'Barely able to keep up': America's cyberwarriors are spread thin by attacks

A once-quiet epidemic, ransomware has emerged in 2021 as a major national security issue.
Fuel holding tanks at Colonial Pipeline's Linden Junction Tank Farm on May 10, 2021 in Woodbridge, N.J. (Michael M. Santiago / Getty Images file)

Charles Carmakal has a problem: Ransomware has become so prolific that he has too much business.

“We’re getting calls from organizations almost every single day,” Carmakal, the chief technology officer at the cybersecurity giant Mandiant, said in a phone call. “We’re barely able to keep up.”

And that was before cybersecurity professionals had to deal with one of the most pervasive ransomware attacks ever: the hack of the software company Kaseya, which allowed one ransomware group to infect more than 1,500 organizations last weekend.

The cybersecurity industry is stretched thin. Ransomware attacks are now so prolific that some companies simply cannot help every newly hacked victim get back online. And a shortage of workers means no immediate help in sight.

“I feel bad, but we turn down a lot of organizations because we don’t have the capacity to help them,” Carmakal said.

A once-quiet epidemic, ransomware — in which hackers, often from Russia or other former Soviet bloc countries, break into private computer systems to encrypt and often steal files to hold for ransom — has emerged in 2021 as a major national security issue. In recent months, ransomware gangs have launched several high-profile attacks, including on a major pipeline and a meat supplier, and frequently hampered schools and hospitals. Ransomware cost American victims an estimated $1.4 billion last year.

The pace of attacks is relentless, leading to renewed efforts from President Joe Biden to “deliver” a message to Putin that they’re unacceptable. In mid-June, Biden met with Russian leader Vladimir Putin and discussed the issue, stressing how much ransomware emanates from Russia, where the criminals behind it seem to operate with impunity. Over the following two weeks, confirmed ransomware attacks briefly went “down” to just over 100 publicly confirmed new cases, said Allan Liska, an analyst at the cybersecurity company Recorded Future. Most victims were American.

But then ransomware exploded again. One of the most prolific ransomware gangs, REvil, conducted its boldest attacks yet over the Fourth of July weekend, on Kaseya, which services customers who in turn contract with thousands of businesses. Though the dust has yet to settle, researchers say the hack allowed REvil to infect more than 1,500 different organizations. The gang seems to have bitten off more than it can chew and has asked for a $70 million lump sum to unlock all infected computers.

Jake Williams, the chief technology officer at the cybersecurity company Breachquest, said his company had drastically increased the number of ransomware cases it handled even before the Fourth of July spree.

“We’re having to be selective on some of the cases we’re taking,” Williams said. Breachquest has had to hire subcontractors to manage the influx of work, he said.

“I’ve never been in a position like this before, where I’m choosing work based on what I’m most interested in working today,” he said.

Cybersecurity professionals can barely keep up despite significant industry growth in recent years — and plenty more money is pouring in. That money is chasing a limited talent pool, with almost a half-million cybersecurity jobs unfilled, according to CyberSeek, a project that tracks the industry and is sponsored by the federal National Institute of Standards and Technology.

The government is also on a massive hiring spree, with the Department of Homeland Security racing to fill more than 2,000 cybersecurity jobs. Secretary Alejandro Mayorkas called it a victory last week that it had recently onboarded almost 300 new employees and offered jobs to 500 more.

It’s a problem that some in the cybersecurity industry are hoping to address even in the years to come. The National Cryptologic Foundation, a nonprofit affiliate for the National Security Agency, offers free educational materials to middle schools. The Center for Infrastructure Assurance and Security at the University of Texas at San Antonio has produced free cybersecurity educational games for students in an effort to inspire young people to consider careers in the industry.

But the current work is still a hard job, exacerbated by the long, stressful hours that cybersecurity incident responders have to spend putting out the fires that ransomware lights, said Dmitri Alperovitch, the chair of the Silverado Policy Accelerator, a technology-focused think tank, and an original founder of the cybersecurity firm CrowdStrike.

“There are only so many Friday night family dinners, weekends and holidays you are going to be willing to miss before you decide to pursue another, more comfortable line of work,” Alperovitch said.

“So generally people don’t stay long doing front-line incident response,” he said. “It’s a job that burns people out quickly.”