More and more governments, hospitals, educational institutions and other businesses are facing this crisis around the world, as the ransomware epidemic shows no signs of slowing.
Back in 2013, I described ransomware as a new, growing cyberthreat, and last year the online challenge became an emergency for many hospitals. However, a recent report by BitSightTech.com highlighted that ransomware was not just (or even mainly) a health-care problem, but rather education and government were the two top industries affected by ransomware.
“Education has the highest rate of ransomware of all industries examined in this report. In fact, these institutions have over three times the rate of ransomware found in Healthcare and more than ten times the rate found in Finance. Of the six industries examined, Government had the second-lowest security rating and the second-highest rate of ransomware. In fact, ransomware in this sector more than tripled over the last 12 months. …”
Indeed, I highlighted this accelerating ransomware trend in my 2016 year-end cyberhighlights summary, and most experts predicted even more (and different or evolving types of) ransomware in 2017.
A Deeper Dive: Government Ransomware
To take a deeper look at ransomware in government, I turned to Jack Danahy.
Jack Danahy is the co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security. He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard Technologies in 2000) and Ounce Labs (acquired by IBM in 2009).
Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the director of advanced security for IBM, and led the delivery of security services for IBM in North America.
He was also highlighted in this interview with Wired magazine on ransomware, and in this SecurityWeek article on the changes in ransomware.
Dan Lohrmann (DL): How has ransomware evolved over the past few years?
Jack Danahy (JD): In some ways, ransomware has been forced to evolve by its own success. As successful ransomware campaigns have gained publicity, potential victims have become aware that they need to be more careful, and they need to improve their backup and restoration processes to be able to respond. When they feel that they can quickly recover from the data loss associated with a traditional ransomware attack, they are less likely to pay the ransom. As a result, ransomware writers have now begun to change their tactics.
In the Bingham County, Idaho, example, the attackers didn't rely on a traditional phishing attack or malicious link; they actively infected the system using brute force attack to gain access, then deployed a rapidly spreading version of ransomware that corrupted multiple systems, forcing the county to pay ransom on the few that could not be recovered.
These campaigns against multiple systems, using attack techniques from traditional hacking, disabling systems and not just threatening data, show that ransomware is going to remain an evolving threat for some time.
DL: What are some of the biggest ransomware incidents that you have seen affecting governments?
JD: Looking at their impacts, we have seen several that have actually shut down government services, like the example in Bingham County, another in Licking County, Ohio, and multiple events against police departments in places like Texas, Massachusetts, and even Washington, D.C. About a year ago, DHS described the seriousness of this issue for the federal government in their response to a Senate request for information on ransomware's impacts.
DL: The recent Bingham County (Idaho) ransomware incident got your attention for many reasons. Can you tell us why? Were there unique factors or common factors that other government entities need to be aware of?
JD: Bingham County was one of the few recent public examples where there was sufficient detail released to provide the opportunity for others to learn some lessons about the nature of the changing ransomware threat. Probably the most important was that Bingham County had done a good job with their protection and their backups, but that the attack was wide-ranging enough that it managed to infect three critical systems for which backups were either corrupted or nonexistent. The lesson here was to create a protection strategy that integrated good backup within a broader plan for ransomware.
DL: What lessons and/or actionable tips can help other towns, government agencies and businesses avoid these costly attacks?
JD: There are other new ransomware tactics, from corrupting disks to threatening the release of private information, and the first lesson is to consider all of the ways that ransomware may affect your agency. Even in the presence of an idealized 100 percent data recovery solution, there are still campaigns that can cause real havoc, downtime and damage.
The second lesson is that the battle for protection isn't over yet. When you look up "ransomware protection" online, you are mainly presented with recovery solutions, and that white flag doesn't have to be waved yet. Ransomware does a good job of avoiding signature-based protections by changing its appearance frequently and using fileless techniques, but these can be blocked by newer forms of runtime malware defense that recognize and block their behaviors.
The third lesson is to apply more resources to testing agency infrastructure against these attacks. Whether backups or prevention products, exercising the security strategy with simulated attacks and testing for full recoveries are the best ways to identify any gaps and provide organizational confidence.
DL: This ransomware trend has been growing fast all over the country, where do you see this going? Do you see the bad guys changing their tactics?
JD: Ransomware is accelerating in its growth because of the anonymity and profitability of its execution. The use of bitcoin payments and even hosted ransomware service sites provides a level of separation between criminal and crime that will keep ransomware attacks viable. The technology that underlies the successful campaign is where we can expect to see the most change. Already, as backups put a dent in the threat of lost data, doxxing ransomware adds the specter of private files released publicly.
Criminals seek to maximize their profits, so we can also expect to see advancements that increase the spread and virulence of campaigns. Given the breadth of these impacts and the cost of recovery, we should also expect to see a continuing rise in ransom demands, which we have already seen more than double in the last 12 months.
DL: Is there anything else you would like to mention about ransomware attacks in the public and private sector?
JD: Ransomware is going to be with us for a very long time. These attackers exist to monetize their computer skills in a criminal enterprise, and the value of traditional stolen data (credit cards, Social Security numbers, health-care records) has cratered because of the ongoing and remarkable success of thieves stealing it. The threat of downtime, data loss, or lawsuits and public humiliation from disclosure, remain potent, so we are going to see more, and more sophisticated, weapons that make this kind of crime a reality.
Finally, experienced security teams know that every piece of malicious software cannot be caught before it can run, and incidents like the Idaho county show how painful cleanup is. There is an urgent need for runtime malware defense solutions to fill this gap, and it is the next area of protection investment by both solution providers and their customers in the private and public sectors.
DL: Thank you, Jack, for taking the time to answer my questions on ransomware. I know that governments around the world can benefit by listening to and applying your advice.
