Municipalities Will Face Future Ransomware Attacks
The idea that your computer can be locked down and held hostage by a remote attack seems closer to the plot of a “Black Mirror” episode than reality, but today, businesses and individuals alike face that very threat in the form of Ransomware.
Ransomware is an umbrella term, but its core principles are to comprehensively restrict access to a target’s system until the attacker’s demands are met.
“The purest ransomware just locks up everything,” said John Stark, president of John Reed Stark Consulting Inc., a Maryland-based company, during a phone interview. “And those started to happen in late 2015. Around that time, historically, it was more about people’s individual computers getting locked up in one of those crazy things where you log into something and it says you need to pay.”
The demands traditionally are a substantial payment, but an amount that the target can actually pay. Some attackers even offer partial payment to unlock a select amount of files or computers. The modern method of sending payment to ransomware attackers is through the crypto-currency bitcoin. However, that wasn’t always the case
“[Late 2015] was a little before bitcoin [became the standard form of payment] so you had something like, ‘call this number,’ and it slowly evolved,” Stark said.
In Ransomeware’s early days, it was common for individuals to be targeted by the now-infamous malicious software. Municipalities and hospitals have become more likely targets with several of the United States’ largest cities falling victim.
“Ransomware in municipalities is the most underreported criminal phenomenon that’s going on right now in cyber security,” said Stark. “Because they’re not necessarily reportable events in terms of the law because your data hasn’t been stolen; it’s just been locked. No one came into your house. They just put a big padlock on it, and you can’t get in.”
Claims and reports climb each year. Beazley, a specialist insurance company, Response Team Services, saw a 105% rise in notifications from first quarter 2018 to first quarter 2019. Demand values are also rising with unsettling consistency. According to Beazley’s Insight Breach Report, average payment demanded rose from 2018’s $116,324 to $224,871.
Chief Executive Bill Spiegel of the incident response firm Coveware was also featured in the report weighing in on why this trend escalated so quickly. “First, anytime the average ransom demand goes up, it’s going to pull in more attack groups interested in making money,” Spiegel said in the report. “Second, the easy availability of exploit kits and ransomware-as-a-service means there is a lower barrier to entry for would-be-hackers.”
What this illustrates is a self-perpetuating threat in the form of ransomware. The higher the stakes, the more players. The big question is often whether the victim should pay or push back against the attack. The answer is not as cut and dry as most would hope.
“Only a municipality can get away with [not paying] because they have a monopoly,” Stark said. “They can sit there and say sorry [to citizens]. A normal corporation can’t get away with it. You’re losing business by the second. You can’t send emails, your phones don’t work, your website is down.”
At this point in the attack, you would typically expect the victim’s insurance to step in to assist in loss recovery. However, Stark explained the increasing difficulty in nailing down exactly what insurance companies are responsible for.
“Insurance is getting tougher and tougher to get,” explains Stark. “It’s difficult for insurance companies to measure the risk. What do you get with insurance anyway? Do you get the amount of the [ransom] pay, the cost of being shut down, reputational [loss]?”
Municipalities have quickly become a hotbed of targets, but not for any political reasons you might suspect. The attacks are often aimed at city departments because they simply don’t have the means of defending themselves. The reason for this, as Stark sees it, is the difficulty a city faces when recruiting against more enticing private firms.
“When you’re [looking for a job], are you going to work for the City of Baltimore as an IT engineer, or are you going to work for Mandiant and make gobs of money while traveling the world,” said Stark. “They have a very hard time finding people. They don’t have enough money to pay cybersecurity consulting firms like mine or others to help them really shore up, and there’s no silver bullet anyway.”
What Stark means by no silver bullet is that even the best laid defenses will eventually find themselves outdated, because while we reference these attacks by ransomware or trojan banking, it’s ultimately just people.
“It changes so quickly,” said Stark. “When I was doing data breach at Strauss [Troy], I would say every six months we transformed our approach, and that’s with forensic labs all over the world.”
The City of Baltimore fell victim in early May of 2019. The demand was reportedly $72,000. As of a report mid-June, the attack has cost the city over $18 million in recovery efforts and lost revenue. Atlanta suffered a similar ransomware attack reported by WIRED that cost the city $2.6 million in recovery to a demand set at $52,000.
In the future, there will undoubtedly be a rise in ransomware attacks and iterations of the malware to improve its efficiency. The only silver lining is that, while corporations have been battling these styled attacks for years, the sweeping ramifications of rolling municipalities will pressure governments to join the fight in defending city departments and aiding in recovery.