— including how to spot suspicious messages and attachments — and managing patches, configurations and workers’ identity credentials.
Although ransomware affects both the public and private sectors, the public sector is more vulnerable for several reasons, including the fact that its operations are often decen- tralized. Agencies in one city or state typically have their own chief infor- mation security officers, policies and IT systems.
“There are ways bad actors can target a particular sector of a gov- ernment, and if they are not as suc- cessful there, they can target a dif- ferent one,” Duvall said. “If they are successful there, they can piggyback on that one organization to another.”
Additionally, the public sector generally lacks the level of funding that the private sector devotes to IT and security. Often, government offi- cials must choose between buying, say, another fire engine or enhanc- ing cybersecurity. Duvall said they should do a cost/benefit analysis between protecting systems and providing services.
Given the decentralization and lack of protections, Vecci said attack- ers ask themselves: “Why go after the big bank that has every resource in the world to detect your attack, to prevent it from happening and to cor- rect it when it does? Go after the city of Baltimore, whose IT systems you know are probably five years behind everybody. They’re totally under- staffed, [and] the staff that they have [is] probably underpaid.”
Rising profitability and ease of distribution
The attack on Baltimore comes at a time when ransomware is gaining steam — 30 years after the first such attack took place. The uptick can be attributed in part to the fact that data is more valuable and plentiful.
“Many organizations 30 years ago
had about as much data as you have on your laptop right now,” Vecci said. “These days, they might have 1,000 times as much.”
Furthermore, attackers don’t need technical skills because they can use automated scanning and phish- ing platforms to launch widespread attacks. “If even 1 percent works, if it’s a large enough distribution, then you can get some pretty serious pay- out,” Duvall said.
That payout is why hackers turn to ransomware attacks in the first place. “They’re profitable,” Vecci said. “It’s as simple as that.”
And they seem to be getting more profitable. From the last quarter of 2018 to the first quarter of 2019, the average ransom increased by 89 per- cent to $12,762, according to Cove- ware’s latest Global Ransomware Marketplace Report.
Deciding whether to pay the ran- som requires a risk analysis. There are downsides to paying, Duvall said, including the fact that “you’re vali- dating the approach” and funding a nefarious group. Furthermore, even if the attackers provide the keys to decrypt the data they encrypted, that data might have been corrupted.
On the other hand, governments that refuse to pay the ransom often end up spending far more to regain access to their systems and data, as Baltimore is discovering.
The use of ransomware is not expected to slow down anytime soon. Recorded Future tallied 46 ran- somware attacks on state and local governments in all of 2016, while 21 attacks have been reported in just the first four months of 2019.
“It’s an easy form of crime, and you’re seeing an explosion both in terms of the availability of tools and the need to be less technically savvy,” Duvall said. “With the potential pay- outs and the ease of use, we think you’re only going to continue to see more of it.” n
July 2019 FCW.COM 37
based on blockchain that helps secure embedded devices. “We are able to lock down the operation of these control systems,” Falco said. “We do not allow them to
do anything beyond what they
are supposed to do. And if you
do something beyond what it is supposed to, it locks the system down.”
The ransomware threat to government agencies is growing, he added. “Attackers are realizing the destruction they are able to cause for these governments, and they are taking advantage of it,” he said. “Cyberattacks are inevitable, and even if agencies are prepared, they are going to experience losses. So dealing with attacks and learning from them is smarter than covering up the damage.”
It’s also important that organizations not “get bogged down in installing expensive technical solutions” when defensive social engineering tactics such as honeypots and other obfuscation techniques can reduce the scope and costs of cyberattacks, Falco said. “It helps to be interdisciplinary and mix and match methods for dealing with cybersecurity problems like ransomware.”
— Patrick Marshall