Ransomware is hardly a cutting-edge form of malicious software. It infects a victim’s computer or phone, then encodes the data with a key that the attacker shares only after a ransom has been extorted from the victim. It has been around for nearly 30 years. Yet it manages to plague major organizations across the globe, from Boeing to Atlanta.
Ransomware remains a lucrative business for hacker extortionists, who typically target organizations such as hospitals or utilities they believe would have no choice other than to pay the ransom. Cybersecurity Ventures estimates that ransomware attacks cost organizations $5 billion in 2017—damages experts say are almost completely avoidable.
Ransomware attacks, of course, vary in severity. Baltimore’s 911 emergency call system was taken down for fewer than 24 hours. A “limited” number of systems at a Boeing production facility were infected. And when San Francisco’s public bus system was infected with ransomware for two days in 2016, system backups and limited access of its computers to other parts of the city’s network prevented the ransomware from spreading.
READ MORE ON RANSOMWARE
That robot, like your laptop, could get hacked with ransomware
How to avoid ransomware—or remove it
Ransomware is ‘blood in the water’ for hacker extortionists
Critical systems at heart of WannaCry’s impact
NotPetya’s lesson for infrastructure
Why ransomware increasingly targets the little guys
But Atlanta’s government systems have been in dire straits since March 22. City employees told Reuters last weekend that the ransomware attack still affects vast swathes of city data, including police files and financial documents. Residents are unable to pay water bills, and the municipal court system remains shuttered.
The Atlanta hackers, who infected city computers and networks with a variant of the SamSam ransomware, have demanded $51,000 worth of bitcoin in exchange for unlocking the files. In lieu of paying the ransom, city employees have resorted to using personal laptops and phones, as well as paper records, in attempts to continue working. Atlanta-based SecureWorks has identified, but not yet publicly released, the names of the hackers.
Atlanta officials declined to comment for this story.
The Atlanta attack came on the heels of a scathing analysis of the city’s computer infrastructure, published in January, determining that the city wasn’t dedicating enough resources to solving its IT problems. Atlanta’s government systems, it turns out, were compromised a year ago, and despite statements from city officials that they take cybersecurity seriously, experts are concluding that the municipal government isn’t doing enough to protect its computer systems, says Georgia-based Robert Graham, CEO of Errata Security.
“Criminal organizations using ransomware are only going after targets that lack in the basics” of security hygiene, Graham says. “Being hit by ransomware is evidence of lacking in the basics.”
The basics, he says, include regularly backing up databases, applying security software patches as they’re released, not leaving computer systems on for months at a time without maintenance, restricting end users’ rights to access network services and to install software on their computer workstations, and retaining system logs. It also includes having plans for dealing with a successful attack—to prevent it from crippling complex organizations like a major American municipality.
Without investing in technology and personnel to implement these preventative measures, experts say, ransomware will continue to wreak havoc across computer systems and networks.
Security company Malwarebytes said in a January report that ransomware against consumers and businesses is up more than 90 percent over 2016, with the monthly rate of attack in 2017 at 10 times the rate of attack in 2016. September 2017 had “the largest volume of ransomware attacks against businesses ever documented.”
These attacks coincide with a massive and growing employment gap in cybersecurity. In addition to 1.8 million cybersecurity desks left unfilled by 2022, more than 80 percent of respondents to a 2016 McAfee survey said IT hires lack the necessary cybersecurity skills needed. And an annual report from the Enterprise Strategy Group on cybersecurity skills finds that for the first time more than 50 percent of respondents have claimed a “problematic shortage” of cybersecurity skills, the fifth year in a row that number has increased.
“Being hit by ransomware is evidence of lacking in the basics.”—Robert Graham, CEO, Errata Security
One security expert, who requested anonymity because he works as a computer and network threat hunter for the IT department of one of the 10 largest cities in the United States, says a combination of poor security hygiene and lack of security investment by organizational leaders are the biggest contributing factors in the rise in ransomware attacks.
Organizations “don’t realize how much risk they are assuming by not taking a proper stance on security. Unfortunately, that doesn’t typically happen until they’ve had an incident,” says the expert, who has more than a decade of experience responding to ransomware attacks.
Maintaining good security hygiene is like driving a race car, he adds. “They’re not trying to get to first place; they’re just trying to improve their lap time. But that takes a lot of practice.”
Another problem, he says, is that executives from municipalities and businesses don’t take threats seriously until their computers have been struck by ransomware. “People who run systems need to push back on upper management, and upper management need to stop brushing off these issues.”
Organizations need to understand and accept that the cost of preventing these attacks is lower than the cost of succumbing to ransom demands or technological work-arounds, as Atlanta is attempting, says Tom Cross, an Atlanta-based security expert.
“The challenge is not technical; it’s organizational and political and economic,” says Cross, the Atlanta-based chief technology officer of Opaq Networks, a startup that makes a software product to help secure computer networks and is marketed as ransomware prevention tool. “It’s easy for people to rationalize that they don’t need to incur that cost because everything’s fine right now.”
Graham sounds a frustrated tone when discussing ransomware that he feels is eminently preventable—one of people and processes, not technology. “For ransomware, you don’t have to be that adept at cybersecurity; you just have to outrun the other guy. The bear’s looking for an easy meal here.”