Ransomware attacks are increasingly becoming a public affair.
During the height of ransomware attacks in 2017, especially as WannaCry and NotPetya rampaged, the majority of incidents targeted private businesses and enterprises. While some of these incidents became public, most companies did their best to keep these cyber attacks quiet. (See WannaCry: How the Notorious Worm Changed Ransomware.)
The notable exception was the UK's National Health Service (NHS), which was hit particularly hard, and the attack itself drew a good deal of public attention and scrutiny. It proved a black eye for the venerable British institution. (See WannaCry Was an Avoidable Mess for NHS.)
Now, more ransomware incidents are happening to more public institutions. In 2018, the cities of Atlanta and Baltimore each experienced cyber attacks, a fact many believe is related to a strain of malware called SamSam. (See SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains .)
In recent weeks, ransomware went public again, with attacks targeting two of the world's busiest ports. The first hit the Port of Barcelona, which affected servers and other computer systems that caused delays within in land operations, although ships continued to dock and unload cargo, according to local media reports.
The Port of San Diego was targeted in late September, and although the port authorities did not give out much in the way of specifics, it appears the cyber attack was some strain of ransomware.
"The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems," according to a September 26 statement
Both incidents remain under investigation as the two ports continue to recover and rebuild their IT infrastructure.
Public versus private
Since both ports are public entities run by local governments, each had at least some obligation to report the incidents, unlike a private business, which could quietly pay the ransom or throw money at security services to fix the systems and get backup systems working.
Taken together, the attacks in Atlanta, Baltimore, San Diego and Barcelona show that attackers are using ransomware to disrupt highly visible targets, whether it's for monetary gain or to sow chaos for a time.
"Ransomware of course plagues everyone, consumer and business alike, but businesses and organizations in the public sector are particularly vulnerable, given that many of them literally cannot afford to be offline or out of service for any time at all," Rik Turner, an analyst with Ovum, wrote in an email to Security Now. "It's the 'we couldn't give you a blood transfusion because our systems were down' scenario."
In its recent quarterly summary of cyber threats, McAfee Labs found
that ransomware remains a serious problem, although the total number of new samples of the malware continues to drop from its peak in the fourth quarter of 2017. In the last ten months, cybercriminals have increasingly turned their attention to cryptomining and cryptojacking, which is much more lucrative and requires less upfront investment and fewer technical skills.
Still, cybercriminals can make money off ransomware. A study by Sophos found that the threat actors behind SamSam have collected about $6 million so far, and the malware continues to infect victims, which included the city of Atlanta.
Ransomware attacks also cost organizations as they rebuild. Atlanta shelled out over $2 million to recover from the attack and to hire consultants to help rebuild its infrastructure. All told, ransomware is expected to cost businesses and other organizations about $11.5 billion by 2019, according to a study conducted by Cybersecurity Ventures. (See Atlanta's Ransomware Attack Cost Around $2.6M – Report.)
Also, Gartner recently estimated that the WannCry attacks of 2017 alone cost anywhere between $1.5 and $4 billion. (See Security Needs to Start Speaking the Language of Business.)
More than money
Not all ransomware attacks are designed to extract money from the victims. In many cases, especially with these more public incidents, the attackers could be looking for other vulnerabilities in the system, or use the ransomware to disguise an ongoing cyber espionage scheme or an Advanced Persistent Threat (APT).
"While the returns from targeting public organizations with ransomware is lower -- due to federal/local protocol that forbids payments of ransom or due to lack of resources -- attackers can cause a wider range of disruption by attacking these organizations," Abhishek Iyer, the technical marketing manager at Demisto, which provides security automation and orchestration and response tools, wrote in an email to Security Now.
"Halting operations at a port often has tangible and wide-reaching repercussions that affect multiple industries and countries; perhaps attackers hope this will force the victims' hand," Iyer added. "It should also be highlighted that attackers do not always have monetary gains in mind -- even in ransomware cases. If attackers are aiming for chaos rather than money, targeting public organizations is a potent way of reaching that goal."
Next page: Anticipating the next attack
Anupam Sahai, the vice president of product management at Cavirin, which makes compliance and risk management tools for hybrid clouds, noted in an email that ports are one of 16 different critical infrastructures listed by the US Department of Homeland Security.
An attack against a port could be a test run of a bigger attack that is being planned.
"A compromised port facility may also provide easier entry for nuclear, biological, or chemical agents to be used in future physical attacks," Sahai wrote.
What complicates ransomware attacks on public institutions, besides the underlying motive, is the whole notion of money -- specifically, that government institutions lack the cash to pay ransoms or have strict rules prohibiting such action.
Many of these agencies and organization also lack the cybersecurity skills to fight off, or at least recover from, a ransomware attack.
Port of Barcelona
Ovum's Turner notes that the NHS knew it had systems that needed patching, but the IT and security staffs could not find the time or resources to conduct all the proper maintenance of its IT infrastructure. He noted:
Add to that the fact that some ransomware attacks such as WannaCry exploit common, well-known and well-documented vulnerabilities that should have been patched months beforehand, but which IT departments in places such as the UK's National Health Service were unable to patch across their entire infrastructure because they couldn't find the right moment to take down vital assets to perform the update. This makes for a perfect storm of "operationally justifiable vulnerability" that ransomware attacks can exploit at their leisure.
Still, state and local governments, along with other public agencies, need to take the security steps that they can, which includes developing a multi-layer program that can stop malware and other intrusion from coming onto the network to start, said Darius Goodall, pirector of product marketing at Barracuda Networks, who has worked with Miami, Oklahoma City and others on cybersecurity prevention.
While prevention is the key, Goodall concedes that ransomware can still get through. In that case, government agencies need specific backup plans to get systems restored and to ensure that services continue for the public.
"If data backup is not in place, there are a few steps one can take. First, find out what type of ransomware it is, e.g. encryption, screen-locking, etc., from there you can see if you're still able to access files, especially from another location like a mobile device. If so, then the ransomware is likely fake," Goodall wrote in an email.
"If it's encryption or screen-locking, disconnect from your network and use anti-malware or antivirus software to clean the ransomware and use a data recovery tool to help find those deleted files that are often trashed once ransomware encrypts new copies," he added.
Goodall adds that he never recommends any cyber attack victim negotiate with threat actors, but he understands the temptation of doing so. Instead, as the cliché goes, the best offense is a good defense.
"The real challenge many organizations face is implementing the security measures necessary to prevent your organization from ever finding itself in the position in the first place," Goodall wrote.
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.