Thirty years ago, the first ransomware attack took place. PC Cyborg, also known as the AIDS Trojan because it targeted AIDS researchers, demanded $189 after an infected floppy disk was inserted into a computer. However, modern ransomware, which demands Bitcoin payment to save your files, started in 2013. One of the first targets of these attacks was the local government police station in Swansea, MA. Ransomware was so new at the time that many referred to it as a “virus”.
That was six years ago. Since then, both our knowledge of ransomware and the number of attacks have increased. According to the 2019 Verizon DBIR, ransomware attacks were responsible for 30% of cyber-attacks in 2018, with 94% delivered by a phishing email. There have been many ransomware attacks in 2019, in several different industries. The ones that were in the news the most, however, were the ransomware attacks targeting U.S. cities.
Targeted ransomware attacks on local US government entities—cities, schools, and police stations—are on the rise. These attacks cost millions of dollars as organizations untangle themselves and restore their data and vital systems. Often, this involves paying the perpetrators the ransom demanded in an effort to get critical systems back running. In 2018, there were 53 reported ransomware attacks on local government entities. In the first four months of 2019, there were reports of 21 ransomware attacks on local county, city, and state government systems. Moreover, it is important to note that these numbers only represent reported cases. The FBI does not yet have a reporting system for ransomware-specific attacks; many times, they are classified as Malware.
Ransomware Attacks Targeting US Cities
Some journalists have dubbed 2019 the “summer of ransomware attacks,” and with all of the attacks that occurred, it’s no wonder why. In June, an IT manager in Lake City, FL was ultimately fired for falling victim to a ransomware attack. The incident resulted in the city paying $460,000 in Bitcoin ransom to cybercriminals in order to unlock its municipal computer systems. This attack came two weeks after Riviera Beach, a suburb of Palm Beach, FL, paid more than $600,000 to regain control of its computer systems. With these two incidents alone, the state of Florida paid over $1,000,000 due to ransomware attacks in one month. While paying the attackers worked for both cities in Florida, there were cities that refused to meet the demands.
On May 7, 2019, Baltimore, MD was the target of one of the largest ransomware attacks on a state government agency. Most of Baltimore’s government systems were infected with aggressive ransomware called “RobbinHood”. Out of precaution, all servers, except for essential emergency services, were taken offline. For weeks, the city operated on “skeletal systems” with many reports having to be filled out by pen and paper rather than electronically. Baltimore refused to meet the cybercriminals’ demand of 13 Bitcoin in exchange for the keys to restoring their systems. However, it cost the city close to $18,000,000 to finally restore the majority of their systems to full use.
Why Does Ransomware Work So Well?
With thousands of attacks per day, many people wonder why, after all this time, ransomware is still so effective. The answer is simple: attackers know what works. And not just digitally—a truly effective ransomware attack requires more than just expert coding. Attackers must tap into the psyche of their targets and know the right buttons to push that will get their victims to pay. But what are those “right buttons”?
For instance, an attack can start with an email that doesn’t show any of the normal red flags. The spelling is accurate, the message is personalized, and the content is similar to what you’re used to seeing. With those pieces seemingly legitimatized, you do not suspect anything is amiss when asked to click on a link or open an attachment (such as a fax or invoice). These specially crafted emails quickly build trust and allow the attackers to gain access without you noticing until it is too late.
There are also more specific, tailor-made attacks. For instance, imagine you’re preparing for an event (a work conference or company event) that requires you to purchase a list of items online. Your stress is high because, on top of your already-busy schedule, the timeline for this event is getting shorter and shorter. At your computer, you receive an email from an online retailer you frequently use for purchasing. The email states your order was cancelled due to a declined payment method. Your heart skips a few beats; you don’t have time for this nonsense! Before you can even stop to breathe, you click the link… which leads you to a malicious website. These attacks are effective because they often begin by overriding your critical thinking skills and forcing you to make a choice based on an emotional response instead of logic.
With these ransomware attacks occurring—and oftentimes succeeding—how do you protect yourself and your organization?
Minimize Your Risk
The FBI provided information to help everyone, from government entities to home networks, protect themselves from ransomware attacks:
- Education: Everyone from top-down should receive effective training on how to recognize malicious emails and understand the critical role they play as individuals in protecting their organization’s information. Educational training is one of the main keys to combating the risk of ransomware affecting your networks.
- Policies: Limiting privileges and implementing software restrictions can help enterprises limit the possibilities of ransomware incidents. Computer-use policies are also needed, such as not giving users administrative privileges and configuring access controls, including file, directory, and network share permissions. By creating limits, the damage a potential ransomware attack may have will be smaller.
- Protection: Implementing runtime malware defenses can help stop ransomware that may get past your already-in-place antivirus protection. Use scanning tools to identify vulnerable systems, patch these vulnerabilities as soon as possible, and upgrade any operating systems (OS) that are being deprecated to offer your systems the best possible protection.
- Backup Plan: Have a proper backup and recovery strategy in place and test it regularly. The 3-2-1 approach works with many organizations. Have 3 copies, in 2 different formats, and 1 copy stored offsite. Secure your backups—don’t have them connected to the computers and networks they are backing up. Test your backups and ensure integrity. Implement regular penetration tests and vulnerability assessments.
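As an added example (not part of the original post or the FBI guidance), the Python below audits a backup inventory against the 3-2-1 rule and only counts copies whose restore-test digest matches. The `Copy` record, `audit_321`, and the sample inventories are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    fmt: str       # storage format/medium, e.g. "disk", "tape"
    offsite: bool  # stored away from the primary site
    online: bool   # reachable from the systems it protects
    data: bytes    # stands in for the bytes read back in a restore test

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_321(copies, expected):
    """Return findings for a set of copies; an empty list means it passes."""
    good = [c for c in copies if digest(c.data) == expected]
    findings = [f"{c.name}: restore test digest mismatch"
                for c in copies if c not in good]
    # Only copies that verified count toward the 3-2-1 totals.
    if len(good) < 3:
        findings.append(f"only {len(good)} verified copies, need 3")
    if len({c.fmt for c in good}) < 2:
        findings.append("verified copies use fewer than 2 formats")
    if not any(c.offsite for c in good):
        findings.append("no verified copy is stored offsite")
    if not any(not c.online for c in good):
        findings.append("no verified copy is disconnected from the network")
    return findings

# Constructed sample data, not taken from any real system.
PAYLOAD = b"constructed sample: finance share export\n"
EXPECTED = digest(PAYLOAD)

HEALTHY = [
    Copy("primary", "disk", offsite=False, online=True, data=PAYLOAD),
    Copy("nas-snapshot", "disk", offsite=False, online=True, data=PAYLOAD),
    Copy("tape-vault", "tape", offsite=True, online=False, data=PAYLOAD),
]
# Same inventory, but the tape reads back damaged during the restore test.
DEGRADED = HEALTHY[:2] + [
    Copy("tape-vault", "tape", offsite=True, online=False, data=PAYLOAD[:-5]),
]

if __name__ == "__main__":
    for label, copies in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, audit_321(copies, EXPECTED) or "passes 3-2-1")
```

In the degraded inventory a single unreadable tape removes the only offsite, offline, second-format copy at once, which is why the restore test has to run before the copies are counted.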
Already a Ransomware Victim?
If you think you or your organization is already a victim of ransomware, report it immediately to your local FBI field office, report the incident to the Bureau’s Internet Crime Complaint Center, or report it to the FBI’s IC3 online.
Of course, the question that everyone asks is, “Should I pay the ransom?” The FBI’s initial advice is to not pay up, but they do recognize that sometimes it is OK to pay the ransom. When systems have been compromised, the choice to pay the ransom is a serious decision that needs to be made. Victims will need to evaluate the timeline, technical feasibility, and cost of restarting their system from the backups. Before making decisions, victims need to be aware of a few points:
- Paying the ransom to a malicious actor does not always guarantee your organization will be given access to the data and systems. Some groups did not receive the decryption key, even after paying the ransom.
- After paying the initial ransom, some criminals moved the goalpost and demanded victims pay more in order to receive the decryption key.
- Some victims who paid the demand were targeted yet again by other criminal actors.
U.S. Senate Taking Action
While the plague of ransomware that swept through 2019 seemed ruthless, it got the attention of lawmakers. In September 2019 the United States Senate passed the DHS Cyber Hunt and Incident Response Teams Act (S.315). This act authorizes the Department of Homeland Security (DHS) to maintain cyber hunt and incident response teams to help private and public entities defend against cyber-attacks. These senators realized that now more than ever, it is critical for them to use all resources to help protect against these attacks and to also increase our resiliency. With this act, DHS will be able to provide:
- assistance to asset owners and operators in restoring services following a cyber incident;
- identification of cybersecurity risk and unauthorized cyber activity;
- mitigation strategies to prevent, deter, and protect against cybersecurity risks;
- recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate.
At the time of the publication of this blog, this bill is not yet law, but the forward-thinking of the U.S. Congress gives a sense of hope for securing our organizations in the future. However, in the meantime, stay safe!