“All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”
This is an excerpt from a chilling ransom note Baltimore IT officials received from hackers who managed to lock up most of the city’s servers in May. The attackers demanded $76,000, paid in Bitcoin, for a decryption key. Baltimore refused to pay – choosing, instead, to absorb an estimated $18 million in recovery costs.
Some 15 months earlier, in March 2018, Atlanta was hit by a similar assault, and likewise refused to pay a $51,000 ransom, eating $17 million in damage.
Stunning as these two high-profile attacks were, they do not begin to convey the full scope of what a pervasive and destructive phenomenon ransomware has become – to individuals, to companies of all sizes and, lately, to poorly defended local agencies.
Probing and plundering
Ransomware is highly resilient and flexible. Its core attraction for criminals is that it is about as direct a channel to illicitly-garnered cash as any conman could dream up – few middlemen required.
From a high level, ransomware is essentially an open platform that operates on market principles, around which a thriving ecosystem of suppliers and specialists has taken shape. This has opened the door for newbie purveyors, with modest technical skill, to enter the field, giving these novices easy and cheap access to powerful turnkey tools and services. Meanwhile, the advanced hacking collectives invest in innovation and press forward. The net result is a continuation of proven styles of ransomware attacks, as well as constant probing for vulnerable pockets and plundering along fresh pathways.
According to the FBI, the absolute number of daily ransomware attacks actually dipped slightly last year. However, that’s more a function of hackers targeting individuals less, and companies and governments more. And as highlighted by the assaults on Baltimore and Atlanta, municipalities are among the hottest targets of the moment. A survey of local media reports by Recorded Future tallied 38 ransomware attacks against cities in 2017, rising to 53 attacks in 2018. In the first four months of 2019 alone, some 22 attacks have been disclosed.
This shift has grabbed the attention of municipalities nationwide, so much so that 225 U.S. mayors attending the U.S. Conference of Mayors in Honolulu in early July felt compelled to sign a resolution never to pay a ransom to hackers.
Ah, but it’s never really that simple, is it? Just ask officials from the Florida burgs of Riviera Beach and Lake City. In June, Riviera Beach, population 35,000, paid a ransom of 65 Bitcoin, then valued at $600,000, while Lake City, population 12,046, paid a ransom of 42 Bitcoin, or $460,000, for a decryption key. After weeks of having city services disrupted, and facing pressure from constituents, city leaders viewed paying a six-figure ransom as the least painful, quickest resolution.
It’s not just cities encountering such dilemmas. Enterprises, small- and medium-sized businesses (SMBs) and individual consumers continue to be targeted, intensively, for ransomware attacks. And many are reaching the conclusion that capitulation is their best option. A poll of IT pros in the U.S., Canada, Germany and the U.K. conducted by Osterman Research found nearly 40 percent of ransomware victims choose to pay.
In its most recent annual report, U.K. insurance giant Beazley Worldwide reported that the average ransomware demand in 2018 was more than $116,000, a figure admittedly skewed by some very large demands. The highest demand received by a Beazley client was for $8.5 million – the equivalent of 3,000 Bitcoin at the time. The median was $10,310.
Beazley also reported that SMBs, which tend to spend less on information security, were at a higher risk of being hit by ransomware than larger firms, and that the healthcare sector was hardest hit by ransomware attacks, followed by financial institutions and professional services.
In its survey of 600 business leaders and 1,000 consumers in the U.S., IBM found that a quarter of business executives would be willing to pay between $20,000 and $50,000 to regain access to encrypted data, while 55% of consumers said they’d be willing to pay the ransom to regain access to digital family photos.
Spiking damage costs
These metrics ring absolutely true. Consider that the FBI last November charged two Iranian hackers with orchestrating the ransomware attack on Atlanta. Investigators say this was part of a series of cyber extortion campaigns targeting hospitals, municipalities, public institutions and critical networks across the U.S. and Canada. The Iranian duo by themselves are believed to be responsible for attacks on 230 entities, collecting $6 million in ransom and causing $30 billion in damages, the FBI says.
