Ransomware: What It Is, How to Prevent It, and How to Respond

In October 2020, the FBI and two federal agencies issued a joint warning of “an increased and imminent cybercrime threat” to hospitals and healthcare providers in the US.  The method of the attack was Ryuk – a particular strain of ransomware.  The program scrambles a target’s data and renders it unreadable until a ransom is paid.  The warning came a month after a ransomware attack on Universal Health Services and its 250 facilities.  As the world’s been grappling with the global coronavirus pandemic, the frequency of ransomware attacks has increased, impacting the quality of patient care and putting people’s lives in even more danger.

So, today, let’s discuss ransomware: what it is, how to minimize the risk of your organization’s data being held hostage, and what you should do in the event of a successful attack.

What a ransomware attack looks like

Ransomware is a type of malware, a malicious piece of software, designed to gain access to data and remove the data owner’s access to it.

Basic ransomware removes the owners’ and users’ access to data without modifying the data itself.  More advanced ransomware encrypts the data, rendering it unreadable.  Attackers then demand payment for the decryption key.  This is known as “cryptoviral extortion.”  Victims are threatened either with the destruction of their data or with its publication.

In 2019, the FBI’s Internet Crime Complaint Center received 2,047 complaints identified as ransomware, with adjusted losses of over $8.9 million.  These are just the official numbers based on voluntary complaints.  The truth is that many organizations and individuals that fall victim to ransomware do not report the attacks, fearing the negative impact that making such information public will have on their revenue, clients, and reputation.  Many hire private cybersecurity firms to investigate the attack or negotiate the payment, while others opt to make the payment to resolve the problem as quickly and quietly as possible.

Local governments – a frequent target

In 2020, 44% of global ransomware attacks targeted municipalities.  15% of the targeted municipalities paid the ransom, with an average payment of $1,652,660.  These numbers should sound the alarm for any local or state government agency that has not yet made cybersecurity a top priority.

Local and state governments are going through hard times.  The pandemic has put a massive strain on their already limited financial and human resources: state and local tax revenue declined 4.7% in 2020, with a further 7.5% decline projected for 2021.

Shelter-in-place orders have further increased the vulnerabilities of local governments, with many employees working remotely and often using insecure tools to transfer and communicate information.

Getting infected with ransomware

For a ransomware attack to succeed, the attacker needs to gain access to the system.  According to Statista, spam and phishing emails are the most common delivery methods of the attack, accounting for 67%.  36% of the respondents believe the attackers successfully make it into the system due to a lack of cybersecurity training.

Source: Statista, “Leading cause of ransomware infection,” https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/

  • Phishing attacks use email to trick a user into clicking on a link or opening an attachment.  Emails are disguised to appear to come from a credible source – a colleague, a vendor, etc.  Clicking on the link or opening the attachment then installs malware on the user’s device.  Back in March of 2020, just as the pandemic was attracting global attention, hackers started using fear of the pandemic to trick users into opening emails, clicking on links, or downloading attachments.  The message claimed to offer advice from the World Health Organization (WHO) in the form of a Word document.  Once users enabled macros, their devices were infected with the Trickbot malware.
  • Spear phishing is a more elaborate phishing attack.  It often targets a specific person or organization.  The emails are highly personalized, and the attack can unfold over weeks, if not months, slowly building up trust and gaining access to more and more information.  High-priority individuals are often targeted for spear phishing attacks.
  • Attackers often use baiting, another form of social engineering.  They dangle a “bait” in front of users to gain access to data.  These attacks can be both digital (in the form of emails, text messages, and popups) and physical (in the form of a mailed or “left behind” USB drive, for example).
  • Some ransomware is designed to exploit technical weaknesses in a piece of software.  Once attackers gain access to the software, they can push their malware through a round of “updates.”
  • Attackers can also exploit Remote Desktop Protocol (RDP) vulnerabilities.  RDP is a network protocol that allows a user to remotely control another user’s device.  Stolen RDP credentials can be easily purchased on the dark web.
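The RDP point above is where purchased or guessed credentials typically show up in logs: a burst of failed remote logons from one source, trying many different usernames, followed by a success.  The following is an added detection example written for this article, not code from the author or from any product named on the page.  It runs over a constructed, simplified log format (timestamp, event ID, user, source IP, logon type); the event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows Security log values, but the line layout and all IP addresses and usernames are invented for the sample.  The window and thresholds are assumptions to be tuned per environment.

```python
"""Flag RDP password-spray bursts and a success that follows one.

Added example for illustration; the log format below is constructed and
the thresholds (5-minute window, 5 failures, 3 distinct users) are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on Windows logon auditing.
SAMPLE_LOG = """\
2020-10-28T02:14:01Z 4625 user=jsmith src=203.0.113.7 logon_type=10
2020-10-28T02:14:03Z 4625 user=admin src=203.0.113.7 logon_type=10
2020-10-28T02:14:05Z 4625 user=mgarcia src=203.0.113.7 logon_type=10
2020-10-28T02:14:06Z 4625 user=finance src=203.0.113.7 logon_type=10
2020-10-28T02:14:08Z 4625 user=backup src=203.0.113.7 logon_type=10
2020-10-28T02:14:09Z 4624 user=backup src=203.0.113.7 logon_type=10
2020-10-28T02:20:00Z 4625 user=jsmith src=192.0.2.10 logon_type=10
2020-10-28T09:05:00Z 4624 user=jsmith src=192.0.2.10 logon_type=10
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    ts, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(event),
        "user": fields["user"],
        "src": fields["src"],
        "logon_type": int(fields["logon_type"]),
    }


def detect_rdp_spray(log_text, window=timedelta(minutes=5),
                     min_failures=5, min_users=3):
    """Return alerts for sources whose failed RDP logons within `window`
    reach `min_failures` across at least `min_users` distinct accounts,
    plus a second alert if the same source then logs on successfully."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> [(ts, user), ...] inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = e["src"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [(t, u) for t, u in failures[src] if e["ts"] - t <= window]
        if e["event"] == FAILED_LOGON:
            failures[src].append((e["ts"], e["user"]))
            recent = failures[src]
            users = sorted({u for _, u in recent})
            if (len(recent) >= min_failures and len(users) >= min_users
                    and src not in alerted):
                alerted.add(src)
                alerts.append({"kind": "password_spray", "src": src,
                               "users": users, "first": recent[0][0],
                               "last": e["ts"]})
        elif e["event"] == SUCCESS_LOGON and src in alerted and failures[src]:
            # A success right after a spray burst is the higher-priority signal:
            # one of the tried credentials probably worked.
            alerts.append({"kind": "success_after_spray", "src": src,
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_spray(SAMPLE_LOG):
        print(a)
```

On the sample, 203.0.113.7 produces a `password_spray` alert on its fifth failure and a `success_after_spray` alert for the `backup` account one second later, while the single failure from 192.0.2.10 followed by a success hours later stays below the threshold.  The same logic maps directly onto a SIEM correlation rule: group failed RDP logons by source over a short window, count distinct target accounts, and escalate on a subsequent success from that source.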

How to protect your organization from ransomware

A robust cybersecurity system is a combination of rigorous employee training, reliable monitoring and anti-malware solutions, and round-the-clock vigilance.

  1. Educate your employees on the dangers of social engineering as well as the ways in which their online behavior could lead to security breaches.
  2. Have a strong system and hierarchy of user access.  Be very cautious about who you grant administrative rights to, as those users have the highest level of access to your network.
  3. Install powerful anti-virus and anti-malware software and keep it up to date.  Such software is now often classified as “endpoint security,” an approach that secures the client devices that connect to your network remotely.  It is increasingly being absorbed into endpoint detection and response (EDR) solutions, which cover both functions and also detect host intrusions, provide personal firewalls, and more.
  4. Regularly audit your system for vulnerabilities.
  5. Encrypt your data.  Furthermore, develop and implement a data security policy.  Approached systematically, it will allow you to identify the types of data your organization stores, decide whether that data should be stored at all, define which staff members should have which level of access, determine which specific data requires encryption, and implement measures to wipe specific records in compliance with relevant regulations, such as GDPR.
  6. Consider moving data storage from your local systems to a securely configured cloud service.
  7. Regularly conduct sensitive data scans to ensure that PII is not being stored in a non-compliant manner.
  8. Use monitoring solutions to regularly check whether your organization’s credentials are spotted on any marketplaces.
  9. Deploy file integrity monitoring and change detection solutions, which will constantly monitor your files for any changes, helping you identify files that may have been corrupted or otherwise tampered with.
  10. Design a strong backup system.  Offline backups that are disconnected from your network are the safest way to maintain access to data and not risk having it accessed by attackers.  Depending on the size of your data, though, offline backup may not always be a feasible option.
  11. Set up security information and event management (SIEM) and security orchestration, automation and response (SOAR) systems, which will alert on verified threats and automatically trigger response actions.
  12. Make sure to have a security operations center (SOC) or MDR team in place that will respond swiftly and effectively to incoming threats.
  13. Purchase cyber insurance, which will cover your organization’s liability in the event of a data breach.
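Item 9 above (file integrity monitoring and change detection) is the control that most directly catches ransomware in the act, because bulk encryption looks nothing like normal editing: a large share of files changes at once, and files are typically replaced by same-named copies with a new extension.  The following is an added example written for this article, not code from the author or from any product the page mentions.  It builds a SHA-256 baseline of a directory, compares a later snapshot against it, and raises an alert on two constructed indicators; the `change_ratio` and `rename_min` thresholds, the `.locked` extension in the demo, and the demo directory contents are all assumptions.

```python
"""File integrity monitoring with a ransomware-style mass-change check.

Added example for illustration only.  Thresholds are assumed values and
the demo's files and ".locked" extension are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from collections import Counter


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def diff_snapshots(before, after):
    """Classify every path as modified, removed or added between snapshots."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    removed = sorted(p for p in before if p not in after)
    added = sorted(p for p in after if p not in before)
    return {"modified": modified, "removed": removed, "added": added}


def ransomware_indicators(before, after, change_ratio=0.5, rename_min=5):
    """Alert when the change pattern looks like bulk encryption:
    a large fraction of the baseline modified/removed in one interval, or
    many removed files reappearing under the same name plus a new suffix."""
    d = diff_snapshots(before, after)
    total = max(len(before), 1)
    churn = (len(d["modified"]) + len(d["removed"])) / total
    # Pair each removed file with an added file that extends its name
    # (e.g. report.docx -> report.docx.locked) and count the new suffixes.
    suffixes = Counter()
    for old in d["removed"]:
        for new in d["added"]:
            if new.startswith(old) and len(new) > len(old):
                suffixes[new[len(old):]] += 1
    top_suffix, top_count = (suffixes.most_common(1) or [(None, 0)])[0]
    reasons = []
    if churn >= change_ratio:
        reasons.append(f"{churn:.0%} of baseline files modified or removed")
    if top_count >= rename_min:
        reasons.append(f"{top_count} files renamed with new extension {top_suffix!r}")
    return {"alert": bool(reasons), "reasons": reasons, "diff": d}


def demo(files=20):
    """Build a temp tree, baseline it, then compare a benign edit and a
    constructed bulk rename-and-rewrite against that baseline."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    try:
        for i in range(files):
            with open(os.path.join(root, f"doc{i}.txt"), "w") as f:
                f.write(f"constructed document {i}\n")
        baseline = snapshot(root)
        # Benign activity: a single file edited.
        with open(os.path.join(root, "doc0.txt"), "a") as f:
            f.write("edited\n")
        benign = ransomware_indicators(baseline, snapshot(root))
        # Ransomware-like activity: every file replaced by random bytes
        # under a new extension (constructed, ".locked" is not a real IoC).
        for i in range(files):
            old = os.path.join(root, f"doc{i}.txt")
            with open(old + ".locked", "wb") as f:
                f.write(os.urandom(64))
            os.remove(old)
        malicious = ransomware_indicators(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return benign, malicious


if __name__ == "__main__":
    benign, malicious = demo()
    print("benign:", benign["alert"], benign["reasons"])
    print("malicious:", malicious["alert"], malicious["reasons"])
```

The benign run changes 1 of 20 files and raises nothing; the bulk run removes all 20 and adds 20 `.locked` files, so both indicators fire.  In production the baseline would be stored off-host (or in the offline backup set described in item 10) so that an attacker who can encrypt the files cannot also rewrite the reference hashes, and the comparison would run on a schedule or from a file-system event feed rather than on demand.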

How to respond to a ransomware attack

The FBI strongly discourages organizations from paying a ransom.  Government agencies’ cybersecurity reporting is guided by federal and state laws.  For example, Florida’s Cybersecurity and Data Breach Law requires certain disclosures to be made when data containing personal information has been breached or accessed without authorization.

While many local governments have chosen to pay the ransom in the past, this may soon no longer be an option, as the federal government is considering making such payments, or the facilitation of them, illegal.

To mitigate the extent of the damage caused by ransomware, isolate the impacted systems.  Disconnect your backup system from the network immediately.  Temporarily block users’ and employees’ access to the network.  If you don’t have the know-how to correctly and safely execute these procedures internally, contact a reliable cybersecurity firm, such as Gamma Defense.

Most importantly, do not panic.  Follow your breach protocol, and coordinate with the relevant authorities and cybersecurity agencies.