How Ransomware Attacks Are Forcing Big Payments From Cities, Counties
Wielding malware called Ryuk, hackers make more targeted attacks
Somewhere, likely far from U.S. shores, cybercriminals are reaping handsome rewards by wielding malicious software called Ryuk to attack places as random as LaPorte County, Ind., and Lake City, Fla.
The two locales recently paid attackers about $132,000 and $462,000, respectively, mostly through insurers to unlock government data after Ryuk attacks. The hackers also forced a six-figure bounty from a Georgia county earlier this year and have waged many more assaults on public- and private-sector victims, from California to upstate New York.
Ransomware is a form of cybercrime that involves locking up files and demanding bitcoin payments for the electronic keys. Ryuk, which first appeared last year, is on the leading edge of more targeted ransomware hacks that are calibrated to force big payments from overwhelmed victims.
Ryuk “was particularly insidious in that it jumped over all our firewalls and was able to penetrate backup servers,” said Vidya Kora, president of the LaPorte County Commission, after the county of 110,000 got hit this month.
Ryuk has fast become the most common form of ransomware, accounting for about 24% of attacks in the second quarter of this year, up from 18% in the first quarter, according to a survey of clients by Connecticut-based cybersecurity firm Coveware.
Some cybersecurity firms believe the Ryuk perpetrators are a small group operating inside Russia or a country nearby. Their strategy includes attacking bigger networks—rather than individual personal computers—and extracting far heftier ransoms compared with other types of ransomware.
“They’re going after big game rather than trying to shoot a bunch of squirrels,” said Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike Inc. He said as recently as 2015, ransomware attackers often locked up single PCs and demanded payments of around $500.
The Federal Bureau of Investigation declined to specifically discuss Ryuk, but said there is a growing pattern of ransomware attackers going after larger enterprises rather than individual users. Last month, the U.K.’s National Cyber Security Centre said it was investigating Ryuk campaigns targeting organizations globally.
The FBI says most ransomware cases in the U.S. aren’t publicly reported and victimized companies are particularly eager to avoid the negative publicity.
Ryuk was built from the source code of an earlier type of ransomware called Hermes, which was available for purchase on Russian-language cybercrime forums, according to some cybersecurity firms.
While Ryuk doesn’t use especially complex code, hackers often deploy it through a multistep campaign designed to get deep into the systems of large organizations. An attack might start with targeted phishing emails aimed at installing software that can quietly harvest valuable information, such as credentials for the enterprise’s IT workers.
That first stage may be waged by another set of criminals, who then sell credentials to the Ryuk hackers, said Bill Siegel, Coveware’s chief executive. Then, after disabling antivirus shields, the hackers install the Ryuk ransomware. Victims may not know this is happening until their files are locked, except for a note explaining how to contact the hackers to negotiate the ransom.
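The campaign described above ends with files being locked and a note left behind, and the article notes that victims often see nothing until that point. As an added example that is not from the article, Coveware or any vendor, the following Python script runs a simple behavioural check over constructed endpoint file-event lines: it flags a process that modifies or renames many files across several directories within a short window, and separately flags creation of a text file whose name suggests a ransom note. The log format, process names, paths, thresholds and note-name patterns are all assumptions made for the illustration.

```python
"""Flag ransomware-like file activity in endpoint file-event logs.

Added example, not from the article. The log format, process names, paths,
thresholds and note-name patterns below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: burst window length
MIN_FILES = 5                    # assumption: files touched per window to alert
MIN_DIRS = 3                     # assumption: distinct directories per window to alert
# Assumption: substrings common in ransom-note file names; the article only
# says the notes are signed "Ryuk", not what the files are called.
NOTE_PATTERNS = ("readme", "decrypt", "how_to", "restore")

# Constructed sample events: "<ISO timestamp> <process> <action> <path>".
# A word processor saves two files; a second process renames files across
# three directories within seconds and then drops a note.
SAMPLE_EVENTS = r"""
2019-07-17T02:10:01 winword.exe WRITE C:\Users\alice\Documents\budget.docx
2019-07-17T02:10:30 winword.exe WRITE C:\Users\alice\Documents\~$budget.docx
2019-07-17T02:11:00 updsvc.exe RENAME C:\Users\alice\Documents\budget.docx.locked
2019-07-17T02:11:02 updsvc.exe RENAME C:\Users\alice\Documents\notes.txt.locked
2019-07-17T02:11:05 updsvc.exe RENAME C:\Users\alice\Pictures\img001.jpg.locked
2019-07-17T02:11:07 updsvc.exe RENAME C:\Users\alice\Pictures\img002.jpg.locked
2019-07-17T02:11:09 updsvc.exe RENAME C:\Shares\finance\ledger.xlsx.locked
2019-07-17T02:11:12 updsvc.exe RENAME C:\Shares\finance\payroll.xlsx.locked
2019-07-17T02:11:20 updsvc.exe CREATE C:\Shares\finance\README_TO_DECRYPT.txt
"""


def parse_event(line):
    """Split one log line into (timestamp, process, action, path)."""
    ts, proc, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, action, path


def parent_dir(path):
    """Directory part of a path, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[0]


def looks_like_note(path):
    """True for a .txt file whose name matches a note-like pattern."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.endswith(".txt") and any(p in name for p in NOTE_PATTERNS)


def detect(lines):
    """Return alerts as (process, reason, timestamp) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)   # per-process modification events in the window
    burst_flagged = set()         # alert once per process for the burst rule
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, proc, action, path = parse_event(line)
        if action == "CREATE" and looks_like_note(path):
            alerts.append((proc, "ransom-note-like file created", ts))
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        dirs = {parent_dir(p) for _, p in q}
        if len(q) >= MIN_FILES and len(dirs) >= MIN_DIRS and proc not in burst_flagged:
            burst_flagged.add(proc)
            reason = f"{len(q)} files in {len(dirs)} dirs within {WINDOW.seconds}s"
            alerts.append((proc, reason, ts))
    return alerts


def run_sample():
    """Run the detector over the constructed events."""
    return detect(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for proc, reason, ts in run_sample():
        print(f"{ts.isoformat()} {proc}: {reason}")
```

On the constructed events the word processor never trips the burst rule (two files in one directory), while the second process is flagged once it reaches five renames across three directories and again when it creates the note. The thresholds are deliberately simple; in a real deployment they would be tuned per host role, since backup agents and indexers also touch many files quickly, and the note-name check is only a weak secondary signal.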
The notes are often signed “Ryuk” with the warning that “no system is safe,” according to several reviewed by The Wall Street Journal.
While the hackers are pursuing business and government victims alike, government attacks are often more visible because they can disrupt public services, including knocking city workers’ phones and email offline.
The growing list of Ryuk victims includes Onondaga County Public Libraries and the nearby Syracuse, N.Y., public-school system, which local officials say were both hit this month. Imperial County, Calif., managed to fend off a $1.2 million Ryuk demand in April, thanks to secure backup data, while Jackson County, Ga., paid about $400,000 in bitcoin a month earlier to resolve a disabling Ryuk attack.
Ryuk hackers struck the 10-library Butler County Federated Library System in Pennsylvania on July 17, system administrator Cheryl Ferraro said. A week later, the libraries still lacked internet access and had to log checked-out books by hand. But they have declined to engage with the hackers, she said.
Ryuk hackers last week struck Collierville, Tenn., a town of about 50,000 outside Memphis. By Wednesday the town had recovered files from backup systems and rebuilt needed servers, town spokeswoman Jennifer Casey said. The town never followed the hackers’ instructions to see what the ransom demand was, she said.
The FBI advises against paying hackers, as does the U.S. Conference of Mayors, due to worries the payments fund a criminal enterprise and may not work. But security professionals say payments are often the only option when ransomware burrows into backup files, causing victims to lose irreplaceable data or, in the case of businesses, potentially lose customers if they can’t restore systems.
There are chances to stop the hacks in the early stages, and the FBI’s recommendations include more frequent security-patch updates and maintaining secure backup files.
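One component of keeping backup files secure is being able to tell, before a restore is needed, whether a backup set has been silently altered, which is the failure mode the article describes when ransomware "burrows into backup files". The following Python example is added here and is not taken from the article or from the FBI's guidance: it hashes every file in a backup directory into a manifest, authenticates the manifest with an HMAC under a key assumed to be held off the backup host, and later reports files that changed or went missing, or a manifest that no longer verifies. The directory contents, file names and key are constructed for the demonstration.

```python
"""Hash-manifest integrity check for a backup directory.

Added example, not from the article or the FBI's guidance. Directory contents,
file names and the HMAC key are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its digest."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_sha256(full)
    return entries


def sign_manifest(entries, key):
    """Authenticate the manifest so it cannot be rewritten without the key."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_backup(root, signed, key):
    """Check the manifest tag first, then compare on-disk files against it."""
    body = json.dumps(signed["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signed["tag"], expected):
        return {"manifest_tampered": True, "changed": [], "missing": []}
    current = build_manifest(root)
    changed = sorted(r for r, d in signed["entries"].items()
                     if r in current and current[r] != d)
    missing = sorted(r for r in signed["entries"] if r not in current)
    return {"manifest_tampered": False, "changed": changed, "missing": missing}


def write(path, data):
    """Create parent directories as needed and write bytes to path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Three checks: a clean backup, an altered backup, and a forged manifest."""
    key = b"demo-key-held-off-the-backup-host"  # assumption: stored offline
    with tempfile.TemporaryDirectory() as root:
        write(os.path.join(root, "payroll.db"), b"constructed payroll rows")
        write(os.path.join(root, "gis", "parcels.shp"), b"constructed shapes")
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, signed, key)

        # Simulate the backup set being encrypted in place and a file deleted.
        write(os.path.join(root, "payroll.db"), os.urandom(64))
        os.remove(os.path.join(root, "gis", "parcels.shp"))
        altered = verify_backup(root, signed, key)

        # Simulate rewriting the manifest to match the altered file without the key.
        forged_entries = dict(signed["entries"])
        forged_entries["payroll.db"] = file_sha256(os.path.join(root, "payroll.db"))
        forged = verify_backup(root, {"entries": forged_entries, "tag": signed["tag"]}, key)
    return clean, altered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "altered", "forged manifest"), demo()):
        print(label, result)
```

The check only helps if the signed manifest and the key live somewhere the backup host cannot write to; an intruder who has taken over that host, as the article's LaPorte County example describes, could otherwise regenerate both. It also verifies integrity, not recoverability, so periodic test restores from the verified set are still needed.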
The Atlanta hack was linked to ransomware called SamSam, which wasn’t used in fresh attacks at least temporarily after U.S. authorities indicted two Iranian nationals late last year, even though they remain at large, IT professionals said.
Ryuk victims are hoping for a similar outcome.
“I hope the FBI can identify ’em, shut ’em down, prosecute ’em or have the Air Force call in an airstrike,” LaPorte County commissioner Richard Mrozinski said during a meeting last week. “Whatever it takes.”
Ransomware attacks are threats for businesses. We should adopt cloud backup to stay away from them.