Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/4/2020
02:00 PM
Fleming Shi
Fleming Shi
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Ransomware Attacks: Why It Should Be Illegal to Pay the Ransom

For cities, states and towns, paying up is short-sighted and only makes the problem worse.

When it comes to ransomware attacks on municipalities, paying hackers isn't the right solution. First, there's no guarantee hackers will return sensitive data. Second, there's no guarantee cybercriminals won't leverage and monetize the data anyway, returned or not. To effectively fight back, we need to make ransomware payments illegal, and develop a strong industry of cyber professionals, a digital army of sorts, to proactively increase security awareness and data protection.

Ransomware attacks on municipal governments, from large cities to small towns, have been crippling their IT operations nationwide, disrupting civilian lives and costing millions of dollars. Cybercriminals use malicious software, delivered as an email attachment or link, to infect the network and lock email, data and other critical files until a ransom is paid. These evolving and sophisticated attacks are damaging and costly. They shut down day-to-day operations, cause chaos, and result in financial losses from downtime, ransom payments, recovery costs, and other unbudgeted and unanticipated expenses.

While ransomware has been around for about 20 years, its popularity has been growing rapidly as of late, especially when it comes to attacks on governments. As of August 2019, more than 70 state and local governments had been hit with ransomware that year alone. Local, county and state governments have all been targets, including schools, libraries, courts, and other municipal entities.

In 2019, some smaller government entities paid ransoms, including two town governments and one county government. In Florida, Lake City paid roughly $500,000 (42 Bitcoin) and Riviera Beach paid about $600,000 (65 Bitcoin) after trying and failing to recover their data. In Indiana, La Porte County paid $130,000 to recover its data.

So far, none of the cities attacked in 2019 have paid a ransom, including Baltimore, which spent $18 million to recover from an attack. Unfortunately, Baltimore has been the victim of two ransomware attacks. In response to these attacks, Baltimore did something different from other cities, including Atlanta and Albany, NY, which have also fallen prey to advanced attacks recently. According to an October article in the Baltimore Sun, the city bought $20 million in cyber liability insurance to cover any additional disruptions to city networks over the next year. The first plan, for $10 million in liability coverage from Chubb Insurance, will cost $500,103 in premiums. The second, for $10 million in excess coverage, will be provided by AXA XL Insurance for $335,000.

Ransom payments fuel the efforts of the cybercriminals. Hackers use that money to become more capable, commit more crimes, and expand their operations. This helps feed into the activities of the Dark Web economy.

Organizations that pay the ransom are also at a higher risk for additional attacks. It's a winning situation for the hacker when the ransom is paid, so they are likely to target the same organization and individuals over and over again to get additional payments. Hackers purposely target the valuable personal records held by the government and other organizations, such as legal records, financial data, and construction applications, as well as assets critical to the day-to-day functions, such as database files, audit logs, and more. As long as the opportunity for payout remains, they will continue to target these organizations.

No organization, whether it's a municipal government or a private company, should lose sight of the fact that insurance isn't a replacement for trying to prevent attacks in the first place. Insurance is meaningless when it comes to solving the problem; it just helps pay the bill. It's also likely to increase the amount of ransom, especially in cases where the amount of cyber liability insurance coverage has been made public.

After a ransomware payment, and the potential reclamation of your data, hackers still have the information and will try to leverage and monetize it. That's why organizations handling the personal information of consumers — such as credit card information, Social Security numbers, and addresses — shouldn't be allowed to pay ransoms. It should be illegal to fund the bad actors, since paying up is ultimately the sale of personal and sensitive information, albeit an unwilling exchange.

Government leaders and executives should be held accountable for the safety of the data. There's a lack of interest and competence when it comes to defending data, yet our private information and our digital identities must be protected.

Defending Against Ransomware Attacks
Government organizations at all levels need preventative and defensive strategies in place, along with disaster and recovery capabilities. The rapidly evolving email threat environment requires advanced inbound and outbound security techniques that go beyond the traditional gateway. Government security professionals must work on closing the technical and human gaps, to maximize security and minimize the risk of falling victim to sophisticated ransomware attacks.

There are a number of solutions to help defend against ransomware attacks (Editor's note: The author's company is one of a number of companies that offer some of these services):

  • Spam Filters/Phishing-Detection Systems
    Spam filters, phishing-detection systems, and related security software can help block potentially threatening messages and attachments.
  • Advanced Firewall
    If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall provides a chance to stop the attack by flagging the executable as it tries to pass through.
  • Malware Detection
    For emails with malicious attachments, static and dynamic analysis can detect indicators that the document is trying to download and run an executable file.
  • User-Awareness Training
    Make phishing simulation part of security awareness training.
  • Backup
    If an attack happens, cloud backup can get your systems restored quickly.

Instead of paying ransoms, we need to build awareness and empower a workforce to help us digitally defend ourselves. This is an opportunity for America to lead the way in cyber protection and to build a strong industry of cybersecurity leaders by creating a variety of new jobs and opportunities to help us protect the data and build a stronger infrastructure.

Cybercriminals are going to keep launching attacks. More talent, skills, and training are needed to protect our governments, businesses, and individual citizens. It's time to think about cybersecurity in a new way.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "AppSec Concerns Drove 61% of Businesses to Change Applications."

Fleming Shi serves as Chief Technology Officer at Barracuda Networks. Fleming joined Barracuda in 2004 as the founding engineer for the company's web security product offerings, helping to create the first version of Barracuda's message archiving product and paving the way ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TomWool
100%
0%
TomWool,
User Rank: Apprentice
2/6/2020 | 7:58:44 PM
Re: Bad Advice from a Non-Involved Vendor
Making it illegal will make it less likely that attacks will be reported to authorities. Organizations will pay up and keep it quiet to avoid legal ramifications.   
acmcgregor
50%
50%
acmcgregor,
User Rank: Author
2/5/2020 | 11:37:53 PM
Re: Bad Advice from a Non-Involved Vendor
It is always a business decision first
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.