Cybercriminals are increasingly hitting school districts, hospitals, government agencies and small businesses, forcing them to pay big money to unlock their systems and restore data, according to reports by the FBI.
(TNS) — The ransomware attack hit Sept. 1, crippling a network affecting thousands of users and employees.
Yet the cybercriminals who held a massive network hostage for more than a week to extort money weren't targeting a Fortune 500 company or a secret service agency.
They went after a suburban school district.
Cybercriminals are increasingly hitting school districts, hospitals, government agencies and small businesses, forcing them to pay big money to unlock their systems and restore data, according to reports by the Federal Bureau of Investigation and agencies that track cybercrimes.
"Criminals are moving from targeting individual users to launching more sophisticated attacks on enterprise-level victims, businesses and the public sector," said FBI Special Agent Adam Lawson, who reports the surge in ransomware attacks is happening across all sectors.
"Every institution is different in how they prepare for a cyber event, but it's not a matter of if ? it's a matter of when," Lawson said. "You'll be attacked by some cybercriminal at some point."
The September 2019 attack targeted the Souderton Area School District, locking the district out of its network. Students were told not to use school-issued laptops and district employees not to access their email.
To keep schools and offices running, Wi-Fi hotspots were brought in by Comcast and AT&T. It cost the district $800,000 and the hiring of a cybersecurity firm to "bring everything back to normal," Superintendent Frank Gallagher said.
The district had been hit by ransomware, a type of malicious software that infiltrates computer systems, locks them down, and encrypts all the files. Typically, with an attack, the network or system is then held hostage by encryption until payments are made.
Lawson has seen ransom requests as low as $300 for individual users and demands in excess of $5 million for larger enterprises. "We don't get feedback on some cases on whether they pay or not," he said.
More than just a financial loss is at stake, Lawson said.
"With ransomware affecting hospitals, encrypting patient records ... It could be pretty dangerous in an ER situation," he said. "And taking 911 centers out of automated mode, where they have to do things manually, has affected response times. It's had a profound impact on the American public."
In 2019, Emsisoft alone reported that ransomware hit 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges and school districts, affecting potentially more than 1,000 individual schools. Across Pennsylvania, criminals have infiltrated libraries, courts, prisons and housing authorities. At least one Bucks County municipality has been attacked recently, county officials said.
In October 2019, Cherry Hill School District in New Jersey was struck by ransomware , dismantling email services and the internet during the week that files were reportedly encrypted. Other victims of ransomware included Pinelands Regional School District, the city of Allentown, Northern Lehigh School District, Temple University Health System and The Ambulatory Surgery Center at St. Mary, affecting 13,000 patients, according to data collected by U.S. Department of Health and Human Services.
Lawson said the most common method of attack is through "spear phishing," where emails are sent to end users that result in the rapid encryption of files on a network. When the victim gets locked out, the cybercriminal demands the payment of a ransom, typically in virtual currency.
He said the FBI's Internet Crime Report shows that while the number of ransomware attacks dropped last year, the amount of losses increased, because of shifting targets to larger entities and fewer individual consumers. Recent months, however, show that attacks of ransomware are now spiking back up.
In 2019, the FBI received 2,047 complaints identified as ransomware costing consumers and businesses more than $8.9 million, according to the bureau's Internet Core Competency Certification (IC3) 2019 Internet Crime Report.
Tactics these criminals use make it extremely difficult for law enforcement to catch them, Lawson said. Oftentimes, cybercriminals hide their location and route communications through multiple countries, with many committing crimes in other countries where they cannot be prosecuted.
Michael Bannon, director of Bucks County Consumer Protection, said cyberattacks on small businesses in the region have skyrocketed recently. Local governments have been affected, too.
In past years, the bulk of cybercrimes reported to his office were from residents who had their computer locked down. Now, the targets are changing.
Of the spike in business and government cyberattacks, Bannon said: "We went from zero a few years ago to 200 a year now."
While ransomware attacks involving personal computers are still happening, he said, "Scam artists realize they can get bigger paydays by going after bigger fish like smaller businesses and government organizations."
Blake Lertzman, owner of Dtown Tech, a Doylestown Borough-based IT firm, said he too has seen a decline in the number of individual consumers targeted and an uptick in small businesses affected.
Lertzman said the losses can be devastating for a small business, as scammers lock access to contacts, calendars, billing records and details of company accounts. One customer, a local body shop, reported a case of ransomware that locked 30 years of company records.
Cybercriminals, Lertzman said, are following the money and are also well aware that these targets need their systems up and running and may be more likely to pay the ransom.
"For many people, if you don't pay ransom, you have to rebuild and start fresh," he said.
