Ransomware is becoming a systemic threat to Europe’s economy by Jean-Louis Gergorin, former Executive VP for Strategy of EADS, and Léo Isaac-Dognin, Director for Digital Trust, Capgemini Invent, Paris
Cybercrime entered a new chapter in 2020. What was once an emerging threat is now a full-blown risk to economic activity across the globe. Europe is a top target due to the combination of its considerable wealth and relatively high level of digitisation.
The pandemic has added fuel to the fire
Ransomware attacks, whereby hackers encrypt their target’s data and threaten to delete it unless a ransom is paid under short notice, have become the primary concern. Recent reports by agencies such as France’s ANSSI1 indicate that the number of incidents is projected to quadruple in 2020. The Covid-19 pandemic has added fuel to the fire: a climate of fear and uncertainty, in addition to the increased reliance on digital infrastructure, has made it easier than ever for hackers to trick victims into infecting their systems. Not to mention the widespread availability of packaged ransomware tools across the dark web, or what criminals and law enforcement now call a ‘malware-as-a-service’ model.
Cybercriminals are becoming more confident, and they have every reason to. The average ransomware payment asked of SMEs has doubled in a year, now reaching over 6000 € per target. In the case of larger corporations, a single attack can bring in several million euros in the space of days to top cybercriminals.2 While the upside is high, operational costs are low and downside risks are limited. Criminals have little to lose: their attacks may be blocked, but there has yet to be significant consequences for most of them. If anything, criminals have been among the greatest beneficiaries of the digital revolution: they can attack thousands of targets at the click of a button, all while staying in the shadows.
Cybercriminals have become indiscriminately in their attacks, targeting everything from large corporations to small suppliers, universities and public service providers, with a marked focus on healthcare facilities. Last May, Europe’s largest private hospital operator Fresenius, also a key provider of dialysis kits in high demand during Covid-19, was hit with a particularly sophisticated ransomware that significantly disrupted operations on a global scale.
The golden age of cyberpiracy
Taking into account both the costs of ransoms paid and the cost of IT downtime, security experts estimate that the total cost of ransomware in 2020 will range from $1.1 to 4.3 billion in Italy, $1 to 4 billion in Germany, and $830 million to 3.3 billion in Spain3. Existing data makes it difficult to obtain precise ranges, but even with conservative parameters, the economic and social costs are daunting.
Such widescale activity cannot happen without certain forms of state passivity, and in some cases state sponsorship. Private cybersecurity firms and law enforcement converge on the idea that the most significant ransomware threats, including Ryuk and Dridex, are run by criminal enterprises, with significant operations running out of non-European Union countries – Russophone countries in the case of the aforementioned malwares.4 The situation resembles the conditions that led to the “golden age” of piracy of the 16th century, where pirates blossomed across the Atlantic and were systematically instrumentalised, if not directly mandated by states like Britain, France or the Netherlands to weaken enemies, in particular Spain, the wealthiest power of the time.
Three centuries ago, piracy ceased once global powers of the time decided it was hampering economic development. Today, Europe cannot become an area with security standards and policy that do not match its prosperity, where pirates feel that they roam and loot freely.
European law enforcement agencies have made remarkable strides in moving online to tackle organised crime in the physical world, particularly drug and human trafficking, and to a lesser extent child pornography, but they need help in tackling ‘pure’ cybercrime. On 20th November, the UK formally confirmed it has set up a National Cyber Force that will work closely alongside intelligence agencies, most notably the Government Communications Headquarters (GCHQ), as a new unified command to tackle cyberthreats through offensive cyber-operations, including against criminals. EU Member States should take stock off this approach, both by considering all means to deprive cybercriminals of the sanctuaries constituted by countries not signatory to the Budapest Convention on Cybercrime, and by pursuing greater information sharing between cybersecurity agencies, intelligence, and key industrial partners.
Trade relations can be a powerful tool
EU leaders and policymakers also need to rise to the challenge. Individual travel bans and asset freezing, as recently enacted by the EU against Russia, China and North Korea-based actors already sanctioned by the US for cyberattacks dating back to 2017-2018,5 will not deter seasoned cybercriminals. Will Member States and EU institutions remain silent while businesses and critical infrastructure are attacked daily? The Union should leverage its economic strength and make known that trade relations with third party states will henceforth take account of their efforts to tackle cybercrime within their borders, linking trade terms to targets in cybercrime reduction, and helping states that do not have the means to tackle them independently. Western leaders must bring this topic to the table in their discussions with global counterparts. The urgency and scale of the issue justifies that the Council appoint an EU Cybersecurity Coordinator to coordinate strategy, intelligence sharing, defence policy and align Member State positions on the matter.
One decade ago, Europe took a strong stand in tackling piracy in the gulf of Aden, directly contributing to the drastic reduction of incidents in the region by setting up the EU NAVFOR mission in 2008, garnering the cooperation of partners such as the US, China and India, and working within the region to tackle the economic conditions that lead to piracy.
Similar steps need to be taken to tackle cyberpiracy.