Ransomware attacks used to focus on individuals. However, ransomware criminals have found that they can get a lot more money when attacking organizations. More and more, they are taking down large organizations looking for big paydays.
A few years ago, individuals were typically forced to pay about $300 to get the key to unlock their data. Today, payments are sometimes in the hundreds of thousands of dollars.
In as many as half the cases, the criminals don’t provide the key to decrypt the data even if the ransom is paid. In other cases, they demand additional money after the first ransom is paid. (They are criminals, after all.)
Ransomware is a form of malware where an attacker takes control of data and encrypts it. The criminal then demands money (a ransom) to decrypt it. If the ransom isn’t paid, the data remains encrypted and unusable.
Attackers send massive amounts of spam with malicious attachments or links. Opening the attachment typically installs the malware. If someone clicks on a malicious link, it connects them to a server that attempts to download the malware.
The Weak Link Lets the Criminals In
In most of these attacks, the criminals get into a network through a single user clicking on a link in a spam email. This can be an uneducated user or someone who just has a momentary lapse.
If the network doesn’t have adequate protection, this one click by a user is often enough to give the attacker unrestricted access to the network.
Here are a few examples of some recent ransomware attacks.
Palm Springs, Florida
Palm Springs, Florida was hit by a ransomware attack in 2018. This was notable because the criminals demanded a ransom of $1,200, which the city paid. However, the criminals then demanded more money before giving the final decryption key to unlock the data.
They ended up paying about $70,000 for an outside organization to help them recover their data. They also created a new position of IT Director to help prevent future recurrences.
Riviera Beach, Florida
A little north of Palm Springs is the small city of Riviera Beach, Florida (population about 35,000). It was crippled by a ransomware attack in May 2019. After about three weeks, the city decided to approve a payment of about $592,000 to get its data back.
The initial attack was traced back to a single city employee who opened a spam email infected with ransomware.
Baltimore, Maryland
The city of Baltimore suffered a huge ransomware attack in May 2019. It locked up billing systems and email accounts, among other things. Criminals demanded $76,000 as ransom, but Mayor Young said that paying a ransom was not an option.
The attack reportedly affected hospitals, factories producing vaccines, airports, and ATMs. Overall, the city estimates the cost of this attack will be over $18 million.
Hancock Regional Hospital
Criminals encrypted all the network data used by hospital employees in January 2018. The staff reverted to pen and paper and the 100-bed facility had to divert all emergency patients to a different hospital 20 miles away.
That’s right. Criminals shut down the hospital’s network at the height of the flu season. It’s unclear how many lives were put at risk, or if the criminals cared about the health of people served by the hospital.
The criminals demanded about $55,000, which the hospital paid.
In this case, the criminals accessed the hospital’s network through a vendor. Using the vendor’s credentials, the criminals were able to install malware and encrypt the hospital’s data.
Lake City, Florida
Attackers hit Lake City, Florida in June 2019, effectively shutting down city hall business. The criminals demanded about $460,000. After consulting with their insurance company, they decided to pay. The city paid their $10,000 deductible and the insurance company reportedly paid the rest.
Texas
In August 2019, 23 government organizations across 22 towns, counties and police departments in Texas were attacked simultaneously. The Texas Department of Information Resources (TDIR) indicated all the attacks came from a single source. The FBI and other agencies are investigating.
The FBI recommends not paying ransoms. From their point of view, each ransom paid encourages criminals to launch another attack.
Because criminals have enjoyed some huge paydays, ransomware attacks will continue, at least until the payments stop.
Update – Voter Databases
Reuters recently reported that U.S. officials fear potential ransomware attacks against voter databases. In anticipation, the U.S. government plans to launch a program to protect voter registration databases and systems.
Some officials predict attackers may use readily available ransomware software to encrypt the data and leave it forever encrypted. Attackers could also manipulate voter lists, creating confusion and delay during a voting cycle.
As an example, imagine if 10 percent of registered voters showed up to vote and were turned away because their registration data was encrypted and unavailable. The results could be catastrophic.
Prevention and Education against Ransomware Attacks
The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware:
- Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
- Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
- Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.
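An added example, not from the original post, of the "verify their integrity and restoration process" step above: a small Python script that backs up a directory together with a SHA-256 manifest, simulates ransomware overwriting a live file, and then checks both the damaged live copy and a fresh restore against that manifest. The file names and contents are constructed sample data.

```python
import hashlib, json, os, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # Map each file's path (relative to root) to its SHA-256 digest.
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def back_up(source, backup):
    # Copy the tree and store a hash manifest beside the copy.
    backup = Path(backup)
    shutil.copytree(source, backup / "data", dirs_exist_ok=True)
    manifest = build_manifest(source)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest

def verify(backup, tree):
    # Compare any tree (live data or a restore) against the backup manifest.
    expected = json.loads((Path(backup) / "manifest.json").read_text())
    actual = build_manifest(tree)
    return {"missing": sorted(set(expected) - set(actual)),
            "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
            "unexpected": sorted(set(actual) - set(expected))}

def demo():
    # Constructed end-to-end run: back up, simulate encryption, restore, verify.
    root = Path(tempfile.mkdtemp())
    live, backup, restored = root / "live", root / "backup", root / "restored"
    live.mkdir()
    (live / "voters.csv").write_text("id,name\n1,Ada\n2,Grace\n")   # constructed sample data
    (live / "config.ini").write_text("[db]\nhost=localhost\n")
    back_up(live, backup)
    # Simulate ransomware: one file overwritten in place, a ransom note dropped.
    (live / "voters.csv").write_bytes(os.urandom(64))
    (live / "README_DECRYPT.txt").write_text("pay us")
    damage = verify(backup, live)                 # detects which files were hit
    shutil.copytree(backup / "data", restored)    # restore from the backup copy
    clean = verify(backup, restored)              # confirms the restore is complete
    shutil.rmtree(root)
    return damage, clean
```

Calling `demo()` returns the two verification reports; in practice the manifest would be stored with the offline backup and `verify` run after every test restore.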
You can also view additional tips and guidance via these links: