Ransomware is a very opportunistic crime. Hackers will take the time to research the pain threshold of institutions before they attack. If there is an increased likelihood that an organization will be desperate to regain access to critical files or services, rather than risk extended downtime, it is more likely that institution will pay the demanded ransom. Hackers will also target institutions that have historically neglected to invest in information security technologies. Within organizations like local governments, hospitals, and universities, there are often known security weaknesses and vulnerabilities, but mitigation efforts are not made a priority due to limited budgets and competing projects. Having to make these types of tradeoffs makes these institutions ideal targets for ransomware attacks.
In July of 2019, faculty and staff at Monroe College (Atlanta) were locked out of their email, the learning management system, and the college website following a ransomware attack that disabled many of the institution’s technology systems and platforms. Hackers demanded a hefty payment of approximately $2 million in Bitcoin in order to restore access to the systems, which is one of the highest ransom amounts seen thus far in higher education. Earlier this year, several other colleges had their admissions systems targeted and attacked with ransomware.
We also continue to see local governments targeted, with at least 22 cities reporting attacks in 2019. After its services were crippled in May by a ransomware attack demanding $76,000 in bitcoin, the City of Baltimore had to rebuild entire systems, and the final cost of the attack, in recovery expenses and lost revenue, exceeded $18 million.
On the heels of Atlanta, Baltimore, and many others, including two Florida cities that opted to pay the attackers in order to restore their networks, the US Conference of Mayors passed a resolution calling on city mayors to oppose paying ransomware demands. Not only is there no guarantee that paying the ransom will restore access to your data, but giving in to the attackers’ demands only rewards them for their crime and leads to more attacks. By paying the ransom, you have essentially admitted that you aren’t capable of restoring the information yourself, and you are now just waiting for the next attack to happen.
The primary reason organizations choose to pay the ransom is that they have no good alternative, because they have not consistently backed up their data and systems. Instead of continuing to fund the cyber criminals, organizations should be doing more to prevent and prepare for these kinds of attacks.
Typically these attacks start with a phishing email, so the most important front-line defense against a ransomware attack is employee awareness and education. Staff should know how to recognize suspicious emails and phishing attempts, and report them immediately to the IT department. Implementing simulated phishing tests, in which tailored phishing emails are sent to faculty, staff, and students to test their response, can go a long way toward training employees on the signs to look for and keeping them alert.
It is also important to outline and practice how your institution would respond to a cyberattack as part of your incident response and business continuity planning. On the back-end, verify you have taken defensive steps to secure systems – things like segmenting networks, replacing outdated systems, patching existing software, vulnerability scanning, backing up critical information in separate and secure environments, etc.
It is critical to inventory all resources and services, and then actually test whether, if a system or systems were disabled by an external attack, you would be able to restore them successfully, and how long that effort would take. If you wait to update your security systems and controls until you find yourself in the middle of an attack, you will be forced to do so in a much more frantic manner, with more people involved, more visibility, and at a much higher cost.
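The restore test described in the two paragraphs above, as an added example that is not part of the original post: a Python restore drill that unpacks a backup archive into a clean directory, verifies every restored file against a SHA-256 manifest stored with the offline copy, and reports whether the recovery time objective (RTO) was met. The two-file sample "system", the file names and the manifest/archive layout are all constructed for illustration.

```python
import hashlib, json, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path):
    # Reads the whole file; switch to chunked reading for very large backups.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def files_in(src_dir):
    return [p for p in sorted(Path(src_dir).rglob("*")) if p.is_file()]

def write_manifest(src_dir, backup_dir):
    # Trusted record of what the backup must contain; store it with the offline copy.
    manifest = {p.relative_to(src_dir).as_posix(): sha256_file(p) for p in files_in(src_dir)}
    Path(backup_dir, "manifest.json").write_text(json.dumps(manifest))

def write_archive(src_dir, backup_dir):
    with tarfile.open(Path(backup_dir, "backup.tar"), "w") as tar:
        for p in files_in(src_dir):
            tar.add(str(p), arcname=p.relative_to(src_dir).as_posix())

def restore_drill(backup_dir, restore_dir, rto_seconds):
    """Restore to a clean directory, verify every file against the manifest, check the RTO."""
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    start = time.monotonic()
    with tarfile.open(backup_dir / "backup.tar") as tar:
        # The 'data' filter (3.12, backported to 3.8.17/3.9.17/3.10.12/3.11.4) rejects
        # archive members that would be written outside restore_dir.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)
    elapsed = time.monotonic() - start
    bad = [rel for rel, digest in manifest.items()
           if not (restore_dir / rel).is_file() or sha256_file(restore_dir / rel) != digest]
    return {"files": len(manifest), "mismatched": bad, "elapsed_s": elapsed,
            "passed": not bad and elapsed <= rto_seconds}

def run_demo(tamper=False, rto_seconds=60.0):
    """Constructed sample: a two-file 'system' backed up and restored in temp dirs. tamper=True
    alters one file after the manifest is written, simulating an archive encrypted in place."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp, "live"), Path(tmp, "backup")
        for d in (src, src / "www", backup):
            d.mkdir()
        (src / "db.sql").write_text("CREATE TABLE students (id INT);")
        (src / "www" / "index.html").write_text("<h1>Registrar</h1>")
        write_manifest(src, backup)
        if tamper:
            (src / "db.sql").write_bytes(b"\x00encrypted\x00")
        write_archive(src, backup)
        return restore_drill(backup, Path(tmp, "restore"), rto_seconds)
```

A drill that "passes" only when every hash matches and the elapsed time is within the RTO is the evidence the paragraph asks for; a manifest that lives on the same share as the archive would be encrypted along with it, which is why it belongs with the separate, secure copy.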
Is your organization an easy target for ransomware? If your systems were attacked, are you confident you could restore all data and services in a timely manner?
Additional guidance from our RedLens InfoSec team below:
[Sullivan]: Ransomware is so prolific because it typically results in a quick payoff for attackers, with minimal effort. We’ve seen more and more ransomware in recent years that is ‘wormable’, meaning once it’s inside your organization, it spreads as quickly as it can using any means available.
For this reason, it is just as important to maintain and treat the inside of your network as you would the external-facing parts. Changing default passwords, restricting local admin access, enforcing strong passwords, and patching all systems in a timely manner are extremely important. All it takes is one unpatched system, one weak password, or one admin account to lead to a cascade of ransomware across your entire network.