AILSA CHANG, HOST:
The federal government has managed to recover most of the ransom that Colonial Pipeline paid in Bitcoin last month. These attacks are happening at a rate of one every eight minutes, and they involve payments made in cryptocurrency. NPR's David Gura explains why.
DAVID GURA, BYLINE: What many executives wrote off as a nuisance or as the cost of doing business has become a threat to national security.
(SOUNDBITE OF TV SHOW, "WORLD NEWS TONIGHT WITH DAVID MUIR")
DAVID MUIR: New fallout - the long lines for gas, some gas stations running out after that massive cyberattack.
GURA: That hack of Colonial Pipeline put 45% of the fuel on the East Coast at risk. Another attack targeted the food supply.
(SOUNDBITE OF TV SHOW, "CBS EVENING NEWS WITH NORAH O'DONNELL")
NORAH O'DONNELL: The target was the world's largest meat-processing company JBS.
GURA: Cyber-risk consultant Juan Zarate says the threat landscape is changing.
JUAN ZARATE: What you've had, I think, over the last year and a half, two years is an uptick in the number of ransom attacks, the amount being demanded and the level of sophistication of those attacks to include hitting fairly sizable and important infrastructure and sectors.
GURA: Zarate worked in the Treasury Department on terrorist financing and financial crimes. And he says companies are held hostage, data are at risk and there's growing concern about collateral damage, which is why the CEO of Colonial Pipeline agreed to pay that ransom in the first place - to get vital systems back online, as he explained to NPR.
(SOUNDBITE OF ARCHIVED NPR BROADCAST)
JOE BLOUNT: And if owning that - the encryption tool gets you there quicker, then it's the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country.
GURA: Many systems are not secure. Too often, companies treat security as an add-on, and over the last year, they've become even more susceptible. Holden Triplett used to run the FBI's office in Beijing. He worked for the bureau in Moscow as well. And he says with remote work, the vulnerabilities just exploded.
HOLDEN TRIPLETT: Now, everyone's home. They're on personal routers. Sometimes, they're on personal systems. And that has really changed the landscape.
GURA: There are more attacks. And Juan Zarate, whose consulting clients include banks and the cryptocurrency exchange Coinbase, says ransomware has become professionalized.
ZARATE: I think ransomware has become an industry. And there's an infrastructure and set of actors and systems that are attached to this that has made it easier to engage in.
GURA: The Russia-based criminal group behind the Colonial Pipeline attack, known as DarkSide, has what's essentially customer service to help companies pay ransoms. Kiersten Todt says nowadays, executives can hire consultants who will communicate with criminals after an attack and facilitate payments in crypto. Todt led the Obama administration's Commission on Enhancing National Cybersecurity, and she helps corporations game out what they do if they're targeted.
KIERSTEN TODT: You see a lot of companies that are purchasing Bitcoin, purchasing cryptocurrency, so if confronted with a ransomware attack, they have that available to them.
GURA: This is new territory for management, with ethical and legal issues to sort through. And Juan Zarate says a defining feature of this environment is the demand for digital currency.
ZARATE: We would have had ransomware anyway, and we did. And you would have seen cyber actors using these, and they do. But crypto, in some ways, has become a feature of that ecosystem, which in many ways has made it easier for these actors to transact and to hide their tracks.
GURA: Usually, they are able to do that. The trail becomes harder to follow as it crisscrosses the globe. And regulation varies from country to country, although it's generally pretty light. But in the case of Colonial Pipeline, the Justice Department did manage to locate and access those assets. But the deputy attorney general, Lisa Monaco, is adamant U.S. companies should not look at what happened this week and expect the federal government will be able to help them recover every ransom payment. There are simply too many of them - 65,000 last year alone.
David Gura, NPR News, New York. Transcript provided by NPR, Copyright NPR.
