It's Your Turn To Be Afraid: Easy Money From Ransomware Is Gone
President Marshall: Tonight, I come to you with a pledge to change America’s policy. Never again will I allow our political self-interests to deter us from doing what we know to be morally right. Atrocity and terror are not political weapons. And to those who would use them: Your day is over. We will never negotiate. We will no longer tolerate and we will no longer be afraid. It’s your turn to be afraid.
Three weeks after I reported the accurate prediction that ransomware would be on the rise due to cyber insurance companies paying out ransoms instead of attempting to recover the data, another local municipality has become the latest victim of this scheme. La Porte County, Indiana just paid $130,000 to unlock their files and regain control of city systems encrypted with Ryuk ransomware, the same strain of ransomware that hit several cities in Florida. The county’s cybersecurity insurance paid $100,000 and the balance came from the city’s coffers. A week later, the US Conference of Mayors met and unanimously passed a resolution that none of the 1400 mayors in attendance would authorize their cities to make any payments as a result of ransomware attacks. They sent a clear message that they would no longer be afraid and that it was time for the attackers to be afraid.
Even before the resolution not to pay was passed, the tide was already turning against the ransomware attackers. Multiple factors as a result of these attacks and resulting payments are changing both the legal and cyber threat landscapes to make it harder for attackers to collect payment if they manage to infect the networks of municipalities. First and foremost, public opinion is turning against mayors and city council members. While paying the ransom is a quick fix to get systems back online, the public perception is that their systems got infected because there were not property security controls in place to prevent the cyberattack. Citizens are not holding ticker-tape parades for the mayors after they pay ransoms and files are unlocked; they are angry that it happened in the first place and that everyone will collectively pay as a result. Paying the ransom is a short term fix which does not address the root cause of the attacks, inadequate cybersecurity training and defense mechanisms. While it is true that no system is genuinely unhackable, municipalities can make themselves a less attractive target by making it harder for attackers to infect their systems, with the hope that attackers will go after an easier target.
The commonly held thought is that car insurance rates go down over time. Customers build loyalty with the insurance company, long stretches without tickets or accidents reduce a driver’s risk profile, and a car’s value depreciates over time. To my surprise, my auto insurance rate went up 15% year-over-year on my most recent renewal. When I called to inquire as to why, the insurance company said that more people were getting into accidents with my type of vehicle and the cost to repair them was higher than expected. (Life Pro Tip: If you own a single share of Berkshire Hathaway Class B stock, you are eligible for an 8% discount on Geico auto insurance) With 22 ransomware attacks against municipalities in 2019 alone, cybersecurity insurance coverage will inevitably skyrocket come renewal time. Cash-strapped city budgets will be looking to spend more on cybersecurity (an ounce of prevention) and less on insurance (a pound of cure), or altogether opt-out of coverage if it becomes unaffordable. In either case, it will make it more difficult for attackers to recover any ransom. Systems will be more challenging to infect and even if successful, cities may opt to lose their data than pay the enormous ransom amount out-of-pocket.
Auto insurance gives discounts and price breaks for drivers who take safety courses or drive with a vehicle monitor to prove that the owner is not a reckless driver. Cyber insurance companies reeling from unexpected massive payouts will likely implement similar requirements for achieving affordable insurance rates. Mandatory security awareness training, bulletproof and tested offline backups, proper cybersecurity controls, phishing tests, and third party audits will likely become mandatory for future or affordable coverage options for municipalities. Most insurance companies exist to minimize their risk exposure and maximize their profits. They will recalculate their premiums based on the actual 2019 data, which will show that unprepared municipalities cost them millions of dollars.
In addition to legislation designating municipalities as critical infrastructure, lawmakers can also pass legislation to prevent ransom payments. There are existing and shifty regulations that can be leveraged to prevent ransomware payments. If attacks originate from countries that are designated as state sponsors of terrorism such as Syria or Iran, paying a ransom could be considered providing material support for a terrorist organization. Legislation can be further expanded to prevent payments which encourage future attacks against the US and weaken national security. If municipalities and their insurance carriers are legally prohibited from making payments to attackers, they will move onto newer and more straightforward targets.
Recent municipalities that have been affected have not had any significant impact on loss of life or public safety. This trend will inevitably end when attackers hit the wrong system either by accident or on purpose and lawmakers will be forced to take a more heavy-handed approach. Imagine the 911 system of San Francisco or New York City going down as a result of a ransomware outbreak. One thought is to designate municipal systems as critical infrastructure that will get the protection of US Cyber Command. Systems will come under their protection and attacks against municipalities will result in the full force of the US government coming down on them. There will be no more easy insurance payouts; welcome hack back and defend forward attacks. With recent tensions between western nations and Iran ramping up due to geopolitical concerns, it is conceivable that Iran may choose to focus their attacks on less protected infrastructure to cripple cities or find a way to pivot their attack upstream. The US Department of Defense (DoD) has never been shy about their new offensive hacking operations to prevent the next major attack in the cyber wars. With the escalating pace in which these ransomware attacks are occurring, it is possible that the DoD will hit the attackers first putting them on the defense and crippling their ability to launch new cyberattacks. It’s their turn to be afraid.
It is not enough to have a backup strategy in place. Those backups must be regularly tested to ensure they work once the primary data systems go down. It is not enough to have “good enough” security that only examines the DNS record or HTTP traffic, bypassing “trusted” websites such as CDNs, cloud file storage, and HTTPS traffic. It is not enough to tell users not to click on links in e-mails from unknown senders. Proper security awareness training extends beyond once-a-year online training classes and must extend to phishing tests, red teaming, and security controls to protect users against themselves. With a 400% increase in phishing attacks utilizing SSL or TLS-based encryption, it becomes essential to inspect this traffic for malicious data. Security is everyone’s responsibility and working with users and enabling them to be extensions of the security team will be the only way to prevent the next ransomware outbreak effectively.