Ransomware is Paying Off Again for Hackers
by Robert Bond
Ransomware is Paying Off Again for Hackers
Lake City and Riviera Beach in Florida Lost $1 million in Ransomware Attacks
Last year the FBI reported that 1,493 ransomware attacks were executed with a total of $3.6 million being paid to hackers — approximately $2,400 per attack. While this year started more slowly for ransomware incidents, several high-profile attacks seem to be suggesting a dark turning point in the new wave of breaches.
For example, two cities in Florida have paid significant Bitcoin ransoms in the past several weeks in order to regain access to their data. In Riviera Beach, a fairly small town approximately 80 miles from Miami, the city council voted unanimously to pay $600,000 in Bitcoin to the cybercriminal that was able to lock down their IT systems with ransomware.
The impact on the Riviera Beach IT systems was critical as employees lost access to e-mail and 911 services experienced significant disruptions.
Lake City, a small town north of Gainsville and west of Jacksonville was hit by a ransomware attack around the same time period as Riviera Beach. In an emergency meeting of Lake City’s administrative council voted less than a week after the attack to agree to a cybercriminal’s demand for 42 Bitcoins. With the price of Bitcoin almost tripling over the past 3 months the ransom amounted to nearly a half a million dollars.
Lake City officials described the incident as a “triple threat,” according to ZDnet, and it has since been determined that a single employee downloaded an infected document they had received through a phishing or e-mail attack. Opening the document set off a chain of events involving three separate malware variants sometimes used in concert in cyber attacks.
The initial document carried the Emotet trojan, which installed itself and subsequently downloaded another trojan called TrickBot and the Ryuk ransomware. Ryuk then spread throughout the cities systems, locking them down and demanding a ransom. Only the police and fire department systems were spared as they were on a different server, according to the New York Times.
In several interviews with city employees they suggested that they tried to rid their systems of the malware for over two weeks before they decided that they were not going to be able to rid their systems of the malware.
Phishing Attacks Typically Deliver the Malware
Both cities think the malware was delivered through a phishing e-mail that contained a malicious link to a site that delivered the ransomware. This type of attack is typical for cybercriminals because despite the fact that users try to be careful not to open suspicious e-mails, many phishing e-mails are fairly sophisticated and in the end, only one employee who receives one of the hundreds or thousands sent has to download an attachment or click a malicious link.
In a press release Lake City described how some departments had resorted to using pen and paper due to the lack of access to any usable systems. Further, due to city employee’s inability to monitor emails, residents of Lake City were told to monitor the Lake City Police Department’s Facebook page for any critical updates.
“I would have never dreamed this could have happened, especially in a small town like this,” said Lake City mayor Stephen Witt. Fortunately for Lake City and its taxpayers, insurance is expected to cover all of the payment with the exception of approximately $10,000.
NTT Security Survey Suggest Significant Risks Remain
In the Risk:Value Report 2019, by NTT Security which examines the attitudes of more than 2,200 non-IT decision makers to risk and value of cybersecurity to the business across 20 countries 33% of those surveyed suggested that they would consider paying a ransom to an attacker instead of investing in cybersecurity – as they believe that in the long run it is cheaper. It was also identified that 36% would rather pay a ransom than get a fine for non-compliance – thus indicating a fear about the potential consequences, particularly fines of being non-compliant.
The report further suggests that it is evident that organisations want to address cybersecurity concerns, with respondents stating that strong information and protecting data integrity were important to 84% and 85% of businesses respectively. With 88% of respondents citing that strong cybersecurity measures would benefit their organisation.
Unfortunately, it was also identified that organizations report that their critical data is no more secure than it was last year. Only 48% of all organizations stated that their critical data is secure, while only 45% have secured all of their organization’s data.
Small Cities are Increasingly the Target of Ransomware Attacks
One of the larger issues that organizations are facing is the inevitable correlation between ransoms paid and attacks executed. The fact that two cities have paid half a million dollar payments to hackers in the same state and within a few weeks of one another will encourage cybercriminals to launch similar attacks against similar targets; and there are certainly no shortage of small cities that fit the same profile.
One of the most infamous ransomware attacks victimized the city of Atlanta. When the city of Atlanta decided against paying a $50,000 ransom, the city had to hire outside consultants to work with their back up systems and ultimately spent nearly $3 million to restore the systems and data. In addition, Baltimore officials recently estimated the cost of an attack using the RobbinHood ransomware that hit around 10,000 city computers at $18 million and counting when they decided not to pay the ransom.
Thus small cities like Riviera and Lake City are using Atlanta and Baltimore as examples and chosing the less expensive alternative.
As most IT security professionals know it is virtually impossible to stop every attack. There are too many vulnerabilities in software, users are not as saavy as their attackers, and as the NTT Security survey report suggests, organizations have not made the commitment required to protect their data, users and customers.
5 Ways to Stop or Recover from Ransomware Attacks
Let’s leave you with the five best things you can do to avoid being a victim of ransomware:
- Do not provide personal information when responding an email, phone call, text message or frankly any other message. Criminals are experts at tricking employees into installing malware.
- Please, please back up your files; back up your entire system. If all else fails you will at least have a way to access your critical files.
- Use content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.
- Make sure that all systems and software are updated with the most recent patches. Exploit kits hosted on compromised websites are used in most attacks to spread malware.
- Try not to pay the ransom. It obviously encourages and ultimately funds cybercriminals. Further, in many cases in which the ransom has been paid the victim is never given access back to their files.
June 8, 2018