Dark Reading is part of the Informa Tech Division of Informa PLC


2/4/2020
02:00 PM
Fleming Shi

Ransomware Attacks: Why It Should Be Illegal to Pay the Ransom

For cities, states and towns, paying up is short-sighted and only makes the problem worse.

When it comes to ransomware attacks on municipalities, paying hackers isn't the right solution. First, there's no guarantee hackers will return sensitive data. Second, there's no guarantee cybercriminals won't leverage and monetize the data anyway, returned or not. To effectively fight back, we need to make ransomware payments illegal, and develop a strong industry of cyber professionals, a digital army of sorts, to proactively increase security awareness and data protection.

Ransomware attacks on municipal governments, from large cities to small towns, have been crippling their IT operations nationwide, disrupting civilian lives and costing millions of dollars. Cybercriminals use malicious software, delivered as an email attachment or link, to infect the network and lock email, data and other critical files until a ransom is paid. These evolving and sophisticated attacks are damaging and costly. They shut down day-to-day operations, cause chaos, and result in financial losses from downtime, ransom payments, recovery costs, and other unbudgeted and unanticipated expenses.

While ransomware has been around for about 20 years, its popularity has been growing rapidly as of late, especially when it comes to attacks on governments. As of August 2019, more than 70 state and local governments had been hit with ransomware that year alone. Local, county and state governments have all been targets, including schools, libraries, courts, and other municipal entities.

In 2019, some smaller government entities paid ransoms, including two town governments and one county government. In Florida, Lake City paid roughly $500,000 (42 Bitcoin) and Riviera Beach paid about $600,000 (65 Bitcoin) after trying and failing to recover their data. In Indiana, La Porte County paid $130,000 to recover its data.

So far, none of the cities attacked in 2019 have paid a ransom, including Baltimore, which spent $18 million to recover from an attack. Unfortunately, Baltimore has been the victim of two ransomware attacks. In response to these attacks, Baltimore did something different from other cities, including Atlanta and Albany, NY, which have also fallen prey to advanced attacks recently. According to an October article in the Baltimore Sun, the city bought $20 million in cyber liability insurance to cover any additional disruptions to city networks over the next year. The first plan, for $10 million in liability coverage from Chubb Insurance, will cost $500,103 in premiums. The second, for $10 million in excess coverage, will be provided by AXA XL Insurance for $335,000.

Ransom payments fuel the efforts of the cybercriminals. Hackers use that money to become more capable, commit more crimes, and expand their operations. This helps feed into the activities of the Dark Web economy.

Organizations that pay the ransom are also at a higher risk for additional attacks. It's a winning situation for the hacker when the ransom is paid, so they are likely to target the same organization and individuals over and over again to get additional payments. Hackers purposely target the valuable personal records held by the government and other organizations, such as legal records, financial data, and construction applications, as well as assets critical to the day-to-day functions, such as database files, audit logs, and more. As long as the opportunity for payout remains, they will continue to target these organizations.

No organization, whether it's a municipal government or a private company, should lose sight of the fact that insurance isn't a replacement for trying to prevent attacks in the first place. Insurance is meaningless when it comes to solving the problem; it just helps pay the bill. It's also likely to increase the amount of ransom, especially in cases where the amount of cyber liability insurance coverage has been made public.

After a ransomware payment, and the potential reclamation of your data, hackers still have the information and will try to leverage and monetize it. That's why organizations handling the personal information of consumers — such as credit card information, Social Security numbers, and addresses — shouldn't be allowed to pay ransoms. It should be illegal to fund the bad actors, since paying up is ultimately the sale of personal and sensitive information, albeit an unwilling exchange.

Government leaders and executives should be held accountable for the safety of the data. There's a lack of interest and competence when it comes to defending data, yet our private information and our digital identities must be protected.

Defending Against Ransomware Attacks
Government organizations at all levels need preventative and defensive strategies in place, along with disaster and recovery capabilities. The rapidly evolving email threat environment requires advanced inbound and outbound security techniques that go beyond the traditional gateway. Government security professionals must work on closing the technical and human gaps, to maximize security and minimize the risk of falling victim to sophisticated ransomware attacks.

There are a number of solutions to help defend against ransomware attacks (Editor's note: The author's company is one of a number of companies that offer some of these services):

  • Spam Filters/Phishing-Detection Systems
    Spam filters, phishing-detection systems, and related security software can help block potentially threatening messages and attachments.
  • Advanced Firewall
    If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall provides a chance to stop the attack by flagging the executable as it tries to pass through.
  • Malware Detection
    For emails with malicious attachments, static and dynamic analysis can detect indicators that the document is trying to download and run an executable file.
  • User-Awareness Training
    Make phishing simulation part of security awareness training.
  • Backup
    If an attack happens, cloud backup can get your systems restored quickly.

Instead of paying ransoms, we need to build awareness and empower a workforce to help us digitally defend ourselves. This is an opportunity for America to lead the way in cyber protection and to build a strong industry of cybersecurity leaders by creating a variety of new jobs and opportunities to help us protect the data and build a stronger infrastructure.

Cybercriminals are going to keep launching attacks. More talent, skills, and training are needed to protect our governments, businesses, and individual citizens. It's time to think about cybersecurity in a new way.


Fleming Shi serves as Chief Technology Officer at Barracuda Networks. Fleming joined Barracuda in 2004 as the founding engineer for the company's web security product offerings, helping to create the first version of Barracuda's message archiving product and paving the way ...
Comments
TomWool,
User Rank: Apprentice
2/6/2020 | 7:58:44 PM
Re: Bad Advice from a Non-Involved Vendor
Making it illegal will make it less likely that attacks will be reported to authorities. Organizations will pay up and keep it quiet to avoid legal ramifications.   
acmcgregor,
User Rank: Author
2/5/2020 | 11:37:53 PM
Re: Bad Advice from a Non-Involved Vendor
It is always a business decision first.
[email protected],
User Rank: Strategist
2/5/2020 | 10:10:27 AM
Bad Advice from a Non-Involved Vendor
While it sounds great to make ransomware payments illegal, the author's perspective is one of being a non-involved vendor living and working in an ivory tower.  Real life, aka business, is not as simple.

It is easy to say that organizations should have good cybersecurity.  We all say it.  We all scream it from the rooftops.  Sadly, reality is far different when budgets and priorities enter the equation.

In reality, paying a ransom often presents the fastest return to operations. Paying a ransom can drastically reduce the Mean Time To Repair, resulting in less downtime and less risk of long-term issues (like lawsuits and negative insurance claims).

Paying a ransom is a business decision and should never be regulated by government.