Cities are the New Ransomware Target
Print Issue: September 2019
It was not an ideal scenario. Over the course of 12 days in March, cyber actors launched an attack against the City of Atlanta and succeeded in infecting its systems with ransomware.
Iranians Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri allegedly coordinated to carry out a SamSam ransomware campaign on the city. Their efforts caused roughly 3,789 computers to be infected with ransomware—encrypting the data they stored, disrupting systems they operated, and demanding payment to have the data and services returned to normal.
The malicious actors also gave Atlanta options to decrypt their data—0.8 Bitcoin per computer or 6 Bitcoin to decrypt all affected computers, roughly $50,000.
“The ransom note directed the City of Atlanta to a particular Bitcoin address to pay the ransom and supplied a Web domain that was only accessible using a TOR browser; the note suggested that the City of Atlanta could download the decryption key from that website,” according to the U.S. Department of Justice (DOJ). “In the days following the attack, the webpage that purportedly contained the decryption key became inaccessible, and the City of Atlanta did not pay the ransom.”
Instead, the city worked with local law enforcement, the FBI, and the U.S. Secret Service to respond to the incident and restore its systems—an effort that cost roughly $2.6 million, according to a WIRED analysis.
“The bulk of the expenditures relate to incident response and digital forensics, extra staffing, and Microsoft Cloud infrastructure expertise, presumably all related to clawing back the systems that the hackers had frozen,” WIRED found through the Atlanta Department of Procurement.
The DOJ later charged Savandi and Mansouri with intentional damage to protected computers, one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer. They remain at large and their motive remains unclear.
Just over a year later, on 7 May 2019, the City of Baltimore was also hit with a ransomware attack that crippled the city’s roughly 7,000 users. The ransomware, known as “Robbinhood,” demanded 13 Bitcoin—approximately $100,000—to decrypt the data it held hostage.
Baltimore, like Atlanta, did not pay the ransom. In a fact sheet, the city explained that the FBI and Secret Service had advised it against paying the ransom. The city also added that, if it paid the ransom, there was no guarantee that it would get its data back, know for sure who the payment would go to, and uncover if there was other malware on its systems that could be used against Baltimore in the future.
Instead, under the direction of newly sworn-in Mayor Bernard C. “Jack” Young, Baltimore began the painstaking process of restoring its systems and working with law enforcement to investigate the attack. This effort has cost nearly $18.2 million so far, according to The Baltimore Sun.
“As part of our containment strategy, we deployed enhanced monitoring tools throughout our network to gain additional visibility,” Young said in a statement. “As you can imagine, with approximately 7,000 users, this takes time. Some of the restoration efforts also require that we rebuild certain systems to make sure that when we restore business functions, we are doing so in a secure manner.”
This is critical because municipalities seem to increasingly be targets for ransomware. Previously, malicious actors targeted healthcare institutions—which are particularly vulnerable to ransomware due to the value of the data they keep on record and the need to make that data readily available for life-saving measures.
For the second straight year, the 2019 Data Breach Investigations Report by Verizon found that “70 percent of all malware outbreaks” in the healthcare vertical were ransomware incidents. U.S. regulatory requirements mandate that healthcare organizations must treat ransomware like a confirmed data breach, so they are required to disclose them.
Now that Atlanta, Baltimore, and, as of Security Management’s press time, three cities in Florida have been hit by ransomware, it appears that attackers are pivoting towards municipalities for payouts based on their success in targeting the healthcare industry.
In a column for The Washington Post, Tyler Moore, associate professor of cybersecurity at Tandy School of Computer Science at the University of Tulsa, wrote that “system downtime” for hospitals is expensive and can have catastrophic consequences.
“Municipal governments are also expected to provide reliable services without downtime,” he explained. “IT budgets in government, at all levels, are usually tight. Governments operate on procurement cycles that are often out of step with the pace of IT innovation. In the marketplace battle for talent, governments struggle to offer competitive pay for IT professionals. Consequently, municipal-government computer systems tend to be old, and basic cyber hygiene is often neglected.”
When municipalities are hit with ransomware, they’re faced with a tough choice—pay the ransom or spend vast sums of resources to restore their systems. And if cities decide to pay the ransom, they could be funding future iterations of ransomware that are more damaging, says Craig Williams, Cisco’s director of Talos Outreach.
“Ransomware has been around since 1987 but did not see explosive growth until the invention of cryptocurrency and networks like TOR,” Williams explains. “These innovations made the ability to decrypt machines and accept payment relatively safe. Since that time, we have only continued to see things evolve like ransomware worms and wiper malware.”
In addition to funding future developments of ransomware, payments could also wind up in the hands of nation-states or terrorists—who could use them for malicious purposes.
“The source of the Baltimore attack isn’t known yet, but others’ perpetrators are known—for instance, U.S. intelligence agencies have identified North Korea as the source of some attacks,” Moore explained.
For example, the DOJ charged and sanctioned Park Jin Hyok, part of the North Korean Lazarus Group of hackers, for the WannaCry ransomware attack. Hyok was also charged for his alleged involvement in the 2014 cyberattack on Sony Corp.
Organizations also need to be cautious if they hire a data recovery firm in the wake of a ransomware attack. A recent ProPublica analysis found that two U.S. data recovery firms—Proven Data and MonsterCloud—paid ransoms to recover data and charged victims for it, without disclosing it to their clients. Other data recovery firms openly admitted that they paid ransoms to recover client data.
“The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion,” ProPublica wrote. “Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cyber criminals in countries hostile to the U.S., such as Russia and Iran.”
To protect themselves from a similar situation, Williams says he recommends organizations consider data recovery firms with extensive experience recovering ransomed data for similar organizations.
But he cautions that “there is no one-size-fits-all solution for recovery from ransomware. Organizations must balance their priorities and make the best decision in their particular case.”
And because municipalities are likely to be targeted in the future, Williams says those that haven’t been hit yet should design their network defenses with multiple layers to protect their crown jewels.
“If you can’t patch, for example, make sure things are as segmented as possible,” he explains. “Make sure endpoint protection is deployed and active, and make sure best practices—like two-factor authentication—are being followed.”