U.S. cities have a big ransomware target on their backs
Last year, Atlanta’s systems were crippled by a ransomware attack that cost the city $17 million to clean up. Earlier this year, city systems in Baltimore were held hostage by hackers who used the ransomware RobbinHood to encrypt hard drive data and prevent access. Baltimore balked at paying the $76,000 ransom demanded by the hackers, but eventually spent more than $18 million recovering from the attack.
Atlanta and Baltimore have had plenty of company, as the leaders of the Cleveland Hopkins International Airport, the Georgia courts system, Key Biscayne, Florida and dozens of others can attest. Ransomware attacks have been mushrooming in recent years, with estimates on the costs from ransomware ranging from $8 billion globally in 2018 to $75 billion a year for just for small and mid-size U.S. businesses.
In November, the Department of Justice charged two Iranian citizens with a nationwide spree of ransomware attacks that totaled more than 200 victims—Atlanta among them—for which they allegedly collected over $6 million in ransom payments and caused over $30 million in losses.
Ransomware Continues to Have Appeal
Ransomware has been gaining steam as an attack vector, but it’s not a new trick. Essentially, it follows the age-old pattern of kidnappers and hostage-takers. Hackers break into a system (phishing is still the most reliable way to get a foot in the door, including for as much as 90% of ransomware attacks), and encrypt essential files, leaving the victim unable to get to their data and applications. They then demand ransom for unlocking the data, usually to be paid in cryptocurrencies such as Bitcoin.
For hackers, ransomware holds the appeal of being profitable (if victims pay up) and easy to do. And because they can conduct attacks under a digital hoodie of anonymity, they figure they have little chance of being caught. Already common, ransomware has surged lately as another popular attack — cryptojacking — has cooled off amid an uncertain cryptocurrency market.
The latest rise of ransomware is another result of the expanding and increasingly complex attack surface organizations create with their move to greater use of mobile computing, the Internet of Things and migration to the cloud. The future of cities is moving more and more towards connected, data-driven infrastructures for things like traffic control, public transport, street lighting, security, and city resource management. This technology trend of “smart cities” will continue to lead to more “smart hackers” who will have more opportunity to look for and exploit weaknesses in cloud computing, software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and other shared environments.
Governments at Risk
For cities, municipalities and other government organizations, the damage comes not just in the potential exposure of constituents’ personal information and other sensitive data, but the loss of services for days or weeks. And then there are the clean-up costs, which will be significant whether they’ve paid a ransom or not. In addition to mitigating the damage and trying to recover their systems, cities also face an essential question when hit by ransomware: To pay or not to pay.
Baltimore refused to pony up the ransom for its system on the advice of the FBI, which contends that paying only encourages hackers to strike again elsewhere and won’t save victims any money on the cost of restoring systems. However, the FBI’s position has evolved over the past few years. In 2015, the Bureau leaned more toward paying up, out of concern that ransomware victims might not recover their files if the hackers didn’t unlock them. It could depend on the situation. In the case of hospitals, for instance, unlocking files could be a matter of life or death. In other instances, organizations could be able to wait it out.
The FBI’s current position urges victims to considers the “serious risks” of paying. Among the risks is that you’re dealing with criminals who might not play fair. Some victims that have paid never got the decryption keys after making payment. Others were told to pay more in order to free their data. And some victims who paid were targeted again since hackers apparently considered them a profitable mark.
The U.S. Conference of Mayors voted unanimously on July 10 to refuse to pay ransom to hackers. Not paying removes criminals’ top priority — money. If the crime doesn’t pay, they’ll stop doing it. With a few exceptions, cities are deciding to take the FBI’s advice. The prevailing wisdom is that governments should be reluctant to encourage ransomware as a business model for cybercriminals. Paying encourages them to strike again.
If attacked, the FBI and other security experts recommend isolating the affected computer as well as any systems that haven’t been corrupted, protecting backup data and systems by taking them offline and contacting law enforcement. They also can analyze the type of ransomware being used and see if decryptors for it are already available.
Meanwhile, ransomware gives government organizations one more reason to practice good cyber hygiene. They achieve this by enabling strong anti-phishing measures, better managing of privileged accounts, keeping up with anti-malware measures and by not ignoring software patches. Organizations should also invest in strong security staff and employ machine learning to improve security measures.
They should also start looking into identity management and zero trust programs being implemented in industry and the federal government.
Cybercriminals don’t want to have to work too hard for their money, so making it as difficult as possible can help keep them from trying an attack in the first place.
About the Author:
Tom Weithman is the Managing Director of CIT GAP Funds and Chief Investment Officer for MACH37. Weithman formed CIT GAP Funds in 2005, which has gained national recognition as one of the nation’s most active early-stage venture funds and a premier provider of capital to cybersecurity start-ups. CIT GAP Funds has provided early funding to early-stage cybersecurity companies including Invincea (acquired by Sophos), ADI (acquired by Silicom), SpydrSafe (acquired by Okta) and 4Front Security (acquired by Symantec). CIT GAP Funds’ active cybersecurity portfolio includes Distil Networks, DivvyCloud, ID.me, PFP Cybersecurity and ThreatQuotient. As a founder of the MACH37 cyber accelerator, Weithman also brings 12 years of early-stage and cybersecurity investment experience. Through MACH37, Weithman has funded 50+ seed stage cybersecurity companies.