The body shop "dodged a bullet" because they had a software package that included backups, Lertzman said. "Otherwise they would have lost 30 years of client information."
In Souderton, Gallagher said no student information was compromised and the district restored all its data. In response, the district added a two-factor authentication for logging into its system and invested in "industry-level protections that we did not have before," said Gallagher, who is encouraging other districts to spend the extra money for stronger fortifications.
"We chose to contract with a cybersecurity company to get us through this," said the superintendent, adding that hackers are preying on public agencies because they often don't have the same level of resources dedicated to security as larger corporations.
"Now we're investing because it's essential. Technology is such a big part of everything we do."
Last spring, Pennsylvania Auditor General Eugene DePasquale urged state lawmakers to invest in helping school districts strengthen cybersecurity.
"With the number of cyberattacks continuing to rise, the state should make sure school districts have the resources they need to protect themselves," said DePasquale, who noted that no action has occurred at the state level since a 2017 survey by his office showed a majority of Pennsylvania school districts were concerned about cybersecurity and expected risks to increase.
"Cyberattacks on school districts could jeopardize Social Security numbers, tax data, student records ? a wide range of sensitive information," he said.
The extent of how ransomware has affected area institutions is unknown, since most organizations who fall victim are not eager to report the crimes, nor how they responded to them.
While regulations require U.S. health care companies that sustain a data breach to alert the government and public, no law requires non-healthcare entities to report instances of ransomware. Security data companies, however, piece together news reports, like a nationwide map of school incidents, to alert the public.
Alan Herr, owner HPT Systems in Upper Southampton, which offers IT services to several municipalities and police departments across Bucks and Montgomery counties, said that ransomware attacks are increasing and wreaking more havoc on local government agencies and businesses.
"They have gotten more and more severe through the years as they've gotten more clever in how they spread," said Herr.
For example, Bristol Borough and a few area police departments, were hit by a couple of ransomware attacks over the years, but they weren't "crippling attacks," he said.
"We caught it early at the workstation level," he said.
In 90% of ransomware cases, attacks come through a fraudulent email that appeared legitimate.
"Someone opens it, clicks on the attachment and that is how they start," he said.
But upon opening the attachment, Herr said, "Nothing immediately happens; it's a delayed reaction."
"They (the malware) usually lay dormant and start infecting at 9 at night or over the weekend. They are essentially time bombs."
Recent ransomware attacks have been far more destructive, "taking down entire networks."
A business client that was hit in 2019 was forced to rebuild the entire system from scratch.
"Every machine on the network was affected, taken offline and not just cleaned, but rebuilt from scratch," Herr said. "It was costly."
Severe cases have struck municipalities, in one case costing "tens of thousands of dollars," but he could not release client information without permission.
With attacks large or small, Bannon and Lertzman said victims face a difficult decision.
"Do they pay the ransomware to the bad guy and get their information back or bite the bullet and rebuild everything? That's up to the individual or individual businesses or organizations to decide," Bannon said. "Either way, it's a hard shot to call."
Ironically, Bannon said, the "bad guys" often do keep their word and unlock systems when the ransom is paid.
"We have heard that the bad guys tend to do what they say they are going to do if you pay them. But it's not for good intentions," he added. "They do this because they want to come back and do it again."
Lawson said the FBI recommends against paying the ransom. For many businesses, however, the cost of rebuilding and replacing equipment is not a practical solution, as the costs can escalate beyond the ransom demand.
The Wyoming Area School District in northeastern Pennsylvania paid a ransom of more than $38,000 to a hacker who used ransomware to lock the district's network in summer of 2019, but the district was responsible for $10,000 because it had insurance, according to a news report from The Citizens Voice.
One of Herr's clients also had cyber insurance, which covered the bulk of the costs to restore its network.
The financial loss from a ransomware attack on the city of Baltimore was estimated at more than $18 million. The city refused to pay the ransom of $76,000, according to news reports of the 2019 breach.
Herr said none of his clients chose to pay the ransom, he said.
And, paying the ransom doesn't eliminate the need to clean a network after it's been attacked.
"From a security perspective, you can't trust the equipment anymore. Though paying ransom may be appealing for larger organizations," he said. "You are dealing with thieves."
The best defense against ransomware is prevention, experts say. Yet that cybersecurity comes with a cost.
"Business owners get sticker shock when they see how much it costs to have protection properly set up," said Lertzman, adding that backup systems, not connected to the network, can help safeguard data.
"In the big picture, if a business spends $10,000 to set it up and $2,500 a year, it's better than the $50,000 ransom you'll face or the cost having to rebuild everything and lose what you have. You can't put a price on that."
©2020 Bucks County Courier Times, Levittown, Pa. Distributed by Tribune Content Agency, LLC.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.