A couple of years ago, it looked like crypto-ransomware attacks were falling by the wayside. Business email compromise (email account hijacking) and associated wire transfer fraud were becoming easier and more successful for cyber-criminals than ransomware. I made some predictions in this blog and in public presentations that ransomware had seen its day. Unfortunately, I was wrong. In 2018 and 2019, ransomware returned in a big way as ransomware gangs focused on bigger targets in government, education, healthcare, and business.
As I wrote back on July 7, 2017, another change was that the ransom amount has been increasing. According to Symantec, average ransom amounts increased from $294 in 2015 to $1077 in 2016. We have heard of ransoms paid that were much larger, such as the $17,000 ransom paid by Hollywood Presbyterian Hospital on February 5, 2016. In June 2017, South Korean web hosting company Nayana paid a ransom of $1 million. With these successes, ransomware attackers began to move up-market, looking for bigger fish to fry. Ransomware attacks in 2019 are up 365% over the same period last year.
Some of the big fish include:
- March 22, 2018 – City of Atlanta: ransom demand $51K, recovery costs $2.7 million.
- May 7, 2019 – City of Baltimore: ransom demand $76K (payment refused), recovery costs over $18 million.
- June 21, 2019 – Riviera Beach, Florida pays $600K in ransom.
- July 1, 2019 – Lake City, Florida pays $460K in ransom.
- July 5, 2019 – Colorado gains the distinction of being the first state to declare a “cyber state of emergency.”
- July 26 – the State of Louisiana declares a “cybersecurity state of emergency.”
- July 26, 2019 – Johannesburg, South Africa: ransomware attack affects electric utilities.
- August 20, 2019 – Texas: 23 governmental and education entities affected by the attack. Texas officially went silent, refusing to let the perpetrators know how successful the attack might be. It also seems that Texas refused to pay.
Cybersecurity defenses and mitigation strategies include:
- Anti-malware endpoint software that includes encryption detection.
- Anti-spam and anti-phishing filtering and firewalls.
- Cloud DNS and security proxies such as Quad9 or Cisco Umbrella.
- Phishing simulation attacks and employee cybersecurity awareness training, to help employees learn when NOT to click.
The No More Ransom Project, which was founded in the Netherlands by the National High Tech Crime Unit and Interpol, has helped companies, governments, and other organizations by publishing free decryption tools for the many different ransomware variants. They claim to have saved over $108 million in ransom that would otherwise have been paid to the cyber-criminals.
There is a fair amount of contention among cybersecurity professionals regarding whether to pay the ransom or to refuse. Paying the ransom is almost always the less expensive and quicker solution. But there is a vocal group who say that paying just encourages the attackers to continue, and every round sees the ransom amounts increasing. They advise non-payment as the only solution that will drive criminals out of this business.
Some companies and organizations are buying cyber-insurance policies to cover the cost of the ransom or of restoration from backups. This seems to lead to complacency on the part of some policy holders – why should we pay for expensive defensive security solutions when the carrier will pay for our losses? But insurers are getting savvy to this trend, and are putting conditions or limits on ransomware protections, or increasing deductibles.
Crypto-ransomware is back and worse than ever.
Vulnerabilities originally discovered by US government security services have been used by cybercriminals against municipalities, costing taxpayers an estimated $11.5 billion in 2019.