Cybercrime is up 600% during the COVID-19 pandemic. That staggering statistic from a 2021 PurpleSec report includes all forms of cybercrime, from theft or embezzlement to data hacking and destruction. The rise of cybercrime is expected to cost companies around the world $10.5 trillion annually by 2025, up from $3 trillion in 2015. This rapid increase has even led the US research firm Cybersecurity Ventures to call modern cybercrime “the greatest transfer of economic wealth in history”.
The digitally dependent pandemic era of remote work and disrupted security has accelerated these cybercrime trends. Between 2019 and 2020, global ransomware attacks rose by 62%, and North American ransomware attacks by 158%, according to cybersecurity firm SonicWall’s 2021 report. The FBI received nearly 2,500 ransomware complaints in 2020, up about 20% from 2019, according to its annual Internet Crime Report, and the collective cost of the ransomware attacks reported to the bureau in 2020 amounted to roughly $29.1 million, up more than 200% from $8.9 million just one year earlier.
“Without question, we’re seeing an explosion of ransomware attacks. We’ve seen ransomware grow to a point where now it’s not just about locking up data and just collecting a ransom to release that data. It’s about extortion,” said Steve Morgan, CEO of Cybersecurity Ventures. “The largest reason for the increase in these attacks is that more companies are choosing to pay the ransom to get their data back, and cybercriminals are taking note. It’s the proverbial get rich quick scheme for a lot of criminals.”
In 2021 alone, Kaseya VSA, a remote monitoring and management (RMM) platform, was the victim of a ransomware attack in which the attackers demanded $70 million to release the encrypted data. The world’s biggest oil and gas company, Saudi Aramco, experienced a data breach and a demand for $50 million. And Colonial Pipeline, the largest petroleum pipeline in the US, was breached and paid a ransom of $4.4 million, in addition to suffering huge losses from operational downtime during the incident.
The individuals involved in these attacks remain anonymous and are suspected to reside in countries other than their targets’, and firms often have little choice but to pay the ransom or face even greater losses. A recent report from the Institute for Security and Technology found that the amount victims paid in ransoms increased more than 300% from 2019 to 2020, most of it in Bitcoin, whose pseudonymity makes payments hard to trace and whose value rose by more than 800% between April 2020 and April 2021. The main reason for this rapid rise in ransomware attacks is that they work: attackers can receive huge sums of money relatively quickly and easily, with minimal risk of being caught and even less risk of being prosecuted.
“It’s very difficult to prosecute, it takes a long time, it takes cooperation geopolitically because most of these attacks come from offshore,” said Lisa Donnan, partner at the cybersecurity private equity investor Option3Ventures. “The government only has so many resources. It doesn’t take a lot of tools or brain capacity to do these things. You can buy a tool kit on the dark web.”
“Imagine if people were able to rob banks, walk away with money and never get caught. Would we have more or less bank robberies?” Roger Grimes, cyber defense specialist at KnowBe4, told the PBS NewsHour. “I don’t think a lack of laws or regulations is our problem. [Cybercriminals] are mostly untouchable already. You could threaten them with the death penalty and they would laugh.”
The other major reason for the rise in cybercrime is the growing number of potential entry points and the inadequate security applied to them. Here, smart buildings present plenty of opportunity for attackers to infiltrate corporate networks, seize confidential information, disrupt operations and hold companies to ransom. Buildings have become highly digitally controlled physical spaces, where connected devices manage everything from HVAC and lighting to surveillance and access control. That means an attacker who reaches the building network can remotely influence the physical space: locking people in or out, making the facility unbearable for occupants, or even damaging physical assets, for instance by driving the temperature in a server room beyond what the equipment tolerates.
“It used to be about financial exfiltration, stealing money, and reputational damage. It’s now in a life-threatening environment. That is a dramatic change,” Donnan said in an interview with The Guardian. “The landscape is ripe and ready for attack from a perfect storm of hackers, nation states and the average cybercriminal. We still have a culture of ‘get to market, be first’. We are designing code without security in mind.”
Attacks against smart buildings are on the rise, and buildings are only getting more vulnerable as more and more unsecured devices hit the market. Even BACnet, one of the most widely used data-layer protocols for HVAC control, provides no encryption and no authentication in its common BACnet/IP form: any host that can reach the building network can enumerate and command devices. A secured variant, BACnet Secure Connect (BACnet/SC), wraps the traffic in TLS, but it is not used widely enough, and when it is, the surrounding deployment is often still not secure, mainly because facilities management lacks the technical understanding and resources. According to Cybersecurity Ventures, there are an incredible 3.5 million unfilled cybersecurity jobs worldwide, driving up the cost of cybersecurity and ensuring that buildings could remain vulnerable for a long time.
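To make the BACnet point concrete, here is an added example (written for this edit, not code from the article or from any vendor) in Python that builds the BACnet/IP Who-Is broadcast used for device discovery and decodes the I-Am replies. Read the frames it produces: there is no credential anywhere in them, which is why an unencrypted BACnet/IP segment can be inventoried, and then commanded, by any host that can reach it. The sample I-Am frame, the device instance 1234 and the vendor id 260 are constructed values; the protocol constants follow ASHRAE 135 Annex J.

```python
"""Minimal BACnet/IP Who-Is / I-Am codec (added example, not from the article)."""
import socket
import struct
from typing import Optional

BACNET_PORT = 47808                       # 0xBAC0, the default BACnet/IP UDP port
BVLC_TYPE_IP = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
NPDU_VERSION = 0x01
# NPDU control 0x20 = destination present; DNET 0xFFFF (global broadcast), DLEN 0, hop count 255
NPDU_GLOBAL_BROADCAST = b"\x20\xff\xff\x00\xff"
APDU_UNCONFIRMED_REQUEST = 0x10
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJECT_TYPE_DEVICE = 8
SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}

# Constructed I-Am reply, as a device on the segment would broadcast it.
SAMPLE_I_AM = bytes.fromhex(
    "810b0019"          # BVLC: BACnet/IP, Original-Broadcast-NPDU, total length 25
    "0120ffff00ff"      # NPDU: version 1, global broadcast, hop count 255
    "1000"              # APDU: Unconfirmed-Request, service I-Am
    "c4020004d2"        # object identifier: type 8 (device), instance 1234
    "2205c4"            # max APDU length accepted: 1476
    "9103"              # segmentation supported: 3 (none)
    "220104"            # vendor id: 260 (constructed value)
)


def _encode_unsigned(value: int) -> bytes:
    """BACnet unsigned integers are big-endian with no leading zero octets."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def build_who_is(low: Optional[int] = None, high: Optional[int] = None) -> bytes:
    """Return a global-broadcast Who-Is, optionally limited to a device-instance range."""
    apdu = bytes([APDU_UNCONFIRMED_REQUEST, SERVICE_WHO_IS])
    if low is not None and high is not None:
        for tag_number, value in ((0, low), (1, high)):
            enc = _encode_unsigned(value)
            # context tag octet: tag number << 4 | class bit 0x08 | length
            apdu += bytes([(tag_number << 4) | 0x08 | len(enc)]) + enc
    body = bytes([NPDU_VERSION]) + NPDU_GLOBAL_BROADCAST + apdu
    return bytes([BVLC_TYPE_IP, BVLC_ORIGINAL_BROADCAST]) + struct.pack(">H", 4 + len(body)) + body


def _skip_npdu(buf: bytes, pos: int) -> int:
    """Advance past the NPDU header, honouring the optional DNET/SNET fields."""
    control = buf[pos + 1]
    pos += 2
    if control & 0x20:                    # destination: DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + buf[pos + 2]
    if control & 0x08:                    # source: SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + buf[pos + 2]
    if control & 0x20:                    # hop count follows when a destination is present
        pos += 1
    return pos


def _read_tag(buf: bytes, pos: int):
    """Decode one application tag; return (tag_number, value_bytes, next_pos)."""
    number, lvt = buf[pos] >> 4, buf[pos] & 0x07
    pos += 1
    if lvt == 5:                          # extended length in the next octet (lengths < 254)
        lvt, pos = buf[pos], pos + 1
    return number, buf[pos:pos + lvt], pos + lvt


def parse_i_am(frame: bytes) -> dict:
    """Decode an I-Am frame into device instance, max APDU, segmentation and vendor id."""
    if frame[0] != BVLC_TYPE_IP or frame[1] not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
        raise ValueError("not an original BACnet/IP NPDU")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length mismatch")
    pos = _skip_npdu(frame, 4)
    if frame[pos] != APDU_UNCONFIRMED_REQUEST or frame[pos + 1] != SERVICE_I_AM:
        raise ValueError("not an I-Am")
    pos += 2
    fields = []
    while pos < len(frame):
        _, value, pos = _read_tag(frame, pos)
        fields.append(int.from_bytes(value, "big"))
    obj_id, max_apdu, segmentation, vendor_id = fields
    if obj_id >> 22 != OBJECT_TYPE_DEVICE:
        raise ValueError("I-Am must carry a device object identifier")
    return {"device_instance": obj_id & 0x3FFFFF, "max_apdu": max_apdu,
            "segmentation": SEGMENTATION.get(segmentation, segmentation), "vendor_id": vendor_id}


def discover(interface_ip: str = "", timeout: float = 3.0) -> list:
    """Broadcast Who-Is on the local segment and collect I-Am replies.
    Run only on networks you are authorised to assess; no reply is authenticated."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind((interface_ip, BACNET_PORT))
    sock.settimeout(timeout)
    sock.sendto(build_who_is(), ("255.255.255.255", BACNET_PORT))
    found = []
    try:
        while True:
            data, (addr, _) = sock.recvfrom(1500)
            try:
                found.append((addr, parse_i_am(data)))
            except ValueError:
                continue                  # other BACnet traffic on the segment
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    print(build_who_is().hex())           # the entire request: no credential in it
    print(parse_i_am(SAMPLE_I_AM))
```

The same codec serves as a check for an operator: running `discover()` from an ordinary workstation that can reach the building network, and getting device instances back, is direct evidence that the BACnet segment is neither isolated nor authenticated.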
“If this is the new normal, they are winning,” said Paul Ferrillo, a partner at cybersecurity specialist law firm Seyfarth Shaw. “These criminal actors are well-funded and smart whether they are state-funded or not. We need to be as smart as they are,” he continued. “Companies have often hidden hacks because they don’t want to look like ‘doofuses’, but when industry shares information, we all get smarter. We understand where we should look and how we should do better. Cybersecurity is a shared responsibility. We are all in this together.”