What’s more, recent analysis from Coveware, a supplier of incident response services, concludes that the cost of ransomware attacks across all sectors spiked during Q2 2019, with ransom payments rising 184% to an average of $36,295 in April, May and June, as compared to $12,762 in the first three months of this year. Coveware also found the average downtime resulting from a ransomware attack increased to 9.6 days in Q2 2019, as compared to 7.3 days in Q1 2019.
Downtime, as any company executive will tell you, is not cheap, especially for cash-strapped SMBs. A survey by Datto, which supplies services and systems to managed service providers (MSPs,) found that downtime resulting from ransomware typically costs SMBs more than $8,500 per hour. Datto polled 1,100 MSPs worldwide and found 63% were dealing with ransomware attacks that led to business-threatening downtime. SMBs face ransom demands ranging from $500 to $2,000, while 7% of respondents to Datto’s poll said payment of the ransom did not result in the return of data. And fully 91% of poll takers said their clients had been hit by ransomware in the past 12 months, with 40% reporting more than six separate attacks during the past year. Some 31% of respondents said they experienced multiple attacks in a single day.
At first blush it might seem valid to adopt a policy of categorically refusing to pay a ransom. However, the operational imperatives in today’s world of internet-centric commerce often boil down to survival math, especially for SMBs. In fact, such scenarios have become so common that Forrester Research recently published a guide to paying ransomware.
Due diligence for smaller and mid-sized organizations in today’s environment, it seems, can now include retaining a specialized third-party firm to negotiate with cybercriminals in pursuit of an acceptable outcome. This can include steering to a staged process and taking steps to build rapport with the attacker. This all goes toward ascertaining whether the criminal is willing and able to supply a viable decryption key, according to Josh Zelonis, senior analyst for cybersecurity and risk at Forrester.
A very recent development foreshadows many more SMBs and small cities facing these decisions: MSPs have now become a favorite target of ransomware gangs on the leading edge. This makes very good sense from the criminal perspective. MSPs make wide use of remote management tools to administer company email and manage file sharing on behalf of their clients.
Best practices imperatives
Cyber extortion has come a long, long way, indeed. While reporting for USA Today in 2009, I wrote about how fraudsters launched scareware campaigns to lock up computer screens as a means to extract $80 for worthless antivirus protection. No one guessed, back then, how this low-level form of cyber blackmail – mainly targeting individual consumers and scoring multi-millions for certain hacking rings – would metastasize into the multi-billion dollar criminal endeavor it has become today.
Clearly, the deck is stacked. Ransomware purveyors have every incentive, not to mention all the tools they need, to find vulnerable organizations and force them to do survival math. In today’s digital marketplace, the traditional response – categorically refusing to capitulate – just doesn’t fit.
Those on the front line defending these attacks – the security analysts manning enterprise SOCs, the IT administrators in SMBs and the MSPs servicing multiple companies – have a greater security burden than ever to bear. Best security practices are a must. The latest tools and guidance – and support within the cybersecurity industry via efforts like the No More Ransom program are badly needed. It’s imperative to keep legacy anti-malware, firewall and intrusion prevention systems updated. Everyone must get more proficient at inventorying and proactively managing access and authentication. A top-down security mindset absolutely must be instilled and nurtured. Talk more soon.
The Evolution of Ransomware
Ransomware gains unauthorized access to targeted files or computer systems. It then uses strong encryption, requiring a decryption key for which the victim must pay a ransom, most often in Bitcoin. Here’s a timeline of recent ransomware advances:
- 2013-2014. Fine-tuning functionality – CryptoLocker spreads through compromised websites and malicious email attachments – and begins requesting payment in Bitcoin.
- 2016: Petya – Petya propagates through cloud file sharing services. The name Petya is a reference to the 1995 James Bond film GoldenEye.
- 2017: WannaCry – Attackers leverage hacking tools stolen from the NSA. WannaCry revives the self-propagating internet worm as a means to automatically spread, machine to machine, with no user action required. In less than a day it locks the hard drives of 200,000 Windows machines in 150-plus countries, requesting $300 for a decryption key.
- 2019: U.S. cities hit – Baltimore, Cleveland Airport and Taos, N.M., schools are among at least 24 local government entities hit hard in the first half of the 2019. Two smaller Florida municipalities, Riviera Beach and Lake City, pay $600,000 and $460,000, respectively, for keys.