A growing volume of cyber-attacks on governments around the world is showing how ransomware is being used by cybercriminal groups for more than financial extortion. Experts now say that ransomware groups are leveraging the specialised malware to turn their attention towards governments, to disrupt public services, steal sensitive public records, and even exploit government-linked cyber insurance.
Ransomware is a specific type of malware that, once it runs on a device, encrypts the files on it to prevent the user from accessing them. The malware then demands a ransom in exchange for decrypting the victim’s data; if the ransom is not paid, the result can be disruption of services in both the public and private sectors. Ransomware has typically been used to extort money from corporations.
Akshat Jain, co-founder and chief technology officer (CTO) of Indian cyber security firm Cyware, said that by targeting governments, ransomware groups get access to sensitive civic data, government schemes and internal plans. “This data can be used for highly targeted, customized attacks against individuals belonging to vulnerable demographic groups, or businesses that deal with government departments,” Jain added.
A clear case in point happened earlier this month in the Central American nation of Costa Rica, which was targeted by the Conti ransomware group.
On May 8, Costa Rican president Rodrigo Chaves declared a state of national emergency after multiple government departments were breached. A report by Bleeping Computer also stated that Conti has since published over 650GB of data on the dark web, belonging to various government agencies of the country.
During the same time, Conti also infiltrated South American nation Peru’s National Directorate of Intelligence to steal 9.1GB of sensitive data from the government agency. Both Costa Rica and Peru refused to pay the $10 million ransom demand made by Conti. In fact, on May 18, Chaves said his country was “at war” with the Conti ransomware group.
In a blog post on May 26, Sergey Shykevich, threat intelligence group manager at cyber security firm Check Point, wrote that the underlying factor in the latest attacks is Conti’s effort to incite civil disruption in the two nations and to interfere in a nation’s political process in an attempt to overthrow an existing government.
While using ransomware in an attempt to overthrow a government was a first, experts state that government bodies have been increasingly targeted by ransomware groups around the world for at least two years now. Moreover, while governments are less likely to pay a ransom, the real value – as seen in the latest Conti attacks – lies in the nature of the exploited data.
Sanjay Katkar, CTO of Indian cyber security services company Quick Heal, said that the biggest threat of ransomware targeting governments lies in the disruption of public services, which could leave such departments at risk of being compelled to pay the ransom. “There is also cyber insurance involved, coupled with infrastructure that is often easier to breach – these factors combine to make government departments a prime target for ransomware,” he said.
Cyware’s Jain added that in cyber warfare activities, modern-day ransomware groups can potentially bring down critical public services that include “power grid, financial system, communication systems, government agencies, healthcare providers, educational institutions and others.”
While direct warfare is still not a regular arena for ransomware groups, these experts state that their increasing impact on public life cannot be ignored.
Such instances have been seen in India as well, when Mumbai faced a power blackout in October 2020 due to a state-sponsored cyber-attack on connected power grids. There was, however, no official confirmation of ransomware in this incident.
In April this year, upstream oil exploration company Oil India Limited (OIL) reportedly faced a ransomware attack on the operational infrastructure at its field headquarters in Assam. The attackers, who planted Russian malware through a server hosted in Nigeria, had reportedly demanded $7.5 million in ransom, which OIL claimed was not paid.
A report on global ransomware attacks by US-based cyber security firm Trellix published in April this year said that such attacks on critical infrastructure and government-linked bodies in India rose by 70% year on year in the last quarter of 2021. A year-end report for 2021 published by the USA’s central intelligence body, Federal Bureau of Investigation, stated that local governments of counties across the USA were targeted by ransomware groups more than ever before.
Quick Heal’s Katkar said that while such attacks have not yet been seen in India, the impact of this global activity cannot be ignored.