Are the ransomware floodgates open in the US?

The US state of Texas is currently fighting a wave of ransomware attacks, with at least 23 local government agencies impacted. 

The speight of attacks began last Friday (August 16), according to the state’s Department of Information Resources (DIR), in what is believed to have been a series of “coordinated” attacks. 

The DIR said, “State of Texas systems and networks” had not been affected, and that while investigations into the origin of the attack were ongoing, “response and recovery” were current priorities.

Speaking to Dark Reading, Malwarebytes’ Director of Security Research, Adam Kujawa, called the coordination of the attacks “alarming”. 

“It is unclear what made the simultaneous attack possible. The same type of vulnerable systems could have been present in each network, or a third-party service provider could have been compromised.

“More than likely, most of these networks were already compromised by some other threat and the ransomware aspect just hadn’t been downloaded and launched until last Friday,” Kujawa said. 

Cyberattacks in Texas follow a number of ransomware attacks in recent months targeting US states, across New York, Florida, and Maryland. Government computers were paralyzed as a result, with email accounts disabled and online payments to city departments prevented. 

Officials in Baltimore refused to pay the ransom demands— instead manually processing thousands of transactions and slowly restoring access— with the disruption and repair costing the city an estimated at US$18 million. 

Paying the ransom

The comparatively smaller financial cost of paying ransoms has been too much to resist for some cities. 

Council officials in Riviera Beach, Florida, voted to pay US$600,000 worth in Bitcoin to attackers in June, while in the same state, Lake City met a US$500,000 ransom demand. There have even been reports of cybersecurity firms tasked with recovering paralyzed systems and data choosing to pay attackers instead, sometimes without their client’s knowledge. 

Experts are warning, however, that those cities that do pay ransoms could be increasing their susceptibility to future attacks, either from the same or new attackers— while helping to promote the dark industry as one that can pay off as a whole. 

“Not only have ransomware attacks been growing, but the amounts they have been demanding has been getting higher, and there has been more specific targeting of victims,” Javvad Malik, security awareness advocate at KnowBe4, told TechHQ.

On Riviera Beach paying the demanded sum, Malik said: “this coordinated attack against Texas may be as a result of seeing how cities or city departments are potentially willing to pay a ransom.”

‘Profitable’ attacks

Speaking to TechHQ, CEO of security analytics firm Gurucul, Saryu Nayyar said that ransomware attacks are becoming more common because they’re “usually profitable”, despite being one of the most basic “cyberattack vectors” to defend against. 

“[Ransomware] can be thwarted by a couple of tactics that have long been in use– patches and backups,” said Nayyar. “Ransomware usually relies on human errors or known, unpatched vulnerabilities to succeed. 

“When it does succeed, and the victim doesn’t have backups, the attacker’s extortion tactics often work.”

Attacks on government departments are currently seeing high rates of success among attackers. Many of these organizations may be using unsophisticated IT operations reliant on legacy technology and processes, and lack of cybersecurity awareness among large employee networks.

“Many overburdened IT departments don’t have the time or the tools to get the cybersecurity basics right,” said Nayyar.

Government departments are also less prepared to spot anomalous emails, communicating daily with ‘one-time contacts’ from a variety of businesses and individuals. 

“Every organization should use two-factor authentication [2FA] to block brute force attacks, perform regular backups of valuable data, deploy patches and updates immediately to stop known threats and provide each critical system with a unique and frequently updated password,” Nayyar said. 

Earlier this year, Norwegian firm manufacturing firm Hydro was lauded for its refusal to pay ransomware attackers. 

The multinational firm’s 170 sites across 40 countries were taken offline, with repairs costing an estimated US$57 million as 35,000 staff were forced to switch to manual operations.

“I think in general it’s a very bad idea to pay,” Hydro’s Chief Information Officer, Joe De Vliegher, told the BBC. “It fuels an industry and it’s probably financing other sorts of crime. It goes against our company values and we have good foundations and good people.

“But I understand why, for some companies who are less secure, this can be the only option,” he added.

According to a report by Mimecast, last year more than half of all organizations (53 percent) polled encountered a ransomware attack that impacted operations, according to the firm’s State of E-mail Security 2019 report.