October 31, 2019

Lessons Learned from Recent Ransomware Attacks

A Quick Recap on Recent Spates of Ransomware

If you’ve been keeping pace with the information security world, you’ve heard about the significant uptick in ransomware attacks, most notably the attack that hit the South African City of Johannesburg last week, on October 24. The attack has disabled municipal services, much as a July incident did at City Power, the city-owned electric utility, which was affected again this time (BankInfoSecurity). While details are still emerging, the incident has forced the municipal government’s primary website offline, immobilized several departments, and disabled payments and other transactions for many city agencies.

This is just one major example from this year. The springtime ransomware attack on Baltimore remains notorious. City employees were locked out of email accounts and other critical systems, while citizens were unable to access government services, such as paying water bills, parking tickets, and property taxes through Baltimore’s online portals. The attack took place on May 7, 2019, when attackers seized around 10,000 Baltimore government computers and demanded nearly $100,000 in bitcoin as ransom. The attackers allegedly used the RobbinHood malware to target Microsoft Windows software that is now outdated (Fortune).

As a result of the undeniable uptick in ransomware attacks, particularly against critical infrastructure, the FBI released a Public Service Announcement (PSA) in early October drawing attention to the rising occurrences across all sectors. The PSA defines ransomware and outlines attack techniques and cyber defense best practices (FBI).

The Two Main Types of Ransomware Attacks

Clearly, ransomware has grown at an unprecedented pace in recent years.

  • In the U.S., ransomware attacks targeting local municipalities, city governments, school districts, and healthcare organizations are on the rise (Emsisoft).
  • In 2019, a new organization will fall victim to ransomware every 14 seconds; by 2021 that interval is expected to shrink to 11 seconds (Cyber Security Ventures).
  • Ransomware attacks are growing more than 350% annually (Cisco).

It’s important to be aware of the main types of ransomware attacks in order to establish a strong position of defense. No combination of people, processes, and technology is foolproof, but it’s certainly possible to reduce risk with the right training and security measures.

1. Typical run-of-the-mill attack

The majority of ransomware attacks start with an end-user opening a malicious attachment or link in a phishing email, or visiting a compromised website.

In some cases, ransomware is built as a “time bomb”: rather than encrypting, wiping, or stealing data as soon as a computer or server is breached, it delays execution for weeks or months. This variation is harder to trace back to its point of entry, and backups taken during the dormant period may already carry the payload.

2. More sophisticated attackers have been targeting government entities and agencies using hacking tools and other components allegedly stolen from government sources.

The recent attack on Baltimore is widely cited as an example of this emerging paradigm; it is still having an impact today and reflects a significantly higher level of sophistication. Early reports tied the incident to EternalBlue, an exploit for the SMBv1 vulnerability that Microsoft patched in March 2017 (MS17-010). EternalBlue was leaked online in April 2017 by a group calling itself the Shadow Brokers and has since powered several destructive cyberattacks, including the WannaCry ransomware outbreak of May 2017. Baltimore officials and independent analysts later disputed the EternalBlue connection, a reminder that attribution of tooling during an active incident is often provisional.
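Whatever the Baltimore attackers actually used, the exposure EternalBlue relies on is easy to audit. The following PowerShell is an added example, not code from the original post or from DataBank: it reports whether a Windows host still has SMBv1 enabled, whether any of the original MS17-010 packages are installed, and whether TCP/445 is listening, and can optionally turn SMBv1 off. The -Remediate switch and the default KB list are this example’s own assumptions; the KB IDs are the per-OS package numbers from the MS17-010 bulletin, and later cumulative updates supersede them, so a miss on that check means “verify the update level”, not “vulnerable”.

```powershell
<#
  Added example, not part of the original DataBank post.
  Audits a Windows host for the SMBv1 exposure that EternalBlue (MS17-010)
  targets and, with -Remediate, turns SMBv1 off. Assumptions: Windows 8.1 /
  Server 2012 R2 or later (for Get-SmbServerConfiguration), an elevated
  PowerShell session, and the MS17-010 KB list below, which is taken from the
  Microsoft bulletin and should be verified for your OS build.
#>
[CmdletBinding()]
param(
    # Assumption: -Remediate is this script's own switch; without it the script only reports.
    [switch]$Remediate,

    # Assumption: per-OS MS17-010 package IDs. Later cumulative updates supersede
    # these, so a miss here means "verify", not "vulnerable".
    [string[]]$Ms17010Kb = @('KB4012212','KB4012215','KB4012213','KB4012216',
                             'KB4012214','KB4012217','KB4012598','KB4013429')
)

$report = [ordered]@{}

# 1. Server-side SMBv1 switch: this is what a remote EternalBlue exploit speaks to.
$srv = Get-SmbServerConfiguration
$report.Smb1ServerEnabled = [bool]$srv.EnableSMB1Protocol

# 2. Is the SMB1 optional feature (server and client) still installed?
#    The feature is absent on older servers, hence SilentlyContinue.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report.Smb1FeatureState = if ($feat) { $feat.State.ToString() } else { 'N/A' }

# 3. Are any of the original MS17-010 packages present under their own KB IDs?
$installed = Get-HotFix |
    Where-Object { $_.HotFixID -in $Ms17010Kb } |
    Select-Object -ExpandProperty HotFixID
$report.Ms17010KbFound = if ($installed) { $installed -join ',' }
                         else { 'none (verify cumulative update level)' }

# 4. Network exposure: is SMB listening, and are any firewall profiles off?
$report.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
$report.FirewallProfilesOff = (Get-NetFirewallProfile |
    Where-Object { -not $_.Enabled } |
    Select-Object -ExpandProperty Name) -join ','

if ($Remediate -and $report.Smb1ServerEnabled) {
    # Disabling the SMBv1 server removes the EternalBlue attack surface regardless of patch level.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report.Smb1ServerEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    $report.Remediated = $true
}
if ($Remediate -and $feat -and $feat.State -eq 'Enabled') {
    # Removing the optional feature also drops the SMBv1 client; a reboot may be required.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    $report.Smb1FeatureState = 'Disabled (pending reboot)'
}

[pscustomobject]$report
```

Run it without arguments first across a fleet (for example via Invoke-Command) to see how many hosts still answer on SMBv1, then re-run with -Remediate in a change window: disabling SMBv1 is safe on modern estates but will break legacy clients and some older NAS devices that only speak dialect NT LM 0.12.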

“There was a brief period when attackers were trying to be ‘upstanding’ about their ransomware demands by following through on giving targets the key to decrypt data as promised upon payment. Sadly, this follow-through served to further these operations, as targets were more apt to pay the ransom. Now, the attackers are just shredding assets for the sake of it. A targeted enterprise might give in to the ransom demand, yet still not receive the decryption key. It’s not a good situation. There’s no honor amongst thieves.”

-Tyler Treat, Security Architect, DataBank

What Really Reduces the Risk of Ransomware? How You Use Your Systems.

Fortunately, there are proven strategies to reduce the risk of ransomware attacks. Typically, in an enterprise or government environment, numerous IT professionals are handling servers and data; there are many cooks in the kitchen, so to speak. A multi-layered defense, separation of duties, and comprehensive end-user training are all key components of an effective security strategy that can mitigate the risks of ransomware attacks.

“The biggest risk I see in a corporate setting is your end-users including customers. Once a workstation is infected with ransomware, it’s only a matter of time before it spreads.”

-Mark Houpt, CISO, DataBank

If these are lacking within your organization, it may be worth considering data protection services where separation of duties and multi-layered defenses are built in. Here at DataBank, backups, network, infrastructure, and security are separate practice areas managed by dedicated engineers, covering the collective zones of potential vulnerability to prevent attacks on customer environments. Monitoring is ongoing at multiple points across the network infrastructure, platform, and application layers; if we detect potentially malicious activity, we open a ticket and phone the customer immediately.

Best Practices for Prevention and Remediation

Ransomware isn’t going anywhere anytime soon; it will only continue to increase in frequency and sophistication. The best you can do for your business is to maintain a strong defensive position and know what to do in the event of an attack. A few best practices for prevention and remediation are summarized in the infographic below.

[Infographic: DataBank Ransomware best practices for prevention and remediation]

Key Takeaways from Recent Attacks

Security hygiene is an incredibly important and effective defensive practice, so don’t overlook it. If your business or agency falls victim to a ransomware attack, there are two key takeaways you should always keep in mind:

1. Do not pay the ransom. There is no guarantee that you will receive a decryption key or recover your data.
2. Involve law enforcement when appropriate to get proper guidance on how to proceed.

Interested in learning more? Join DataBank’s Chief Information Security Officer, Mark Houpt, on December 5th for a webinar on Ransomware Defense – Understanding the threat and building intentional protection for your enterprise and data center. Register here and reserve your spot today!

If you are looking to increase your defenses against ransomware, give DataBank a call at 800.840.7533.