is it mostly just kind of embarrassing stuff like, perhaps, disciplinary records of police officers, names of police informants.

INSKEEP: OK. So they're investigating this. And we said this is common. Is it typical that people end up paying the ransom?

MYRE: Yes. It really is, Steve. Cybercriminals have the upper hand right now. Just one example - more than two dozen U.S. municipalities have already been hit this year. And overall, payments are skyrocketing. It's hard to get definitive figures because many victims don't want to go public. But Palo Alto Networks, a cybersecurity firm, says the average payment almost tripled last year, went from a little over 100,000 in 2019 to more than 300,000 last year.


MYRE: We also know the U.S. is the most targeted country. Many of the attackers are from Russia and Eastern Europe. And they're rarely arrested. Here's Ryan Olson of Palo Alto Networks.

RYAN OLSON: There are certainly cases where people have been caught from running ransomware attacks. But it seems like it is a pretty small minority. It doesn't seem like there's a high likelihood of a ransomware attacker today ending up in handcuffs.

MYRE: And that's because countries like Russia, for example, would never extradite a suspect to the U.S.

INSKEEP: OK. So what is known about the Washington, D.C., attackers?

MYRE: So there's a group that calls itself Babuk. And it emerged on the dark web just earlier this year. It puts out statements in sort of awkward English and Russian, which suggests but doesn't prove they may be Russian. They've also been blamed for a recent attack against the NBA's Houston Rockets. And according to Kimberly Goody, who follows cybercrime at the firm Mandiant, ransomware attackers like Babuk are now very, very specialized. And they often partner up with someone or two or three other groups to carry out an attack and then split up the ransom money afterward. Here's what she said.

KIMBERLY GOODY: With a typical ransomware operation that we see today, one threat actor is gaining access to organizations. Another is deploying the ransomware. And then maybe a third party altogether is providing the ransomware that is actually deployed.

INSKEEP: So who has to be most worried about this happening to them?

MYRE: So basically, everybody. Anybody can get hit. And these are often crimes of opportunity. But two groups in particular stand out, hospitals and local governments. With hospitals, obviously, data on patients is a life and death matter. If attackers lock up a computer system there, they have to respond urgently. And that almost always means paying ransom. And also, both hospitals and municipal governments do have money. They have lots of people logging onto their computer systems. Some now have insurance to pay a ransom. So they're often prime targets. The Biden administration says it will soon announce plans to upgrade cybersecurity. But it's not clear how they plan to combat ransomware.

INSKEEP: Greg, thanks so much.

MYRE: My pleasure.

INSKEEP: NPR's Greg Myre.

(SOUNDBITE OF SUBLAB AND AZALEH'S "ARCANUM") Transcript provided by NPR, Copyright NPR.