P&C the December 2019 issue

Ransomware…It Doesn’t Have to Be This Hard

Criminals are cashing in at the bank because companies are not allocating necessary resources to ensure their systems can be fully restored if operations are disrupted.
By Jody Westby Posted on November 21, 2019

The heist works unless the victim organization can pull backup files and restore its systems. Why does ransomware keep happening? Because companies are not funding and developing fully tested backup and recovery plans. It is that simple.

The Bad Guy Wins

Here is what usually happens with ransomware:

  1. Malware enters the system because someone opens a phishing email file or clicks on a malicious link; sometimes malware enters a system by exploiting vulnerabilities in out-of-support hardware/software.
  2. The malware encrypts all data in the system and may even encrypt backup data in instances where backup data is online (such as when companies are replicating data in real time from one location to another). Alternatively, some ransomware does not encrypt data, but it may compromise or corrupt it or make it otherwise unavailable to users.
  3. The criminals behind the attack make a ransom demand for payment, often in bitcoin, with the promise that a key to decrypt all of the files will be provided to the payer upon receipt of the ransom.
  4. The company pays the ransom and receives the key to decrypt its data.
    a. If the key works, the company is able to decrypt its data and restore systems. The company conducts a forensic investigation to detect the malware and eradicate it from its system.
    b. If the key does not work, the company scrambles to rebuild its files and systems, using old backups or paper files.
  5. If 4.a., the business goes on…until the next ransomware attack (and they do come back, as long as the company cannot restore its data and pays the ransom); if 4.b., the company may go out of business or incur large business interruption losses.

The Bad Guy Loses

When cyber-criminal activity no longer works or it becomes less profitable, criminals invent new cyber crimes. Here is what should happen with ransomware:

  1. Same as above.
  2. The company ignores the ransom demand and restores its systems and data. The company conducts a forensic investigation to ensure the ransomware malware does not remain in the system.
  3. Business goes on. The cyber criminal looks for a weaker target.

The Ugly Truth

The ugly truth behind the success of ransomware is that the criminals are winning and cashing in at the bank because companies are not allocating necessary resources to ensure their business data and systems can be fully restored if operations are disrupted. This is not a unique situation: systems need to be restored due to causes other than ransomware, such as floods, fires, theft of data, etc.

Government Bullseye

Cyber criminals behind ransomware attacks look for vulnerable targets. State and municipal government systems have been in the bullseye the past several years. According to a recent report by Recorded Future, ransomware attacked 53 state and municipal governments in 2018 and 24 state and municipal governments in the first four months of 2019.

One reason state and municipal governments are targeted may be the media coverage these attacks receive. The Recorded Future report notes that, “Although state and local governments do not pay ransoms nearly as frequently as other targets, they generate outsized media coverage because of the effect these attacks have on the functioning of essential infrastructure and processes.”

The May 2019 ransomware attack on Baltimore demonstrates a lack of understanding about how to respond to these attacks. A new form of ransomware, RobbinHood, attacked Baltimore’s city systems and encrypted all files except those related to essential services. The criminals demanded a ransom payment of 13 bitcoin (about $76,000). Baltimore refused. For two weeks, Baltimore residents were unable to pay parking tickets, water bills and property taxes, and critical business functions, such as real estate closings, were held up. Things got uglier from there. Ultimately, Baltimore’s refusal to pay the ransom cost the city’s taxpayers an estimated $18 million instead of $76,000.

The New York Times quoted Baltimore’s mayor Bernard Young as stating, “We’re not going to pay criminals for bad deeds. That’s not going to happen…there’s no guarantee that if you pay, you reset your system.” Presumably, he meant that, even with payment, there is no guarantee that a key will be provided that actually unlocks the data and enables the systems to be restored.

Baltimore’s response reveals a common misunderstanding about how to protect against ransomware attacks. If an organization has good, offsite backups and can restore its systems without making any payment, the criminals will go elsewhere because they aren’t getting paid. Developing robust backup and recovery plans—and executing them—is an expense many organizations keep putting off.  

The Baltimore attack reveals what happens when cyber-security programs are underfunded and necessary activities are not treated as essential to business operations. Sean Gallagher noted in Ars Technica that Baltimore spends about half of what other cities spend on IT and had terminated or pushed out four chief information officers before CIO Frank Johnson came on board in 2017.

Plus, this was not Baltimore’s first ransomware rodeo. It suffered a serious ransomware attack in 2018 that shut down capabilities in its 911 emergency response system. The city serves as a poster child for ransomware because it so simply highlights the high risk associated with not developing a fully tested backup and recovery plan (with offsite backups) and refusing to pay a ransom that will enable operations to continue.

It is clear, however, that ransomware is far from understood within state and local governments. Following the Baltimore attack and all of the surrounding publicity, the U.S. Conference of Mayors adopted a resolution opposing ransomware payments. The Wall Street Journal reported that Baltimore’s Mayor Young supported the resolution, exclaiming that, “Paying ransoms only gives incentive for more people to engage in this type of illegal behavior.” Actually, it is the reverse; organizations that are unable to restore their systems incentivize cyber criminals to come back and attack other organizations.

The mayors’ vote again reveals that municipal management does not understand how to deal with ransomware. It would have been far better—both for the municipalities and their taxpayers—if the mayors had voted to support a resolution to fund the development and testing of backup and recovery of their data and systems.

The Wall Street Journal reported that Baltimore is purchasing $20 million in cyber insurance and other cities were also looking to purchase it. Agents and brokers will serve all clients well, but especially their city officials and communities, if they advise them to perform a cyber risk assessment, close the gaps and deficiencies in their cyber-security program, and fund a fully tested backup and recovery plan. Insurance is part of a risk transfer plan. In the current threat environment, buying cyber insurance just makes sense, but it should not be in lieu of appropriate risk management and incident response measures.
