After a Temporary Lull, Ransomware Has Become a Scourge Again

Posted by Robert Ackerman

A few months ago, Baltimore—the biggest city in Maryland and the 30th most heavily populated in the country—made big news in the cybersecurity world and elsewhere when it got slammed with a ransomware attack. Urban ransomware attacks have recently become far too common, but no others impacted a city of this size.

The hackers demanded just over $76,000 in Bitcoin, and Baltimore, following the recommended script, refused to pay. Instead, it fixed its computer systems on its own, but that took a lot of time, ultimately costing the city more than $18 million and inconveniencing tens of thousands of citizens in multiple ways.

Ransomware—a cyberattack in which hackers hijack computer systems or websites and demand payment to release them—is back big-time, and that means hackers are consistently winning yet another series of battles on the cybersecurity front.

Ransomware attacks slowed last year, but that turned out to be a fluke. They are expected to rank No. 1 among all breaches this year, with 621 attacks already costing more than $185 million, according to cybersecurity firm Emsisoft. Ransomware attacks have more than doubled in 2019, McAfee adds, with hackers modifying attack methods for more lucrative payouts. The average downtime from an attack is 9.6 days.

This year’s victims have included government agencies; public schools, forced to close; hospitals, the single biggest victim virtually every year, where surgeries were delayed; and cities nationwide. There were more than 50 successful ransomware attacks in cities alone—often in small cities less resource-rich and so more likely to pay a ransom rather than find the time to fix the problem themselves.

The sharp upturn in ransomware this year is a call to action for government entities and other enterprises. The message is obvious: They must strengthen their protection against ransomware and other cyber-threats across the board.

Most ransomware attacks are launched via emails that dupe employees into clicking on a malware link or opening an attachment. So better employee training—including, in particular, incorporating the use of two-factor authentication and getting in the habit of right-clicking on email attachments to scan for malware before opening them—should become the norm. Cybersecurity measures, after all, are only as useful as their weakest link.

When ransomware slowed last year, it turned out to signal nothing significant. The conventional wisdom was that many hackers had decided primarily to pursue targets most likely to know how Bitcoin (the typical payment method) works, and so to offer a higher chance of success. As it turns out, most organizations know how to use Bitcoin or at least how to learn about it quickly.

Well-trained employees help sidestep ransomware attacks, but this step alone is insufficient. Organizations must also make sure that antivirus software is up to date and that the use of intrusion prevention and detection systems, among other protective steps, becomes the norm. These products provide an up-to-date view of the network and help spot traffic anomalies that might suggest a ransomware breach or some other type of incursion.

Also helpful is new cybersecurity technology that enhances protection against ransomware in additional ways. For instance, a platform developed by Prevailion, a Columbia, MD-based cybersecurity company, can be used to monitor an organization’s third-party ecosystem for ransomware activity, reducing the odds of contagion from a business partner. Companies with the platform could, for example, stop receiving emails from partners infected with ransomware that has an email propagation component, or shut down normally trusted network connections from partners infected with ransomware that has lateral movement capabilities.

Organizations must work harder to avert ransomware attacks on multiple fronts because they have evolved significantly since first showing up in Russia and other parts of Eastern Europe between 2005 and 2009. The attacks made strides but were hamstrung by the lack of a reliable way to collect money from victims—at the time mostly through text messages.

Then two big developments sparked significant growth. Digital payment methods emerged, especially Bitcoin, the most popular method for demanding ransom because it helps anonymize transactions to prevent the tracking of extortionists. Also important was the arrival of CryptoLocker, which used public and private cryptographic keys to lock and unlock a victim’s files.

Then, in 2017, ransomware grabbed unprecedented attention with the outbreak of two global WannaCry attacks, shutting down hospitals in Ukraine and radio stations in California. In May of that year, the data in 250,000 computers in 116 companies running the Microsoft Windows operating system was encrypted, and ransom payments in Bitcoin cryptocurrency were demanded to decrypt it.

Ransomware suddenly became an existential threat. So where do things stand now?

Highly vulnerable organizations worldwide must step up to the plate to improve their defenses. Ransomware is now proving so lucrative that hackers are pouring some of their profits back into their own research and development, better masquerading attacks until the last minute, and making their attacks more precise.

In addition, one relatively new flavor of ransomware—SamSam—has been making a number of high-profile hits, including at the City of Atlanta, the Colorado Department of Transportation and numerous healthcare facilities. SamSam is a ransomware-as-a-service. Its subscribers probe pre-selected targets for weaknesses, and attacks are particularly damaging.

The average cost of a ransomware attack doesn’t rival what Baltimore paid, but it isn’t inexpensive. It cost $36,295 in the second quarter, up from $12,762 in the first quarter, according to Coveware, a ransomware recovery vendor. That is an increase of 184% and no doubt will keep rising.

In some cases, such as hospitals, a successful ransomware attack can be a matter of life and death. It’s less deadly elsewhere, but still a major reputational issue, one undermining confidence in an organization, especially since half of ransomware victims typically get hit again, according to security firm Druva.

Let’s hope that organizations make the effort to get a firm grip on this problem once and for all.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.