Ransomware attacks are increasingly becoming a public affair.
During the height of ransomware attacks in 2017, especially as WannaCry and NotPetya rampaged, the majority of incidents targeted private businesses and enterprises. While some of these incidents became public, most companies did their best to keep these cyber attacks quiet. (See WannaCry: How the Notorious Worm Changed Ransomware.)
The notable exception was the UK's National Health Service (NHS), which was hit particularly hard, and the attack itself drew a good deal of public attention and scrutiny. It proved a black eye for the venerable British institution. (See WannaCry Was an Avoidable Mess for NHS.)
Now, more ransomware incidents are happening to more public institutions. In 2018, the cities of Atlanta and Baltimore each experienced cyber attacks, a fact many believe is related to a strain of malware called SamSam. (See SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains.)
In recent weeks, ransomware went public again, with attacks targeting two of the world's busiest ports. The first hit the Port of Barcelona, affecting servers and other computer systems and causing delays in land operations, although ships continued to dock and unload cargo, according to local media reports.
The Port of San Diego was targeted in late September, and although the port authorities did not give out much in the way of specifics, it appears the cyber attack was some strain of ransomware.
"The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems," according to a September 26 statement.
Both incidents remain under investigation as the two ports continue to recover and rebuild their IT infrastructure.
Public versus private
Since both ports are public entities run by local governments, each had at least some obligation to report the incidents, unlike a private business, which could quietly pay the ransom or throw money at security services to fix the systems and get backup systems working.
Taken together, the attacks in Atlanta, Baltimore, San Diego and Barcelona show that attackers are using ransomware to disrupt highly visible targets, whether it's for monetary gain or to sow chaos for a time.
"Ransomware of course plagues everyone, consumer and business alike, but businesses and organizations in the public sector are particularly vulnerable, given that many of them literally cannot afford to be offline or out of service for any time at all," Rik Turner, an analyst with Ovum, wrote in an email to Security Now. "It's the 'we couldn't give you a blood transfusion because our systems were down' scenario."
In its recent quarterly summary of cyber threats, McAfee Labs found that ransomware remains a serious problem, although the total number of new samples of the malware continues to drop from its peak in the fourth quarter of 2017. In the last ten months, cybercriminals have increasingly turned their attention to cryptomining and cryptojacking, which is much more lucrative and requires less upfront investment and fewer technical skills.
Still, cybercriminals can make money off ransomware. A study by Sophos found that the threat actors behind SamSam have collected about $6 million so far, and the malware continues to infect victims, which included the city of Atlanta.
Ransomware attacks also cost organizations as they rebuild. Atlanta shelled out over $2 million to recover from the attack and to hire consultants to help rebuild its infrastructure. All told, ransomware is expected to cost businesses and other organizations about $11.5 billion by 2019, according to a study conducted by Cybersecurity Ventures. (See Atlanta's Ransomware Attack Cost Around $2.6M – Report.)
Also, Gartner recently estimated that the WannaCry attacks of 2017 alone cost anywhere between $1.5 and $4 billion. (See Security Needs to Start Speaking the Language of Business.)
More than money
Not all ransomware attacks are designed to extract money from the victims. In many cases, especially with these more public incidents, the attackers could be looking for other vulnerabilities in the system, or use the ransomware to disguise an ongoing cyber espionage scheme or an Advanced Persistent Threat (APT).
"While the returns from targeting public organizations with ransomware are lower -- due to federal/local protocol that forbids payments of ransom or due to lack of resources -- attackers can cause a wider range of disruption by attacking these organizations," Abhishek Iyer, the technical marketing manager at Demisto, which provides security automation and orchestration and response tools, wrote in an email to Security Now.
"Halting operations at a port often has tangible and wide-reaching repercussions that affect multiple industries and countries; perhaps attackers hope this will force the victims' hand," Iyer added. "It should also be highlighted that attackers do not always have monetary gains in mind -- even in ransomware cases. If attackers are aiming for chaos rather than money, targeting public organizations is a potent way of reaching that goal."