Ransomware Research Reveals 2019 Trends, Potential 2020 Action Items
The cyber extortionists tied to the Maze ransomware wanted it known with certainty that, while they claimed responsibility for the recent cyber attack affecting the City of Pensacola, Florida, they had nothing to do with the mass shooting at the Naval Air Station (NAS) Pensacola (FL) in December.
In emails exchanged with BleepingComputer, the Maze ransomware kidnappers said they stole and encrypted the city’s data and demanded a $1 million ransom for a decryptor, but that they were not affiliated with, and knew nothing of, the NAS terrorism.
What does that have to do with Emsisoft? The security provider had initially planned to release its State of Ransomware in the US: Report and Statistics 2019 on January 1, 2020, but elected to move the schedule ahead following the Pensacola cyber attack by the Maze crew. “We have decided to release it immediately due to a recent incident in which a ransomware attack may have resulted in a municipal government’s data falling into the hands of cybercriminals,” Emsisoft wrote in a blog post.
So here we are now with an early release of the report. “We believe this development elevates the ransomware threat to crisis level and that governments must act immediately to improve their security and mitigate risks,” Emsisoft said. “If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked.”
Here’s some supporting data:
In 2019, the U.S. was hit by a record number of ransomware attacks that impacted at least 948 government agencies, educational institutions and healthcare facilities at a cost of more than $7.5 billion by a conservative estimate. The impacted organizations included:
- 103 federal, state and municipal governments and agencies.
- 759 healthcare providers.
- 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
Still, it could have been worse. “The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020,” said Fabian Wosar, Emsisoft’s chief technology officer.
How did we get here? A “near-perfect storm,” said Emsisoft, that combined organizations’ security vulnerabilities with more sophisticated methods of attack by bad actors, compounded by a lack of statewide audits and governments’ failing to implement basic best practices.
Can we stop it? “There is no single silver bullet,” Emsisoft said. “Multiple initiatives are necessary in order to make public entities more secure and less susceptible to ransomware attacks and other security incidents.”
Here’s the abridged list of what’s needed (in Emsisoft’s words):
- More guidance. A small municipality needs a similar level of security to a large city, but has fewer human and financial resources with which to achieve it. The smaller the organization, the bigger the challenge. Baseline security standards need to be established.
- Security debt and funding. Under-investment in IT has resulted in many organizations accruing a security debt, and security weaknesses are the result of that debt. Resolving the problem may simply require that organizations reallocate their existing budgets, or it may require that additional funding be provided either by federal or state government.
- Closing the intelligence gap. Information such as the ransomware strain used, the attack vector, the vulnerability exploited and the financial impact of incidents is critical as it can help other organizations better understand the threat landscape and better assess their security priorities.
- Better public-private sector cooperation. Establishing stronger channels of communication between the public and private sectors is important for coordinating anti-ransomware efforts.
- Legislative restrictions on ransom payments. Government should consider legislating to prevent public agencies paying ransoms when other recovery options are available to them.
- Vendors and service providers must do more. Vendors and service providers need to step up to the plate, innovate, collaborate and do more to protect both their customers and their customers’ customers.
- Cyber insurance. Organizations with cyber insurance may be more inclined to pay ransom demands, which results in ransomware being more profitable than it would otherwise be and incentivizes further attacks. Insurance should not be considered an alternative to properly funded and resourced security programs.
- Incidents are preventable. If government agencies were simply to adhere to industry-standard best practices…that alone would be sufficient to reduce the number of successful attacks, their severity and the disruption that they cause.
- Backups are not a panacea. Emphasis needs to be placed on prevention and detection…Organizations should assume their perimeters will be breached and monitor their environments for signs of compromise.
- Data exfiltration. This is an extremely concerning development, especially given the extreme sensitivity of the data that public sector agencies hold, and further demonstrates the need for emphasis to be placed on prevention and detection.
“Given that ransomware attacks against governments, healthcare providers and educational institutions have indeed been proven to work, these sectors are likely to continue to be heavily targeted in 2020,” Emsisoft said. “Payments are the fuel that drive ransomware. The only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid. Governments must act, and they must act now.”