{"id":16151,"date":"2019-08-23T08:10:03","date_gmt":"2019-08-23T16:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/08\/23\/news-9894\/"},"modified":"2019-08-23T08:10:03","modified_gmt":"2019-08-23T16:10:03","slug":"news-9894","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/23\/news-9894\/","title":{"rendered":"Ransomware continues assault against cities and businesses"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Fri, 23 Aug 2019 15:00:50 +0000<\/strong><\/p>\n

Ransomware continues to make waves in the US, forcing multiple cities and organizations into tough choices. Pressed for cash and time, local government organizations are left with few options<\/a>: Either pay the\u00a0<\/span>ransom as soon as possible and encourage criminals to continue bringing essential services to their knees, or refuse and be left with a massive cleanup bill<\/a>.<\/p>\n

When a $50,000 ransom becomes millions of dollars in cleanup, forensics, external tech assistance, and more, sadly more and more organizations are throwing up their hands and paying the ransom.<\/p>\n

Doing so almost certainly encourages the same or similar threat actor groups to come back around again at a later date, applying claims for their daily dose of extortion racket money. So what should these cities do?<\/p>\n

We take a look at the most recent attacks, how US and international cities have handled them, and our advice for dealing with the aftermath.<\/p>\n

A cone of silence: Texas<\/h3>\n

Twenty-three (23) local government organizations in Texas were recently hit by a coordinated attack<\/a> likely from a single threat actor. Unlike some previous assaults on city infrastructure where information was released quickly, here officials are keeping their cards close to their chest. No word yet as to which networks, devices, or other technological infrastructure were affected, which family of ransomware was behind the attack, how defenses were penetrated, or if a ransom was paid.<\/p>\n

According to WIRED, response teams from \u201cTDIR, the Texas Division of Emergency Management, Texas Military Department, Department of Public Safety, and the Texas A&M University System’s Security Operations Center\/Critical Incident Response Team SOC\/CIRT\u201d are all working to bring systems back online. This may suggest they held out on paying the ransom, and either the scam pages were taken down (meaning no ransom could be paid), or they missed a deadline and all systems were permanently locked out.<\/p>\n

Either way, it could be that Texas is trying a new tactic: regardless of outcome, prevent the endgame of the attack from gaining oxygen. Simply hearing that someone paid or held off and had their network crushed makes it a lot easier for future potential attackers to figure out what worked, what didn\u2019t, who paid up, and who is more likely to give nothing in return.<\/p>\n

While it\u2019s unlikely we won\u2019t hear more and at least find out which files were used in the attack, it will be interesting to see if this tactic pays off for at-risk organizations or simply digs them a deeper hole.<\/p>\n

Paying up: Florida<\/h3>\n

Florida has been hit particularly hard by ransomware attacks, and in just one month no less than three Florida municipal governments<\/a> have been dumped on by the triple threat of Emotet<\/a>, TrickBot<\/a>, and Ryuk ransomware<\/a>. Sadly, all three cases were triggered by the age-old trick of a booby-trapped attachment sent via email. Lake City was for all intents and purposes knocked out of digital commission, having to revert to pen and paper in place of locked-out computer systems. Emergency services remained untouched, but everywhere else\u2014from email and land lines to credit card payments and city departments\u2014chaos reigned.<\/p>\n

Eventually, they ended up paying some US$460,000 in Bitcoin to the ransomware authors to release compromised systems. Riviera Beach, struck by a similar attack, ended up paying a cool US$600,000<\/a> to fix their hijack. These are incredible amounts of money to send to attackers who may simply have lucked out getting their infection files on the networks of big fish targets, but a drop in the ocean compared to the clean up costs\u2014and that\u2019s why cybercriminals keep getting away with it.<\/p>\n

Some of these payments are covered by insurers<\/a>, with many offering ransom protection as part of their services. As many have noted, paying the ransom is bad enough in that it essentially encourages attackers to keep going. Turning payments into an accepted cost of doing business removes much of the threat from organizations and probably means many simply won\u2019t bother to spend on upgrading their network protection. After all, if the insurance companies are going to pay, then why bother?<\/p>\n

However, complacency from organizations will only result in bigger and bigger fines from emboldened cybercriminals, who will most certainly capitalize on the opportunity to squeeze more money out of cities and companies. Eventually, insurance companies will drop organizations or require excessive monthly payments if the attacks keep happening.<\/p>\n

Anthony Dagostino, global head of cyber risk at Willis Towers Watson, told Insurance Journal<\/a> magazine, “We\u2019re already getting word that some insurance companies are not providing the coverage or are adding to the deductibles.”<\/p>\n

A state of emergency: Louisiana<\/h3>\n

Regardless of who pays and who doesn\u2019t, make no mistake: People are taking these attacks seriously. We\u2019re at the point where governors are declaring a state of emergency when these assaults on crucial infrastructure take place. After attacks on multiple school districts<\/a>, Louisiana Governor John Bel Edwards called it in<\/a>. Prior to that, Colorado gained some level of cybersecurity fame by issuing the the first-ever state of emergency executive order for a computer-centric attack.<\/p>\n

A global threat: Johannesburg<\/h3>\n

The US may be grappling with the lion\u2019s share of ransomware attacks, but let\u2019s not forget this is a truly worldwide problem. In July, Johannesburg in South Africa found itself unable to respond to power failures after a successful ransomware attack<\/a>. It potentially affected up to a quarter million people, preventing customers from buying electricity, causing issues with electrical supplies, and even stopping energy firms from dealing with localized blackouts.<\/p>\n

Businesses under ransomware threat<\/h3>\n

Unlike the hugely-popular band Radiohead, who can choose to give away their ransomed music<\/a> instead of succumbing to extortion attempts, organizations faced with a ransomware attack have no similar alternative. Pay up, or deal with the mess left behind is all that\u2019s available. And as attacks ramp up, if they don’t look at preventative action<\/a>, they may be forced to make a call between bad and worse.<\/p>\n

As our most recent quarterly report<\/a> highlights,<\/p>\n

\n

Over the last year, we\u2019ve witnessed an almost constant increase in business detections of ransomware, rising a shocking 365 percent from Q2 2018 to Q2 2019.<\/em><\/p>\n<\/blockquote>\n

That\u2019s quite a bump. Some other key findings:<\/p>\n