It has been almost two weeks since an attack with SamSam ransomware crippled much of the city of Atlanta, and that city’s administration is still struggling. SamSam encrypted data at five of the city’s 13 departments, blocking employees and residents from accessing city applications and records. Officials had to rely on paper and telephones, and to work without records that in some cases went back as far as 16 years. Recovery efforts are ongoing, but remain a challenge. The attackers demanded a ransom of $51,000 in bitcoin to decrypt all affected files, but that option, questionable as it was, is now gone: SamSam’s operators deleted the payment site after its address went public.
One small mercy for Atlanta is that emergency systems such as the 911 service were not affected. Unfortunately, Baltimore was not so lucky. On March 25, that city’s 911 system became the latest of dozens of such systems to be targeted by ransomware. The Baltimore attack caused a 17-hour shutdown of automated emergency dispatching and forced dispatchers to process requests manually.
Romanian antivirus company Bitdefender estimated that ransomware payments exceeded $2 billion in 2017, and total damages are likely much higher: the Russia-linked NotPetya operation in June of that year alone caused more than a billion dollars in damage.
There is every reason to expect that the number of ransomware attacks will continue to grow, and the attacks on Atlanta and Baltimore are more of a beginning than an end. Unfortunately for government offices, they will likely find themselves a particularly popular target for ransomware, as Atlanta’s continuing difficulties highlight how vulnerable many administrations are.
Nor are governments the only ones at risk: companies suffer when ransomware interferes with their operations, or when clients and suppliers are the ones slowed or stopped by ransomware. Individuals can be victims as well, either through direct infection or when ransomware takes out organizations that they rely on. Ransomware’s ever-growing list of victims includes governments, hospitals, schools, utilities, financial institutions, factories, media outlets, a vaccine manufacturer, and even a chocolate factory.
In May 2017, a particularly virulent strain of ransomware linked to North Korea called WannaCry infected 47 regional divisions of Britain’s National Health Service, locking access to patient records and hospital operations. The NHS was forced to cancel surgeries and delay treatments and asked all patients not suffering emergencies to please stay away.
In the U.S., the Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 after a week of failed efforts to regain critical data needed for hospital operations. During the downtime, patients were transferred to other facilities that could provide the care they needed, and medical records could not be shared. The hospital was infected with a ransomware variant called Locky, which at its height infected roughly 90,000 devices per day and runs a dedicated campaign targeting hospitals.
A big part of the problem is how easy ransomware makes things for cybercriminals. In traditional cybercrime, attackers must find and steal well-protected data or access, and then possibly also find a buyer who wants it; ransomware attacks must simply block victims’ access to their own data. Most data and operations are valuable to their owners, even if they aren’t the sort of thing that could be easily sold to others.
Ransomware is also technically easy. It typically relies on relatively simple attacks using known vulnerabilities. Multiple versions are available online for sale or rent to attackers unable to develop their own. If any type of payment is too much, there are free versions, some posted as “research.” Even SamSam, which is sophisticated for ransomware, is particularly dangerous because of the time the attackers put into monitoring and responding to their victims, not the sophistication of their attacks.
Ransomware doesn’t have to be better because so many targets just don’t have good security. Many vulnerable organizations aren’t used to thinking of themselves as high-value targets and upgrading what are often older systems and operations is difficult for them. Particularly vulnerable sectors include government, health and, famously, much of critical infrastructure. They are easy targets that can’t afford much downtime, if any.
Also helpful for criminals, most ransom payments are made using cryptocurrencies. This allows cybercriminals to skip the extensive and risky money laundering efforts that are required when stealing fiat currencies. The ability to launder money is a chokepoint in the traditional cybercriminal transaction chain. Demand exceeds supply and good money laundering services are correspondingly expensive—the best charge up to 60 percent commission. Money laundering is also risky. It is where cybercriminals must connect to the outside world, and therefore where traditional law enforcement can connect to them.
Ransomware is so effective, and so common, that even nation states use it when they want to cover their tracks. This typically means something low-key, such as concealing evidence following a cyberespionage operation. Occasionally it can mean something more. Several countries, including the United States, accuse North Korea of using WannaCry to infect more than 230,000 computers in over 150 countries in its first day alone.
The United States is also among the countries accusing Russia of using what appeared to be ransomware to damage another country, Ukraine, through malware called NotPetya. Despite efforts by its creators to restrict infections to Ukraine, NotPetya spread so effectively that it infected organizations worldwide, including several multinational firms, causing months of downtime and estimated damages of $1.2 billion.
Much attention is paid to the potential risks of destructive cyberattacks by sophisticated, capable nation states. Those risks are real and should be taken seriously. However, those nations are major countries with vulnerable targets of their own, and they will likely hesitate before launching a truly damaging attack. Low-level operations like most ransomware attacks are not nearly as frightening in comparison, but there are people able and willing to cause significant damage now.
So, how can we fight ransomware?
The simplest answer is to say do not pay the ransom. Doing so encourages further operations and paying up won’t help all victims anyway, as many ransomware operations don’t ever decrypt data and some just destroy it to begin with. Others might start off seriously, but then revoke the payment option if they encounter difficulties, as happened with SamSam in Atlanta.
Unfortunately, too many victims need their data and continued operations enough that they do pay. Atlanta and Baltimore deserve praise for resisting the temptation to quietly pay and resume operations, but not all organizations are able to do that.
Although possible in theory, prevention is even more difficult for some. Most ransomware infections are avoidable or easily mitigated with up-to-date defenses and effective backup policies, but for many organizations like the city of Atlanta, getting to that point would require rapid and extensive reform of security operations. That would require significant resources and expertise—things that many municipal governments like Atlanta lack.
Outside assistance could come from the federal government, and some does, but not at the levels required to effectively protect all at-risk public and private sector organizations in the United States. The federal government already struggles to protect its own departments and the sectors designated as critical, and it lacks the wherewithal to conduct the truly massive undertaking that would be required. Private sector cooperation is improving and there are structures in place to encourage it, but not at a level that could significantly and rapidly improve so many vulnerable organizations.
Which leaves an unfortunate truth: Ransomware is with us for the time being—and there are more serious attacks to come.