A city in trouble: is ransomware here to stay?

Image credit: Shutterstock (Image credit: Image Credit: Carlos Amarillo / Shutterstock)
About the author

David Higgins is the EMEA Technical Director at CyberArk.

Since the beginning of May, Baltimore has been crippled by a huge ransomware attack that has held many of the city’s IT systems hostage. The attack has ‘shut down’ thousands of government computers, causing everything from water bill payment disruptions to  real estate sales delays.

The hackers behind this have demanded 13 bitcoins — worth about $100,000 – in order to restore these critical IT systems. Baltimore City Mayor, Jack Young, has publicly stated that the city will not pay the ransom demand. But even though the FBI, Secret Service and a host of cybersecurity experts are working hard to restore things, new reports indicate the attack will ultimately cost the city more than $18 million.

A couple of weeks ago, a Krebs on Security post quoted a source who said “it’s not terribly likely” that the Eternal Blue exploit was used to propagate the Robbinhood ransomware, debunking earlier reports that linked the Baltimore ransomware attack to the hacking tool developed by the U.S. National Security Agency (NSA) and leaked online a couple of years ago.

Local governments and state departments need to prepare for a surge in ransomware

According to the latest Verizon DBIR report, ransomware accounts for nearly 24 percent of all malware-related attacks across industries. Meanwhile, a 2019 Beazley Group breach insights report notes a staggering 105 percent spike in ransomware notifications from the first quarter of 2018 to the same period this year. Payment demands are also increasing. The Beazley report indicates that the average payment in the first quarter of 2019 – $224,871 – has already far-surpassed 2018’s total of $116,324.

As shown by the Baltimore attack, state and local governments seem to be particularly vulnerable to ransomware. Cybersecurity research firm Recorded Future recently published an interesting study on the surge in state and local government ransomware attacks targeting essential infrastructure and processes. It revealed that reported attacks on state and local government skyrocketed by 39 percent in the US in 2018, and that many of these attacks were opportunistic: in most cases, attackers “stumbled” upon public-sector entities when looking for vulnerable targets.

While this is a worrying trend across the pond, the UK isn’t faring much better. The most recent Cyber Security Breaches Survey released by the UK government showed that 27 percent of businesses and 18 percent of charities who were victims of an attack last year were hit by ransomware, making it a significant threat. And while other attack techniques such as phishing are increasingly popular amongst hackers, the damage ransomware can inflict on organisations is much more significant. Indeed, 58 percent of businesses and charities are more likely to report negative outcomes from ransomware than from any other type of attack.

Image credit: Shutterstock

Image credit: Shutterstock (Image credit: Shutterstock)

How do we combat the ransomware threat?

While there is no ‘one size fits all’ approach for ransomware prevention, there are steps government agencies and enterprises alike can take to reduce the risk of malware (such as Robbinhood) from spreading and crippling systems.

1. Backup all critical data 

This may seem like a basic point, but it’s amazing how many organisations don’t do this on a regular basis. Prioritise data that is critical to your organisation and consistently back it up so that if files are locked and held for ransom, you can still keep (at least parts of) your business on the move.

2. Never stop patching

Consistently patching endpoints and servers will dramatically reduce the attack surface, making a compromise far less likely. If you haven’t already, stop what you’re doing and immediately disable the (very) outdated Microsoft SMB protocol version 1 or apply patch MS17-010. And take it one step further than that. Patch all vulnerable software regularly to help prevent ransomware infections – and make sure your antivirus, firewall and other perimeter protection tools are always up to date.

3. Beware of phishing 

According to the Verizon DBIR report, phishing is involved in 32 percent of today’s breaches and 78 percent of cyber-espionage incidents. Attackers often begin their malware attacks through targeted phishing campaigns. If you receive an unsolicited call, email, text message or chat, do not respond or click on any links – even if the person claims to be from a legitimate department – before confirming legitimacy.

4. Remove local admin privileges to contain and block attacks

While employee education around phishing is imperative, it cannot stop there. Removing local administrator rights is the foundation of effective endpoint security. By implementing a combination of least privilege and application control policies on endpoints and servers as part of a larger Zero Trust approach, you can mitigate the risk of malware like Robbinhood spreading from its initial infection point.

So, there we have it. Ransomware attacks are only set to increase, and the Baltimore example is a timely reminder of how damaging and widespread the fallout can be. There is too much at stake by government departments and businesses not taking the necessary measures to patch, back up sensitive data and educate employees as to the evolving threat.

David Higgins
EMEA Technical Director

David Higgins, Senior Director, Field Technology Office at CyberArk.