Earlier this week, the city of Riviera Beach, Florida, faced a $600,000 demand from ransomware operators in order to regain access to the city's data. The ransom was an order of magnitude larger than the ransom demanded by the attackers that struck Baltimore's city government in May. Against the advice of the Federal Bureau of Investigation, however, the Riviera Beach city council voted to pay the ransom—more than $300,000 of it covered by the city's insurance policy.
Baltimore had refused to pay $76,000 worth of Bitcoin despite facing an estimated ransomware cost of more than $18 million, of which $8 million was from lost or deferred revenue. Baltimore lacked cyber insurance to cover those costs.
Riviera Beach is much smaller than Baltimore—with an IT department of 10 people, according to the city's most recent budget, and an annual budget of $2.5 million to support a total city government of 550 employees. (Baltimore has about 50 IT staffers supporting more than 13,000 employees by comparison.) It's not a surprise that Riviera Beach's leadership decided to pay, given that a full incident response and recovery would have likely cost two to three times what they've agreed to pay the ransomware operators, and half of that price tag is covered by insurance. So, Riviera Beach's decision to pay looks like the easiest way out. It's a decision that has been made by many local governmental organizations and businesses alike over the past few years.
Except, it probably isn't an easy way forward. Riviera Beach will still face the costs of fixing the security issues exploited by a phishing email opened by a police department employee. There's no guarantee that data was not stolen from the network, as apparently happened in Baltimore. And the paying of the ransom indicates the city doesn't have an effective disaster recovery plan. Without major upgrades, Riviera Beach could soon end up in the crosshairs of another ransomware attack—especially now that they've shown they'll pay.
Both the Riviera Beach and Baltimore ransomware attacks, along with the half-dozen known recent ransomware attacks against local governments, are indicative of just how unprepared many governments (and businesses) are for ransomware. Over the past few years, ransomware has exploded: data from the FBI shows that another organization is hit by ransomware every 14 seconds, on average. And this trend shows no signs of slowing—in fact, a new trend of targeted ransomware, seeking even bigger payouts, is emerging, in which more sophisticated organizations go specifically after businesses and other organizations more likely to pay out.
The dismal science of ransomware
"Ransomware before was mostly opportunistic," said Flashpoint Director of Intelligence Christopher Elisan. "But what the threat actor groups realized is that when they affected hundreds of thousands of users, it was difficult to manage."
Traditionally, Tor-based ransomware "panels" have allowed attackers to communicate with victims and prove they had the keys to unlock files, offering "try before you buy" decryption of a few files as proof. Dealing with large numbers of victims for relatively small payouts wasn't scalable with this approach. "Imagine you're the threat actor group," explained Elisan, "and you open the panel and you have hundreds of thousands of people submitting samples and reaching out on chat. For 100,000 infections, 10% would pay $200 to $300 in Bitcoin. The time and effort to manage all those infections is massive, and the payout is not that big."
The operators of these more opportunistic ransomware attacks—frequently using ransomware-as-a-service tools sold on forums—often have to hire English speakers to do "customer support." Some small organizations have talked these attackers down to fractions of their initial demands as well, meaning ransomware groups often have to discount their offers. If all that wasn't hassle enough, sometimes these attackers are even providing technical support in decrypting files. "So they started moving to more targeted attacks," Elisan said.
Targeted attacks mean only having to manage a few "customers"—two or three organizations a week—with much bigger potential takes. Some targeted demands have aimed for payouts as large as $6 million. Targeted attacks often don't have a deadline associated with them, but the ransom demands are priced to make companies pay up, based on the reconnaissance by the attacker. A demand might be for a significant fraction of the revenue a victim might lose in a day, for example.
In most cases, these attacks have moved away from using a Web panel for communications with victims and instead opted for communication through email. This approach makes payouts easier by keeping things quieter—a victim organization is more likely to pay out if it can keep the whole thing quiet. "If you don't have a Web link, it's only the threat actors and the victim company that knows what's going on," Elisan explained.
The science of selling yourself out
If organizations had effective disaster recovery plans that have actually been tested and verified, with full and incremental backups ready to load, good patch management, and other security practices, then ransomware attacks would be mostly a containable annoyance. But that is a very big "if," it turns out.
Baltimore's mayor claimed the city had backups, but the city did not have a concrete disaster recovery (DR) plan. Baltimore's CIO—who came to the city after being a sales and marketing executive at Intel and has no eRead More – Source