The Cyber Pearl Harbor Finally Happened, and it’s Ransomware

cyber pearl harbor ransomware

Since 2007 the InfoSec industry has been talking about TheBigOne™—the event that would change cyber threats from annoyances to existential concerns.

They called it Cyber Pearl Harbor.

The idea was that it’d be some massive blast that would take out the country’s power grid, or disable the entire internet, along with what they used to call e-commerce. That moment hasn’t happened (yet), but I think we’ve become the frog in the boiling cyber-water.

Ransomware is the Cyber Pearl Harbor we’ve been waiting for all along. It just looks different.

google trends ransomware

Google Trends data for the term Ransomware

Some stats:

  • At the time of this writing, Google News returns 7,460,000 results for the term Ransomware. More
  • SafetyDetectives reports the average cost of a ransomware-caused downtime incident has risen from $46,800 in 2018, to $141,000 in 2019, to $283,800 in 2020. More
  • The UHS hospital network, which is a Fortune 500 company with over 400 hospitals, has had multiple hospitals affected which required them to redirect patients to other options. More
  • According to Datto, Ransomware attacks are costing businesses more than $75 billion a year. More

Ransomware groups simply evolve too fast for small school districts with no IT staff.

  • A woman recently died in Germany after she couldn’t receive critical care at her local hospital due to an attack. More
  • A ransomware attack against the New Orleans city government in early 2020 cost the city over $7 million dollars. More
  • New York City’s capital was hit with a ransomware attack in 2019 that took several key services offline. More
  • IBM says 1 in 4 of attacks its X-Force Team sees is caused by Ransomware. More
  • Ransom demands are increasing exponentially. In some cases, IBM Security X-Force is seeing ransom demands of more than $40 million. More
ransomware crossover

My rough scribble of how ransomware sophistication surpassed our defensive capabilities somewhere around 2018

I think the only reason we survived this long without serious disruption to business—like we’re seeing now—is because attackers didn’t have their acts together. Their tooling wasn’t nearly as good as it is now, and they hadn’t linked their tooling with the business models.

Today there are multiple routes to make money from an insecure business. Once they get in—via RDP or Phishing or Drive-bys—they are not only extorting people who want to get their data back.

google trends cph

Google Trends Data for the term Cyber Peal Harbor

Many groups have evolved to realize that some companies have good backups, so they start by stealing a copy of the data for themselves at the beginning of the attack. That way, if someone doesn’t want to pay, they can pivot to a different attack where they threaten to release the data and create an incident.

data release threat

A threat to release data. Image from

These attacks don’t seem to be slowing down, and the attackers keep getting better at them. They’re improving their tools, they’re improving their business models, and they’re constantly evolving their techniques for getting companies to pay using social engineering.

The question is—how fast are our schools and hospitals and local governments improving our defenses to stay ahead of the attackers on all these fronts?

Nowhere near fast enough. That’s my answer.

Even medium and large businesses struggle to handle this threat, and that’s with dedicated security staff to help them. The small businesses, government orgs, and other entities that lack security talent and budgets are hopelessly outgunned.

I think the attackers are just now hitting their stride. I think they’re going to get more deadly, more efficient, and smarter about who to target at what times. As far as I can tell there’s no end in view here. We don’t have enough security people to cover the surface area, even if these targets had the budget to hire them.

We can stop waiting for Cyber Pearl Harbor. It’s here already, and we’re living it.


  1. I think what’s going to to happen before too long is the government will tap the endpoint vendors on the should and say: “Hey, the country needs you. Here’s several hundred million dollars: you now need to get Crowdstrike, Sentinel One, etc., installed on every school and government computer in the country. Go.”

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.