In this final month, it’s time to declare 2019 the Year of Ransomware Escalation. The proliferation of attacks and the move by threat actors to target large companies and public institutions in the US and abroad marks a turning point in the evolution of this digital scourge. Throughout 2018 ransomware volumes had been on the decline. It turns out attackers were only refining their code, performing reconnaissance inside networks, and preparing for the biggest attacks of this malware class since the worldwide WannaCry outbreak of 2017.
Armor published several threat intelligence reports this year concerning ransomware and was quoted frequently in the press. The following are our picks for the biggest ransomware stories of the year.
Baltimore Hit with Ransomware, Hacker Taunts City on Twitter
Tweets, Budget Woes, Pay-not-Pay
On May 7 the city of Baltimore had a rude awakening in the form of a ransomware attack that infected city servers across multiple offices. It was the biggest attack on a city since Atlanta in 2018. Like Atlanta, Baltimore refused to pay the ransom, at the time worth about $72,000 in bitcoin. And like Atlanta, which paid over $7 million to fix its problem, Baltimore has estimated a whopping $18.2 million in network fixes and lost income.
During the initial days of the attack, Armor discovered a Twitter account that was used by the threat actor and reported on the hacker’s communication with city officials.
“These recent tweets, apparently from the alleged City of Baltimore hacker(s) or their representative, are telling,” said Eric Sifford, a team member on the Armor Threat Resistance Unit. “The initial tweet from this Twitter account on May 12 included what looked to be usernames, passwords, and other sensitive-looking, internal documents from the City of Baltimore. However, that tweet apparently failed to achieve the response the hacker(s) desired, as the newest tweets take things a step further.” The tweet on May 25 taunts and chastises the city’s Mayor for not paying the ransom. The tweet on May 28 offers to decrypt one of the city’s computers for free if the Mayor sends hostnames of 5 affected machines.
“It is clearly an effort by the hacker(s) to prove they can decrypt the city’s files,” continued Sifford. “This might be an opportunity for the Mayor and Baltimore’s incident responders to determine if the threat actors truly have the capabilities to unlock their data. As a cybersecurity expert, I generally recommend against paying a ransom; however, each case is unique in its totality, and I understand sometimes an organization’s leadership may decide their best option is to pay.”
The Twitter profile carried the name “Robbinhood,” the ransomware used in the attack and the same strain that had infected Greenville, NC in April. The tweets tagged Maryland state senators, six City of Baltimore council members, various news outlets, and other city leaders.
The Baltimore attack continued to make headlines throughout the year. Stories included the firing of the IT director who allegedly warned the city, budget committees poaching funds from parks and recreation to pay for the fix, and the discovery of $5.6 million in unused funds from 2007 that might have been used to reduce exposure. Baltimore’s plight is one every US city should pay attention to. It was just one of 85 cities and municipalities to publicly report being struck by ransomware this year.
The Baltimore ransomware attack showed municipalities that the cost of a breach—and of refusing demands—can be devastating to a city’s ability to conduct business and to the public’s trust in it. Unprocessed utility payments, dismissed court cases, and a stalled real estate market were just part of an estimated $8 million in lost revenue attributed to the attack.
But the cost to public confidence was immeasurable. Just a year earlier, in March 2018, Baltimore suffered a cyberattack on its emergency dispatch communications systems. Afterward, the city, which had seen four CIOs in five years, failed to approve the information security manager’s recommendation to buy cyber insurance. By July 2018, new city CIO Frank Johnson had presented a technology plan that gave little urgency to cybersecurity.
Shortly after the May 2019 attack, Baltimore Mayor Jack Young urged the nation’s mayors to sign onto a pact never to pay ransom, and they adopted it at the annual U.S. Conference of Mayors meeting in Honolulu, Hawaii, earlier this year. Together 226 mayors voted in solidarity to deny cybercriminals payment if it came to their towns. According to the attendee list, the Mayors of Riviera Beach and Lake City, Florida did not attend the conference.
Lake City and Riviera Beach, Florida Open the Ransom Floodgates
In Hollywood movies involving kidnappers, there are often oversimplifications and outright untruths. Schemes are always thwarted, victims are mostly returned, and criminals are taken into custody or eliminated to leave everyone with the morally comfortable, stand-your-ground posture that “we don’t make deals with terrorists.”
In reality we often do, and 2019 ransomware payments began to set a new precedent. Though not new, cyber insurance became more common and premiums began to grow. Publicly, ten high-profile victims in the US paid ransoms in 2019 totaling $2.3 million. That number may not seem substantial for an entire year, but consider that it covers only publicly reported payouts. Kaspersky estimates that millions of attacks go unreported, the FBI investigated 1,493 cases in 2018, and the evidence suggests that a large share of ransoms are quietly paid by victims.
Riviera Beach and Lake City, Florida were the first this year to report paying six-figure ransoms. Following attacks in May and June, these small municipalities felt they had little recourse but to pay. Riviera Beach paid about $600,000 to decrypt its email, communications systems, and city servers.
Lake City paid about $460,000 through its insurance carrier but, even then, did not receive working decryption keys for everything it needed, a reminder that criminals cannot be counted on to fulfill their end of the bargain. A ransom payment buys, at best, a key and a decryptor of unknown quality; it does not restore corrupted files, and it does nothing to remove the attacker’s foothold.
To put it in perspective, there are 19,429 municipalities in the US, with smaller cities operating on a council-manager form of governance, all sharing responsibility for the data of an estimated 329 million people, and usually on a limited or degraded budget.
Cyber insurance poses its own problems. The absence of reliable loss data for calculating premiums, lack of awareness among decision makers, misunderstandings about software vendor responsibilities, and invasive security evaluation procedures make policies hard to price. Meanwhile, businesses and consumers witness thousands of breaches exposing hundreds of millions of records every year. These new attacks, and insurers’ willingness to pay, could help raise awareness, just as they also increase the incentive for threat actors to continue. When attacks are attributed to North Korea or Russia, businesses should check how their policies’ “act of war” exclusions are worded, since insurers have invoked such clauses to deny claims for state-sponsored attacks.
The Texas 22 Reveals MSP Threat
On August 16 a cluster of Texas towns suffered the first multi-city ransomware attack. It also revealed managed service providers (MSPs) to be a new threat to business continuity: twenty-two local governments were hit through TSM Consulting, an MSP that served multiple Texas municipalities. At first the attack was described as “coordinated,” but it was soon revealed that the infection spread from the MSP’s remote-management access into its customers’ networks.
During the attack, however—and ever since—victims kept mostly silent about details of the infection. Based on OSINT gathered in the days after the attack was reported, Armor identified 9 Texas cities or law enforcement agencies that had become victims. One victim, the Graham County Police Department, revealed it had received a $5 million ransom demand, the largest demand up to that point and the second-highest of the year.
MSPs Infect Dentists, Veterinarians
But the Texas 22 incident wouldn’t be the last attack on a critical MSP. It was the beginning of an escalation. Whether the attacks were targets of opportunity or well-planned attempts to create pain severe enough to guarantee payment, more of them followed. By December 1st, 19 MSPs had fallen victim to file- and network-encrypting malware in a series of one-to-many attacks that has reached hundreds of their customers.
PerCSoft, which operates the Digital Dental Record, a cloud backup service serving over 700 dental practices across the US, was infected on August 26, cutting off patient records and billing at more than 400 dental offices. Another MSP serving the dental industry, PM Consultants, went out of business after ransomware spread through it to hundreds of dentists in Washington and Oregon. Finally, Complete Technology Solutions was attacked in November, the third MSP this year to impact dental offices. The provider of network security, data backup, and VoIP services saw an infection that impacted roughly 100 of its customers.
Other attacks through MSPs impacted accountants (iNSYNQ, a QuickBooks hosting provider), real estate agents (MetroList, serving 20,000 realtors), payment processors (Billtrust), and law firms (TrialWorks). SmarterASP.net, a web hosting provider for ASP.NET applications with over 400,000 customers, was also attacked in November.
“This uptick in successful ransomware attacks against MSPs and/or Cloud-Based Service Providers is a harsh reminder that organizations have to ensure that the third-party vendors they do business with are as equally protected against the current and emerging cyber threats, as they are,” said Chris Hinkley, Head of Armor’s Threat Resistance Unit (TRU) research team. “This is especially true, because as we have seen, a successful ransomware attack against a MSP/Cloud-Based Service Provider can be debilitating to their customers, as well as to their own company, as the attack can quickly shut down key systems which the customers depend on to run their organization.”
School’s Out on Ransomware
By the time many students returned to school this fall, ransomware was already teaching administrators a lesson. Schools in Arizona, Connecticut, and New York all delayed the first days of school due to ransomware. By December 1, a total of 75 US school districts had fallen victim to ransomware, impacting 1,041 individual schools and well over 10,000 students.
States of Emergency-Louisiana
In 2018 Colorado became the first state to declare a state of emergency over a ransomware attack. Louisiana declared one twice in 2019. Governor John Bel Edwards first made the declaration in July, when ransomware hit school systems in New Orleans and the parishes of Tangipahoa, Morehouse, Ouachita, and Sabine. He made the second declaration in November, when the same ransomware strain, Ryuk, infected the Department of Public Safety, the Office of Motor Vehicles, the Department of Children and Family Services, the Louisiana Secretary of State, the Louisiana Public Service Commission, Louisiana Wildlife and Fisheries, and the Department of Health. That attack kept some systems down for more than two weeks. Declaring a state of emergency lets a state call in state and federal resources, including FEMA, the FBI, Homeland Security, and the National Guard. New Orleans followed with a city-wide declaration of its own on Friday, December 13, after a ransomware attack on city systems.
Georgia on Their Mind
If Louisiana was a primary target, Georgia was a close second. This year ransomware attacks impacted Georgia’s Administrative Office of the Courts and Judicial Council as well as the Department of Public Safety, which includes the Georgia State Patrol, the Georgia Capitol Police, and the Motor Carrier Compliance Division. All told, 30 magistrate courts and 23 municipal courts were using systems affected by the court attack, and seventeen probate courts were also impacted. It seems the state learned little from the March 2018 SamSam attack on Atlanta, which demanded about $52,000 in bitcoin but cost the city an estimated $7 million to eventually fix.
Ransomware Killed the Radio Star
This year more than a dozen radio stations were knocked off the air in several states due to ransomware. Entercom, the second-largest radio group in the US, was attacked in September 2019, with recorded programming encrypted and internal communications seized. Radio station WWOW-A in Conneaut, Ohio was hit with ransomware on October 5, knocking the station off the air for over a week. Max Media, which owns a network of radio stations in the US, had six Illinois stations fall victim to ransomware in September. Bicoastal Media in Portland, Oregon had five stations taken down at once on October 21.
Déjà vu All Over Again
Some organizations were so unlucky (or unprepared) as to be hit multiple times. The Middletown School District in Connecticut was hit in 2018 and again this May. The Daviess County Public Library in Owensboro, Kentucky was attacked this April and then again in July. The Lincoln County Sheriff’s Office in Lincolnton, North Carolina fell victim in both July and August. And the City of Cornelia, Georgia suffered attacks 3 times in 11 months. Recovery from an attack must include a full forensic investigation: identify the initial access vector and close it, remove any persistence mechanisms and attacker tooling, and rotate every credential the attackers could have captured, or the criminals will simply come back in the same way.
Healthcare and the Unthinkable
Healthcare organizations were a rich target in 2019. One study by Vanderbilt University researchers even correlated an uptick in fatal heart attacks at hospitals in the months and years following a data breach. As of December, 45 healthcare organizations across the country had publicly reported ransomware attacks. The healthcare industry also holds the dubious honor of receiving the largest ransom demand of the year—$14 million—when Virtual Care Provider, Inc. of Milwaukee, Wisconsin was struck by Ryuk in November. The company, which provides IT and hosting services to about 110 nursing and acute-care facilities across the country, will not pay the ransom and fears it may go out of business.
Pets weren’t spared either: National Veterinary Associates of Agoura Hills, California was struck by Ryuk in November. The attack was reported to have impacted 400 veterinarian offices across the country.
The New Digital Kidnappers
As we enter a new decade, the problem of ransomware will likely only get worse thanks to the complexity, interconnectivity, and growing dependence on connected devices and SaaS applications. Ransomware victims will face new challenges rarely seen in the physical world, including paying in cryptocurrencies that many victims don’t possess or even understand. New insurance models and third-party digital hostage negotiators will emerge. Companies will continue to struggle with the moral and business decision of whether to pay. And threat actors will continue to operate from anywhere in the world, almost always escaping arrest or imprisonment.
Armor Security Tips for Combating Ransomware
Offline Data Backups – users must have multiple backups of their critical data, applications, and application platforms. These backups must be kept offline (air-gapped from the production network and the internet), protected with credentials separate from the domain accounts an attacker could steal, and restore-tested regularly; a backup that has never been restored is not a backup.
White Listing Solution – limits the applications and processes that are allowed to run in your environment to a short list of approved ones. Like a VIP list for your PC: if it’s not on the list, it’s not allowed.
File Integrity Monitoring—monitors your IT environment 24x7x365 for changes to critical OS files, directories, registry keys, and values. It also watches for changes to application files, rogue applications running on the host, and unusual process and port activity. A sudden burst of modified files, especially files whose contents suddenly look like random data or that acquire a new extension, is one of the earliest host-level signs that encryption is under way.
Practice Least Privilege Access Control–ensure each user has only the privileges their job requires. This also applies to service accounts and to the remote-management tools that MSPs use, since those are exactly the credentials the Texas 22 and dental-industry attackers abused.
Audit/Penetration Testing from Independent, Third-Party Experts—to verify that you are actually implementing best practices rather than assuming you are.
IP Reputation Monitoring/Blocking—blocking known bad infrastructure and actors.
Continuous Security Awareness Training– educate employees about current and emerging cybersecurity risks and phishing emails. Effective training should actively engage employees and include policies concerning the correct response to suspected phishing attempts.
Endpoint Protection Solution– includes protection, detection and response capabilities for laptops, workstations and mobile devices. Utilizes antivirus (AV) and antimalware (AM) to block cyberattacks. It is also used to quickly detect and remediate any malicious activity or infection that has made its way onto the endpoint.
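As an added example, not Armor’s code or any product of theirs, the following Python script shows the baseline-and-compare logic behind the File Integrity Monitoring tip, extended with two ransomware-specific heuristics from the same tip: a file whose byte entropy jumps from that of ordinary text to that of ciphertext, and a file that disappears while a copy with an extra extension appears. The directory tree, file contents, and “encrypted” bytes are all constructed inside the script (the ciphertext is a deterministic hash stream, not real encryption), and the entropy threshold and burst fraction are assumed tuning values, not settings from any vendor.

```python
"""Minimal file-integrity monitor with a mass-encryption heuristic (added example)."""
import hashlib
import math
import tempfile
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0. Text sits around 4-5; ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def snapshot(root: str) -> dict:
    """Hash every regular file under root, keyed by its path relative to root."""
    rootp = Path(root)
    snap = {}
    for p in sorted(rootp.rglob("*")):
        if p.is_file() and not p.is_symlink():
            data = p.read_bytes()
            snap[p.relative_to(rootp).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": shannon_entropy(data),
                "size": len(data),
            }
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classic FIM output: what appeared, what vanished, what changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def ransomware_indicators(baseline: dict, current: dict,
                          entropy_threshold: float = 7.5,   # assumed tuning value
                          burst_fraction: float = 0.25) -> dict:  # assumed tuning value
    """Flag a change set that looks like mass encryption rather than normal editing."""
    d = diff_snapshots(baseline, current)
    # Heuristic 1: a file that was low-entropy (text, documents) is now ciphertext-like.
    newly_encrypted = [p for p in d["modified"]
                       if baseline[p]["entropy"] < entropy_threshold <= current[p]["entropy"]]
    # Heuristic 2: "report.txt" is gone and "report.txt.locked" appeared (rename with new extension).
    renamed = [p for p in d["added"]
               if Path(p).suffix and Path(p).with_suffix("").as_posix() in d["removed"]]
    # Heuristic 3: a large share of the baseline touched in one interval.
    touched = len(d["modified"]) + len(d["removed"])
    burst = bool(baseline) and touched / len(baseline) >= burst_fraction
    return {
        "changes": d,
        "newly_encrypted": newly_encrypted,
        "renamed_with_new_extension": renamed,
        "likely_ransomware": bool(burst and (newly_encrypted or renamed)),
    }


def _fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def simulate_ransomware_event() -> dict:
    """Constructed scenario: baseline a small document tree, then 'encrypt' most of it."""
    with tempfile.TemporaryDirectory() as root:
        docs = {f"docs/report_{i}.txt": (f"Quarterly report {i}\n" * 200).encode() for i in range(8)}
        docs["config/app.ini"] = b"[db]\nhost=localhost\n"
        for rel, data in docs.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = snapshot(root)

        # Attacker overwrites six reports in place, renames one with a new extension,
        # and drops a ransom note. config/app.ini is left untouched.
        for i in range(6):
            Path(root, f"docs/report_{i}.txt").write_bytes(_fake_ciphertext(str(i).encode(), 4000))
        Path(root, "docs/report_6.txt").rename(Path(root, "docs/report_6.txt.locked"))
        Path(root, "docs/report_6.txt.locked").write_bytes(_fake_ciphertext(b"6", 4000))
        Path(root, "docs/README_DECRYPT.txt").write_bytes(b"Your files are encrypted. Pay to recover.\n")

        return ransomware_indicators(baseline, snapshot(root))


if __name__ == "__main__":
    result = simulate_ransomware_event()
    print("likely ransomware:", result["likely_ransomware"])
    print("newly encrypted:", result["newly_encrypted"])
    print("renamed:", result["renamed_with_new_extension"])
```

Hashing and entropy are computed per file, so the monitor only ever sees what happened since the last baseline; a real deployment runs it continuously (or hooks the filesystem) so the burst is caught after the first few files, not after the whole share is gone, and it stores the baseline somewhere the attacker cannot rewrite, for the same reason backups must be offline.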