Ransomware is skyrocketing – but we really shouldn’t be surprised. In fact, many in the cybersecurity community saw it coming.
To set the tone for what I’m talking about, here are just a few of the recent headlines pertaining to ransomware:
- https://www.cnbc.com/2019/08/19/alarm-in-texas-as-23-towns-hit-by-coordinated-ransomware-attack.html
- https://arstechnica.com/information-technology/2019/08/ransomware-wiper-malware-attacks-have-more-than-doubled-ibm-team-says/
- https://venturebeat.com/2019/08/07/vectra-ransomware-attacks-are-spreading-to-cloud-data-center-and-enterprise-infrastructure/
- https://www.govtech.com/security/Why-School-Systems-The-Rise-of-Ransomware-in-Public-Schools.html
- https://www.nytimes.com/2019/08/14/opinion/ransomware.html
I had to go to page 4 of the Google search to get to news from two weeks ago (August 7th). The following quote from the NY Times article is very telling:
But every time a victim pays hundreds of thousands of dollars to a cybercriminal, the payment reinforces the criminals’ faith in their business model. For this reason, it’s essential that victims stop paying these ransoms: Making ransomware unprofitable is effectively the only way, short of coordinated global regulation of cryptocurrencies, to stop these criminals.
A few years ago, ransomware attacks were focused on hospitals, and with “successful” results for the malware artists. But hitting municipalities appears to be much more effective than hitting hospitals, because it gets the same (or larger) payoffs, and puts pressure on local politicians, while affecting many, many more machines at once, and affecting more people than a hospital would. And as bad as hospital infrastructure can be, it appears that government infrastructure is even more poorly maintained.
As noted in the NY Times articles, and also those articles discussing the recent coordinated Texas attacks, municipalities in four US states paid the ransoms that were demanded of them in order to get back up “quickly”. Baltimore, notably, did not pay, but has paid out far more money than the four victim municipalities combined. In many ways, Baltimore appears to have made a stronger case in favor of paying ransomware, given that they are still piecing things back together months after the May 7 attack.
But all these payments are fueling an increased focus by the bad actors against the various government agencies, because it is clear that they are sitting ducks that lack the resources (people, technology and processes) to avoid being victims.
And until this changes, we can expect more attacks, and probably more payments, leading to even more attacks.
Finally, in 9, 12 or maybe 18 months, these local, city, state and federal agencies might realize that the full cost of managing the technology life cycle – including staffing, technology refreshes, configuration management, and overall security hygiene – is far less expensive that the alternative of losing access to all services for citizens, and having to recover under duress, and at a loss of millions of dollars. If the risk gets worse, we can expect that the costs to insure will also get worse, and the ransom demands will also go up.
And wait until some city or state government forks over $500,000 or $1,000,00 in ransom, only to find out that the data had been wiped, not encrypted, and they still have to pay out more to fix the issue for real.
Perhaps the realization will take 24-36 months – government is not exactly known for speed or responsiveness in these matters, unfortunately…
FACT: If governments continue to pay, the attacks will continue to come.
FACT: More importantly, if governments continue to allow their technology infrastructure to be improperly managed and under-resourced, the attacks will continue to come.
How long will we continue to ignore basic security practices? Your guess is as good as mine, but the slower we are, the more painful this situation is going to be.
There is currently no end in sight…