I Love It When a Plan Comes Together: Ransomware Rakes in $1 Million in a Week
So many brilliant and outrageous news headlines start with the words “Florida man…” that it has officially become a meme. Here are a few zingers from the past week.
In other Florida news, two municipalities were forced to pay over $1 million to recover from devastating ransomware attacks that sent their city infrastructure back to the stone age. 911 response systems went down, payroll staff wrote checks by hand, citizens could not pay their water bill, and proper backups (of course) were not in place. In all, attackers earned $1.13 million for the cost of sending out a few e-mails to unsuspecting city workers.
There is a reason why the United States has taken a stance against negotiating with terrorists. If the United States agrees to pay a ransom in exchange for a hostage or to prevent an imminent attack, that will encourage other bad actors to do the same since it is now profitable to perform acts of terror. For the same reason, the US’s top domestic law enforcement agency the FBI has advised American business not to pay the ransom when they become victim to a ransomware attack. Recently, I had the privilege to speak on a panel with a Supervisory Special Agent from the FBI’s cybercrime division and he spelled out the reasons for not paying the ransom.
1. Paying the ransom shares similarities with blackmail. If an organization pays the ransom, the attackers know the organization is willing to pay and can come back asking for more money before releasing the decryption key.
2. There is no guarantee the files will be decrypted once the ransom is paid. Surprise, surprise, criminals by definition do not follow the law and have no obligation to release the decryption key after payment is made.
3. Assuming an organization gets the decryption key after the ransom is paid, it still makes them a future target since it is now known that they will pay the ransom.
4. Paying the ransom makes all organizations more attractive targets for ransomware attacks now that it is seen as a profitable endeavor.
Frequent visitors of my blog know that I make predictions on the direction of the cyberwars based on current events, new and innovative technologies, and the cyber adversaries’ ability to continually think of creative and unconventional ways to attack their targets. I take no pleasure in having my predictions come true, especially when it comes to worst-case scenario cyber attack scenarios. In April, I predicted that after a steady decline, ransomware attacks would resurge as a result of companies acquiring cybersecurity insurance and having riders on those policies to cover the payment of a ransom should they become a victim of a ransomware attack. In January, February, and June of this year, I posted advisories of new and ingenious phishing attack methods, often the first stage in a ransomware attack campaign. Getting someone to click on a link to steal credentials or install unauthorized software can easily lead to a ransomware outbreak. In March, I documented the dwindling trust in Anti-Virus software in preventing ransomware attacks. All of these predictions culminated in the news stories for the cities in Florida.
With no other options available, the cities of Lake City, FL and Riviera Beach, FL both authorized their cybersecurity insurance companies to pay 42 Bitcoins (approximately $530,000) and 65 bitcoins (Approximately $600,000) respectively to attackers to regain access to their locked systems. Not wanting to follow in the footsteps of Baltimore city, who just spent $18 million to recover from a similar ransomware attack or the city of Atlanta, who is expected to pay over $10 million after the SamSam ransomware outbreak. In the case of Atlanta, the ransom was $52,000, a small percentage of the recovery costs, but the city took the stand not to pay the ransom. Lake City and Riviera Beach also budgeted for increased expenditures in IT to rebuild their networks and cybersecurity knowing they will become the targets of increased attacks. Hopefully, these cities credit ratings are not downgraded as a result of the increased cybersecurity expenditures.
It is too soon to tell if paying the ransom was the right move and if systems get restored promptly avoiding significant rebuilding costs, but time will tell. The cities also somewhat hit a stroke of fortune as the price of Bitcoin skyrocketed over 40% since the payment was authorized.
The UK National Cyber Security Centre recently released an advisory that the Ryuk ransomware is increasingly targeting organizations. The US Cybersecurity and Infrastructure Security Agency (CISA) issued that cyber activists based in Iran will be ramping up attacks against the US and her allies in retaliation to the escalating tensions between the two countries. Iran is known to use disk-wiping malware disguised as ransomware as seen in the Shamoon attack against Saudi-owned petroleum company Saudi Aramco and even more nefarious malware to blow up gas pipelines and gas processing plants using the Triton malware.
In April, I pledged not to say “I told you so,” but these very costly attacks should serve once again as a wake-up call to municipalities and organizations to take the threat of ransomware seriously. It is not enough to have a backup strategy in place. Those backups must be regularly tested to ensure they work once the primary data systems go down. It is not enough to have “good enough” security that only examines the DNS record or HTTP traffic, bypassing “trusted” websites such as CDNs, cloud file storage, and HTTPS traffic. It is not enough to tell users not to click on links in e-mails from unknown senders. Proper security awareness training extends beyond once-a-year online training classes and must extend to phishing tests, red teaming, and security controls to protect users against themselves. With a 400% increase in phishing attacks utilizing SSL or TLS-based encryption, it becomes essential to inspect this traffic for malicious data. Security is everyone’s responsibility and working with users and enabling them to be extensions of the security team will be the only way to effectively prevent the next ransomware outbreak.