Ransomware versus cities: Sowing chaos as well as cost
Ransomware attacks on cities are on the rise. The latest ransomware attacks of 2019 suggest that international organized criminals are behind the epidemic.
The original version of this post was published in Forbes.
Maybe it isn’t just about the money.
Indeed, for victims of ransomware attacks, it’s about both money and chaos. It can cost from tens to hundreds of thousands of dollars to get the decryption “key” from attackers to unlock files. Or, it can cost millions to try to recover without paying the ransom.
Meanwhile, as long as files and systems are locked with virtually unbreakable encryption, it can be difficult to near impossible for an organization to function.
As seen in dozens of reported attacks on municipalities over the past year (reported two weeks ago on Forbes), ransomware attacks can shut down municipal services ranging from public safety to utilities and everything in between.
And when it comes to attacks on governments, maybe that’s the idea—to create chaos and dysfunction along with crippling expenses.
Ransomware attacks on cities might be political
Gregory Falco, a researcher at Stanford University specializing in municipal network security, suggested as much recently to Security Week—that the motives of some nation-state attackers might be political as well as financial.
“Attackers which aren’t such big fans of the U.S. might want to cause economic disruption,” he said. “Instead of trying to take down the whole electric grid, they may try to create chaos in a number of cities.”
It hasn’t—at least reportedly—reached any kind of coordinated level yet, where multiple cities get hit at the same time by the same attackers. But some of them are indeed coming from hostile nation-states. Last December a federal grand jury in Atlanta returned an indictment charging two Iranians with the March 2018 attack on that city, using the notorious SamSam malware.
As described by Malwarebytes Labs, “SamSam uses either vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers to gain access to the victims’ network or brute force against weak passwords to obtain an initial foothold.
“From there, the ransomware ‘fun and games’ begin for the authors. For everyone else, it’s chaos.”
“Chaos”—the same word Falco used.
A thousand cuts?
So is this the digital version of death by a thousand cuts?
Perhaps. One of the strengths of local and regional governments is their diversity. There are thousands of them, and you can’t take them all down by attacking one or two—even one or two dozen of them.
But it is possible to weaken the system beyond individual city, town or county borders by making some of them bleed—financially and organizationally.
Which is what ransomware does.
The ransom demands can vary from a relatively low $70,000 or so to the $500,000 range, as was the case with a couple of Florida cities. Or it can cost well into eight figures to try to recover without paying, as is the case for Baltimore and Atlanta. And during the recovery, municipal services can be spotty to nonexistent.
Ransomware attacks on the rise
What is beyond dispute is that attacks on governments and government agencies are increasing.
Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, told a congressional subcommittee of the Committee on Homeland Security last month that the attacks are aimed at all levels of government, “from relatively robust states to major metropolitan areas to smaller cities and counties.”
“Targets include police and sheriff departments, schools and libraries, health agencies, transit systems, and courts … no jurisdiction is too small or too large,” he said.
That’s confirmed by the FBI. “We see these types of attacks happen every day all across the country,” Amanda Videll of the agency’s Jacksonville, Florida Division told NPR earlier this month.
The security website Bleeping Computer even has a The Week in Ransomware feature.
And the main motive still appears to be the obvious one: money.
It doesn’t take much analysis to figure out that ransomware attacks are likely more lucrative, less risky and much less stressful than trying to carry out a physical bank robbery. No cops, no bullets, no security cameras. Given that they can be launched from anywhere on the planet, and that demanding payment in cryptocurrency makes it virtually untraceable, there is next to no chance of being caught or prosecuted.
Current ransomware attacks invoke chaos theory
But Falco said there are indications that the motive goes beyond money in some cases. He pointed to a recent notification from Microsoft to 10,000 of its customers that they had been “targeted or compromised by nation-state attacks,” with the majority coming from Iran, Russia and North Korea.
The company said 781 of those attacks were against “political campaigns, parties, and democracy-focused nongovernmental organizations (NGOs),” with 95% of them based in the U.S.
Of course those intrusions, at least so far, are not necessarily ransomware. But Falco noted that two of the most notorious ransomware “families” come from hostile nation-states: SamSam from Iran and WannaCry from North Korea.
In an interview, he said that while conducting research for a paper, he noticed patterns going back to nation-states that indicated it was less about money and more about disruption.
“I don’t have statistics,” he said, “but it is clear that the [ransom] money isn’t really significant. These are essentially operational attacks—the goal is to deny services to an entire jurisdiction.”
And that, he said, could easily cause the kind of disruption that would lead to physical consequences. “If that happened to New York City, it could deny services to 10 million people in one fell swoop,” he said, noting that if it compromised public safety and health services, it could lead to “chaos that could cause physical destruction.”
Falco said he hasn’t seen evidence of a coordinated attack to take down services in multiple cities at the same time, but said he thought the Baltimore attack in May, which used the so-called RobbinHood ransomware, “might have been a tipping point.”
That attack left public safety services like police, fire and EMTs operational but did affect hospitals, factories producing vaccines, airports and ATMs.
And the bill for damages and recovery is expected to be $18 million or more.
Proof is elusive
Still, the theory hasn’t yet convinced others in the security community. Andrew Hay, chief operating officer at Lares, a security assessment, testing and coaching firm, said such attacks “certainly would be impactful.”
But he said he has seen no proof. “Right now, based on all available information, those that are wielding ransomware with the greatest success are tied to organized criminal enterprises,” he said.
“When I say ‘organized,’ I mean the entire spectrum from one to three-person friends coordinating activities all the way up to international organized criminal groups looking to increase profits.”
Milan Patel, chief client officer at BlueVoyant and former CTO of the FBI’s Cyber Division, said the theory “has merit,” since security researchers and government threat intelligence indicate that “nation-states are often engaged with criminal actors either through rogue elements or sanctioned operations.”
But he said governments are investigating the attacks the way they would “traditional crime,” and that “more often than not, large-scale cybercrime is operated by sophisticated organized crime.”
International organized crime just one possibility
Sammy Migues, principal scientist at Synopsys, said it is certainly possible that there is a political component to attacks on government entities.
“There could be a method to the ransomware madness,” he said, which could include attackers breaching multiple city governments but not activating the malware until a critical time, such as election day or the day taxes are due. “If they caused some chaos in a few swing states on election day, for example, that might not change the result, but it would still be bad.”
But he noted there are plenty of other possible scenarios as well. “The thing is, we really don’t know,” he said. “Some ransomware attacks could be insiders or perpetrated by random individuals through scattershot phishing—not everything is an APT [advanced persistent threat].”
What is more important and more relevant, he said, is that attackers have the equivalent of a rock that can “break the glass around your assets.” And it won’t help simply to make the glass thicker, because there will always be a rock big enough to break it, and if they can’t break your glass, they’ll turn their attention to your supply chain.
So, whatever the motive behind attacks, “one of the first things we can do is be able to back up our stuff and restore it in an emergency,” he said.
“The goal is that you are able to survive a disaster. Ransomware is just another disaster. If you aren’t prepared, you need to get prepared.”
Measure your software security initiative with the BSIMM
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/ransomware-attacks/
