Ransomware continues to make waves in the US, forcing multiple cities and organizations into tough choices. Pressed for cash and time, local government organizations are left with few options: Either pay the ransom as soon as possible and encourage criminals to continue bringing essential services to their knees, or refuse and be left with a massive cleanup bill.
When a $50,000 ransom becomes millions of dollars in cleanup, forensics, external tech assistance, and more, sadly more and more organizations are throwing up their hands and paying the ransom.
Doing so almost certainly encourages the same or similar threat actor groups to come back around again at a later date, applying claims for their daily dose of extortion racket money. So what should these cities do?
We take a look at the most recent attacks, how US and international cities have handled them, and our advice for dealing with the aftermath.
A cone of silence: Texas
Twenty-three (23) local government organizations in Texas were recently hit by a coordinated attack likely from a single threat actor. Unlike some previous assaults on city infrastructure where information was released quickly, here officials are keeping their cards close to their chest. No word yet as to which networks, devices, or other technological infrastructure were affected, which family of ransomware was behind the attack, how defenses were penetrated, or if a ransom was paid.
According to WIRED, response teams from “TDIR, the Texas Division of Emergency Management, Texas Military Department, Department of Public Safety, and the Texas A&M University System’s Security Operations Center/Critical Incident Response Team SOC/CIRT” are all working to bring systems back online. This may suggest they held out on paying the ransom, and either the scam pages were taken down (meaning no ransom could be paid), or they missed a deadline and all systems were permanently locked out.
Either way, it could be that Texas is trying a new tactic: regardless of outcome, prevent the endgame of the attack from gaining oxygen. Simply hearing that someone paid or held off and had their network crushed makes it a lot easier for future potential attackers to figure out what worked, what didn’t, who paid up, and who is more likely to give nothing in return.
While it’s unlikely we won’t hear more and at least find out which files were used in the attack, it will be interesting to see if this tactic pays off for at-risk organizations or simply digs them a deeper hole.
Paying up: Florida
Florida has been hit particularly hard by ransomware attacks, and in just one month no less than three Florida municipal governments have been dumped on by the triple threat of Emotet, TrickBot, and Ryuk ransomware. Sadly, all three cases were triggered by the age-old trick of a booby-trapped attachment sent via email. Lake City was for all intents and purposes knocked out of digital commission, having to revert to pen and paper in place of locked-out computer systems. Emergency services remained untouched, but everywhere else—from email and land lines to credit card payments and city departments—chaos reigned.
Eventually, they ended up paying some US$460,000 in Bitcoin to the ransomware authors to release compromised systems. Riviera Beach, struck by a similar attack, ended up paying a cool US$600,000 to fix their hijack. These are incredible amounts of money to send to attackers who may simply have lucked out getting their infection files on the networks of big fish targets, but a drop in the ocean compared to the clean up costs—and that’s why cybercriminals keep getting away with it.
Some of these payments are covered by insurers, with many offering ransom protection as part of their services. As many have noted, paying the ransom is bad enough in that it essentially encourages attackers to keep going. Turning payments into an accepted cost of doing business removes much of the threat from organizations and probably means many simply won’t bother to spend on upgrading their network protection. After all, if the insurance companies are going to pay, then why bother?
However, complacency from organizations will only result in bigger and bigger fines from emboldened cybercriminals, who will most certainly capitalize on the opportunity to squeeze more money out of cities and companies. Eventually, insurance companies will drop organizations or require excessive monthly payments if the attacks keep happening.
Anthony Dagostino, global head of cyber risk at Willis Towers Watson, told Insurance Journal magazine, “We’re already getting word that some insurance companies are not providing the coverage or are adding to the deductibles.”
A state of emergency: Louisiana
Regardless of who pays and who doesn’t, make no mistake: People are taking these attacks seriously. We’re at the point where governors are declaring a state of emergency when these assaults on crucial infrastructure take place. After attacks on multiple school districts, Louisiana Governor John Bel Edwards called it in. Prior to that, Colorado gained some level of cybersecurity fame by issuing the the first-ever state of emergency executive order for a computer-centric attack.
A global threat: Johannesburg
The US may be grappling with the lion’s share of ransomware attacks, but let’s not forget this is a truly worldwide problem. In July, Johannesburg in South Africa found itself unable to respond to power failures after a successful ransomware attack. It potentially affected up to a quarter million people, preventing customers from buying electricity, causing issues with electrical supplies, and even stopping energy firms from dealing with localized blackouts.
Businesses under ransomware threat
Unlike the hugely-popular band Radiohead, who can choose to give away their ransomed music instead of succumbing to extortion attempts, organizations faced with a ransomware attack have no similar alternative. Pay up, or deal with the mess left behind is all that’s available. And as attacks ramp up, if they don’t look at preventative action, they may be forced to make a call between bad and worse.
It’s not just hospitals under attack from ransomware – all manner of healthcare can be impacted. No fewer than 400 dental offices were recently brought to their knees by what is claimed to be Sodinokibi. With the attack in full swing, payments, patient charts, and the ability to perform x-rays were all unavailable. Around 100 practices were able to get back online, and there’s some debate as to whether some organisations actually paid the ransom. Given emergency patients in severe pain would need an x-ray to proceed with treatment, this is quite a nasty attack to contemplate.
As our most recent quarterly report highlights,
Over the last year, we’ve witnessed an almost constant increase in business detections of ransomware, rising a shocking 365 percent from Q2 2018 to Q2 2019.
That’s quite a bump. Some other key findings:
- Ransomware families such as Ryuk and RobinHood are mostly to blame for targeted attacks, though SamSam and Dharma also made appearances.
- The ransomware families causing the most trouble for businesses this quarter were Ryuk and Phobos, which increased by an astonishing 88 percent and 940 percent over Q1 2019, respectively. GandCrab and Rapid business detections both increased year over year, with Rapid gaining on Q2 2018 by 319 percent.
- Where leading ransomware countries are concerned, the United States took home the gold with 53 percent of all detections from June 2018 through June 2019. Canada came in a distant second with 10 percent, and the United Kingdom and Brazil followed closely behind, at 9 percent and 7 percent, respectively.
- Texas, California, and New York were the top three states infected with ransomware, ganged up on with a combination of GandCrab, Ryuk, and Rapid, which made up more than half of the detections in these states. Interestingly, the states with the most ransomware detections were not always the most populous. North Carolina and Georgia rounded out our top five ransomware states, but they are not as heavily-populated as Florida or Pennsylvania, neither of which made our list.
Where to go from here
The pressure is most definitely on. Businesses and local governments must ensure they not only have a recovery plan for ransomware attacks, but a solid line of layered defense, complete with a smattering of employee training in the bargain. When so many attacks begin with a simple email attachment, it’s frustrating to think how many major incidents could’ve been avoided by showing employees how to recognize phishing attempts or other malicious emails.
Of course, securing the line of defense and taking preventative action is just one part. The growing willingness to pay the ransom and on some fundamental level encourage threat actors to do it all over again is not helping. However, with the ever-present threat of budget cuts and a lack of funding/security resources in general, it’s difficult to pass judgment.
More and more government officials will need to make their case to the board on why cybersecurity is an important business investment. And the board will need to listen. Otherwise, ransomware authors will continue to dine like kings.