Two years have passed since the outbreak of the ransomware attacks Petya and Wannacry, which had a devastating affect across the world. In 2018, there was a slight decline in their frequency and impact (especially towards the end of the year) as cryptojacking briefly became more attractive to unsophisticated cyber criminals, so you might have thought the worst was behind us as far as the ransomware threat was concerned. Unfortunately, it looks like 2019 could quite accurately be labeled The Year of the Ransomware Comeback.
Ransomware attacks worldwide have more than doubled over the past 12 months, with attacks in the U.S. responsible for more than half of all incidents recorded.
The situation has become so dire that it is now considered a threat to U.S. National Security. Ann Neuberger, director of the NSA’s cybersecurity division, said that ransomware (along with Advanced Cyber threats from nation states such as Russia, China, Iran and North Korea) are now the top cyber threats. US officials have stated their concerns that there is a high probability that ransomware attacks will interfere with the upcoming 2020 U.S. elections, either through voter database encryption or the disabling of voting machines through any one of an increasing number of ransomware strains.
As malware variants are becoming more and more sophisticated, so their use is becoming more diverse. Over the past year, the number of different types of ransomware discovered by security researchers around the world has doubled, and their sophistication and maliciousness has intensified.
The creators of the MegaCortex ransomware have combined a variety of elusive features that prevent legacy defense mechanisms from identifying and blocking this attack. Other types of ransomware increase the psychological pressure on victims in order to secure and hasten payment – such as the ransom malware called Jigsaw, which not only encrypts user files but also gradually deletes them over time. This means victims need to respond quickly – they only have 24 hours to pay the $150 ransom or the malware begins its slow but sure process of destruction, deleting the victim’s files with no possibility of recovery.
Hackers are also becoming more creative in their infection methods. In addition to traditional infection via phishing and spearphishing methods, the use of Remote Desktop Protocols (RDP) is increasing, leveraging stolen RDP certificates to obtain permissions for the distribution and execution of malicious activities on corporate networks.
Extremely creative hackers also use Managed Security Service Providers (MSSP) as intrusion channels into organizations – in one case hackers broke into the provision of such services and utilized remote-controlled security products to infect clients with Sodinokibi Ransomware.
Hackers are also testing new targets in addition to Windows-based systems. Ransomware is now a cross-platform threat: thousands of Linux servers have been infected and their files have been encrypted by a new breed of ransomware called Lilu that only attacks Linux-based systems, and there have even been examples of ransomware attacks targeting macOS users in the past.
The watershed moment for the ransomware attacks of 2019 was the attack against the Baltimore City computer systems that occurred in May 2019. The attack left the city offline for weeks, resulting in a costly recovery. Baltimore Municipality estimates the cost of the financial attack to be $18.2 million – the city’s Information Technology Office has spent $4.6 million on recovery efforts since the attack and expects to spend another $5.4 million by the end of the year. Another $8.2 million comes from potential lost or delayed revenue, such as money from property taxes, real estate fees and fine collection.
After this attack, there were many (sometimes coordinated) attacks on cities and municipalities. Most notable was a series of attacks against 22 cities and agencies in Texas.
In addition to the municipalities, the education sector has been hit hardest by ransomware. Since the beginning of 2019, there have been about 533 attacks against US public schools – more than the total number of attacks in 2018. Ransomware attacks have delayed the start of the school year and cost educational institutions a small fortune. Some school districts have been paralyzed for months because of such attacks.
In addition to restoring damaged reputation, the direct monetary damages caused by ransomware are on the rise. A Long Island school paid $100,000 to release its systems in August, and a New York state school paid $88,000 the same month. The Ryuk ransomware is largely responsible for the massive increase in ransomware payments. The malware operators demand an average of $288,000 for the release of systems, compared to the $10,000 price required by other criminal gangs. At times, the demands have been outrageous – the Riviera Beach City of Florida paid a $600,000 ransom in June 2019 to recover files following an attack, and another cybercrime gang demanded $5.3 million from New Bedford, but the city offered to pay “only” $400,000. Fortunately in that case, city officials were able to recover their data from a backup and escaped without paying anything.
The current ransomware epidemic is the latest in a series of cyberattacks that have hit organizations and posed a significant challenge to our modern way of life. Unlike some forms of cyber threats such as those conducted by nation states, the motive for ransomware attacks is purely financial. As such, this kind of threat can only be addressed through economic metrics, namely the post-incident cost of an attack (downtime + damage to reputation + insurance premiums + fees and other indirect expenses) versus the cost of investment in a strong preventive security solution.
Fortunately, a modern endpoint detection and response solution will provide an almost hermetic seal against the data-destructive rampage of ransomware and should be the first thing to consider when facing this challenge. It is rare enough in cyber security that the solution is simple, effective and readily available. Any organization that has not suffered from a ransomware attack should take advantage of this fact and deploy a robust endpoint security solution throughout the enterprise and avoid becoming the next sorry victim in a long line of organizational casualties.