ran•som•ware
noun /ˈransəmˌwer/
a type of malicious software designed to block access
to a computer system until a sum of money is paid.
“Although ransomware is usually aimed at individuals,
it’s only a matter of time before business is targeted as well.”
The curse of ransomware
Ransomware, software that locks systems and files with virtually unbreakable encryption until tens or hundreds of thousands of dollars are paid to attackers for a decryption key, is a huge and growing problem for governments and private enterprise across the nation. Other than the FBI, no one in the public sector seems to be paying much attention to the escalating national problem or its potentially dire consequences.
The public sporadically pays attention to headline news like the three Florida municipalities hit with ransomware in June—Key Biscayne, Lake City, and Riviera Beach (pop. 35,000). Lake City paid 42 bitcoins (almost $500,000) to attackers, and Riviera Beach paid 65 bitcoins (almost $600,000). In March 2019, ransomware hit the court system in rural Jackson County, Georgia, between Atlanta and Athens. Jackson County paid attackers $400,000.
In March 2018, a ransomware attack paralyzed the City of Atlanta for weeks. In April 2019, ransomware struck email and baggage systems at Cleveland Hopkins International Airport. In May, it was the Philadelphia City Court’s First Judicial District. Also in May, Baltimore had to shut down essential city systems as a result of a phishing email. The hackers responsible demanded 13 bitcoins (around $76,280 at the time). The FBI advised not to pay the ransom. It’s estimated that the attack has cost the city no less than $18 million.
And just recently 25 cities in Texas were affected in an orchestrated attack.
In 2019 more than half a dozen cities and public services across the country have fallen to ransomware on nearly a monthly basis.
The ransomware attack on Baltimore is a case study of the vulnerabilities of the nation’s cities and other communities. The amount of the ransom is less of an issue today than the potential future threat of cyberterrorism. First, protecting city systems may prove to be impossible. The functions of cities are siloed in a patchwork of legacy systems, in ways that are perfect for facilitating attacks. Cities rely on networks of third-party vendors that all have different cyber systems.
Several months after the “Robin Hood” ransomware attack in Baltimore, citizens still can’t pay their water bills online. The city’s property market has all but ground to a halt due to the ransomware attack, hobbling a multi-million-dollar real-estate market. Fully restoring systems in Baltimore may take months and still may render hardware and databases unusable, leading to millions in unrecoverable losses. In Atlanta’s case, ransomware also crippled payment systems in the city, including police and first responder capabilities.
Hackers have used ransomware to extort individuals for years. Hacking and ransomware demands on larger businesses and public entities get most of the attention, but colleges and even school districts across the nation have become targets. Why? Schools have large repositories of sensitive information about students (see link) and typically lack the expertise to protect it. Cybercriminals aim to get at this information to extort money from the school systems—and also parents! Many school districts in Idaho, Connecticut, New Mexico, New York, Oklahoma and now Louisiana have been hit with ransomware attacks, shut down, and have paid ransom.
Ransomware afflicts both for-profit and non-profit sectors. The ever-growing trend of ransomware attacks spans numerous industry sectors. There’s no specific pattern—government agencies of every kind at every level, manufacturing, credit unions, utilities—wherever returns can be maximized. As exemplified by Baltimore and Atlanta, the cost of not paying can run well into eight figures. And during the recovery, municipal services can be spotty to nonexistent. (See lists of ransomware attacks in 2018 and 2019.)
The trend of homes filling with smart Internet of Things (IoT) gadgets of all kinds, along with voice-controlled digital assistants, presents another kind of ransomware opportunity and threat. Cybercriminals view IoT devices as gateways into homes, exploiting the lack of security in routers and smartphones/tablets. As discussed later in this article, smartphones especially will become a top target for cybercriminals, not only to hijack routers and the IoT devices connected to them, but also to reach their connections to personal information stored in various clouds. Every form of malicious invasion of homes has to be viewed as possible, given the remarkable level of technical capability, agility, and innovation that cybercriminals have demonstrated in ransomware attack schemes.
Other than money, what are the criminals’ motives? No one knows, although there’s speculation that bad actors in nation-states might be among the culprits trying to create chaos and dysfunction, together with the obvious motive of money. Demanding payment in cryptocurrency makes it virtually untraceable, with little chance of being caught or prosecuted.
Ransomware attacks by nation-states recently were confirmed by Microsoft, which warned about 10,000 of its customers that they had been “targeted or compromised by nation-state attacks,” with the majority coming from Iran, Russia and North Korea. The company said 781 of those attacks were against “political campaigns, parties, and democracy-focused nongovernmental organizations (NGOs),” with 95% of them based in the U.S. We know that two of the most dangerous kinds of ransomware have been SamSam from Iran and WannaCry from North Korea.
Government agencies typically are soft targets for ransomware. At least as a political gesture, over 225 mayors across the U.S. backed a resolution at the annual Conference of Mayors to not pay ransoms to hackers in the event of an IT security breach. According to the statement, at least 170 county, city, or state government systems (including at least 45 police and sheriff’s offices) have been targeted by ransomware attacks since 2013.
Advanced ransomware threat defense features are showing up in more antivirus products, but that is not sufficient. Countless hackers are a market for stronger and stronger brands of malware/ransomware-as-a-service (RaaS) that offer cybercriminals higher infection rates and more operational security. And even more dangerously, cybercriminals are leveraging artificial intelligence to innovatively design ransomware that more successfully evades detection and penetrates defenses, analyzes environments to be infected, and even automates target selections based on vulnerabilities.
In other words, not only are ransomware versions of cyberthreats increasing, they are becoming more adaptive and effective in multifaceted responses to threat defenses. Cybercriminals are not using just one form of ransomware at a time, focusing on a target, but multiple forms of malware that can change synergistically at different stages of attack in response to mitigation efforts.
Phishing emails are on the rise. They are easy to send and lead to a faster return on investment (ROI) for cybercriminals. Phishing emails are created to look like they come from a trustworthy sender, but link to fraudulent websites waiting for user input of sensitive information, or else contain malicious content that executes as soon as users click it, encrypting their data and asking for the ransom. Phishing by linking to websites attempts to obtain sensitive information such as usernames, passwords, and credit card details.
Phishing is so successful today because it takes advantage of the information users share about themselves through social media, and because many users simply are not sufficiently skeptical when it comes to receiving requests to do things like transfer funds, open attachments, or provide sensitive information. “Spear-phishing” emails are so personalized and believable that conventional spam filters fail to detect malicious content.
Another ominous aspect of the evolution of ransomware threats is that they are following data into the cloud. As governments and enterprises increasingly adopt cloud-based software, attacks on that data are increasing significantly.
Ransomware is spyware combined with extortion. It is an international business that will continue to grow, perhaps exponentially, along with increasingly sophisticated and effective threats to national security. Not just governments but nongovernmental groups of every description are purchasing spy tools with ransomware capabilities.
For many years, retirees from national security agencies around the world have been going into the increasingly lucrative spyware business. Consequently, spyware technology born and grown in the U.S. is being used against its own citizens. The first step in what is likely to be a long and complicated process of regulation and control is for U.S. lawmakers to treat spyware and ransomware as weapons that require both effective legal and technological remedies.
St. James Faith Lab will continue to monitor the ongoing challenges of ransomware both now and in the future. Our suggestion is to be diligent about whom you send emails to and receive them from, secure your passwords, and be vigilant about your personal data.
Share your ideas with us!
The Rev. Canon Cindy Evans Voorhees
President
St. James Faith Lab