The victims of malware cover a diverse range of individuals and entities. Now let’s learn about how malware attacks are increasing in frequency within our local community.
The Rise of Ransomware in Cities, Municipalities, Healthcare & Government Organizations
According to the U.S. Conference of Mayors, the official non-partisan organization of cities, ransomware attacks have hit at least 170 county, city, or state government systems since 2013, and 22 of those attacks occurred in the first half of 2019.
Another recent study, performed by the cybersecurity firm Recorded Future, reported a rise of nearly 65% of attacks targeting public state and local governments and health care providers, this amounts to an average of almost three attacks each week.
Cybercriminals are always looking to maximize the profitability of their nefarious activities, and they can reap serious benefits from victimizing organizations over individuals who might yield, at best, a small one-time payout. Larger organizations also need to consider their reputations and may fear a loss of trust with the public or potential liability for civil damages should an individual’s personal information be compromised.
Unfortunately, many organizations choose not to report these incidents, as they hope to avoid news coverage of the attack and subsequent payout. This means that we don’t know how many of these attacks have been actually executed.
Municipal governments are sitting prey for hackers because they hold a lot of potentially valuable data, they’re moving most data systems online, they’re often slow to modernize their technology, and they don’t spend enough on security. There’s the constant risk that more organizations and networks are already suffering from undetected infections that, in time, will become full-blown ransomware attacks.
One of the most notable instances of a wide-ranging malware outbreak was 2017’s WannaCry ransomware attack. According to a report from the United Kingdom’s Department of Health, the attack crippled the U.K.’s National Health Service (NHS), potentially compromising the lives of thousands in addition to costing them over $120 million.
The economic impact of attacks like these is expected to reach more than $11 billion in 2019, according to Cybersecurity Ventures.
Even though strains of ransomware like Ryuk ransomware are far more targeted and tend to hit entities like newspapers, during periods of downtime, for example, the holidays when staff are distracted. These threats typically gain access in the same way as any other piece of malware.
An example of this was the December 7th attack that struck the city of Pensacola using a malware strain known as Maze.
This ransomware was delivered via email phishing.
Most ransomware attacks will start with a phishing email or a smishing or vishing scam. Part of the problem is that the initial infection, which will eventually play host to a ransomware attack, has already gone undetected. That’s why just conducting a security awareness program may not be enough. Entities need to analyze their endpoint detection and ensure that they have established a powerful security posture.
On August 20th, 2019, the Texas Department of Information Resources (DIR) stated that as many as 23 state-run services – including police departments and libraries – had been affected by file-encrypting ransomware. The attackers were demanding $2.5 million to unlock the files.
How can these types of attacks impact you?
Besides the fact that these attacks put governments at risk of losing control of stored classified, confidential and personal information, including social security numbers or credit card information, these attacks may also have operational impacts.
For example, a ransomware attack that can shut down payment platforms or citizen portals, could effectively bring municipal operations to a halt. Municipalities may also be forced to revert back to using pen and paper instead of the applications designed to streamline their operations, effectively taking them back decades technologically.
Even worse, a ransomware capable of shutting down 911 or 311 dispatch systems could even put lives at risk. This was painfully demonstrated when Baltimore, Maryland was hit with a ransomware attack in March of 2019. The ransomware attack shut down the city’s Cad system for approximately 22 hours, impacting the 911 system. Manual dispatching enabled public safety officers to respond to calls during this time period, but the city’s dispatch calls were not recorded.
Experts recommend local governments better train their personnel and enhance their technology to mitigate the damage from these types of attacks – and to prevent the need to shell out ransom money.
A triple Threat Campaign Using Emotet, Trickbot & Ryuk Ransomware
These threats can generally result in damage to the reputation of an organization, stifled productivity, as well as financial damages to both businesses and individuals.
The first step in a ransomware attack usually begins with a hacker penetrating a network and infecting it with a threat like Emotet. Then, the hacker waits patiently for that threat to spread to terminals connected to the network.
Emotet was primarily created as a banking Trojan that is useful on the so-called “Dark Web” as a means to steal credit card details. But lately, Emotet has gone through several alterations and can now be deployed as a means to spread other strains of malware – particularly ransomware.
Due to its stealthy and flexible capabilities, Emotet has become amongst the most prolific forms of malware delivered by spam emails using a technique called phishing.
The hacker group behind Emotet is adept at localization, or geographically specific attacks, and frequently distribute large-scale campaigns in a range of geographies and languages, increasing their global footprint.
According to Proofpoint researchers, between January and March 2019, Emotet accounted for almost two-thirds of all malware payloads delivered through phishing emails.
Emotet injects Trickbot into networks as part of its secondary infection. Trickbot is another banking Trojan that not only steals data but also downloads a third infection, the Ryuk ransomware.
The Emotet-Trickbot-Ryuk attack trifecta steals scores of data including passwords, browser history, personal data, registry info, and other sensitive information, before encrypting the victim’s computer and ransoming their data.
Because the potential profit grows with the range of the infection, hackers can wait weeks, months, or possibly even years for the threat to spread itself. The farther reaching it goes, the more difficult it is to trace the origination point for the infection, and the harder it will be to defend against the coming ransomware attack.
When the hacker is satisfied that the infection has a stronghold on the victim’s network, the hacker may lay low and wait for a time when the victim’s defenses are truly let down – perhaps a weekend during the holiday season, for example – and that’s the moment they will start to inject the ransomware strain. Before the victim even realizes what has just occurred, their entire system is locked, and the only way to regain access to their files is to pay the ransom.
