How Ransomware Attacks Are Forcing Big Payments From Cities, Counties

How Ransomware Attacks Are Forcing Big Payments From Cities, Counties

Wielding malware called Ryuk, hackers make more targeted attacks

 


By Jon Kamp and Scott Calvert Updated July 25, 2019 3:04 pm ET

Somewhere, likely far from U.S. shores, cybercriminals are reaping handsome rewards by wielding malicious software called Ryuk to attack places as random as LaPorte County, Ind., and Lake City, Fla.
The two locales recently paid attackers about $132,000 and $462,000, respectively, mostly through insurers to unlock government data after Ryuk attacks. The hackers also forced a six-figure bounty from a Georgia county earlier this year and have waged many more assaults on public- and private-sector victims, from California to upstate New York.
Ransomware is a form of cybercrime that involves locking up files and demanding bitcoin payments for the electronic keys. Ryuk, which first appeared last year, is on the leading edge of more targeted ransomware hacks that are calibrated to force big payments from overwhelmed victims.
Ryuk “was particularly insidious in that it jumped over all our firewalls and was able to penetrate backup servers,” said Vidya Kora, president of the LaPorte County Commission, after the county of 110,000 got hit this month.
Ryuk has fast become the most common form of ransomware, accounting for about 24% of attacks in the second quarter of this year, up from 18% in the first quarter, according to a survey of clients by Connecticut-based cybersecurity firm Coveware.
Some cybersecurity firms believe the Ryuk perpetrators are a small group operating inside Russia or a country nearby. Their strategy includes attacking bigger networks—rather than individual personal computers—and extracting far heftier ransoms compared with other types of ransomware.
“They’re going after big game rather than trying to shoot a bunch of squirrels,” said Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike Inc. He said as recently as 2015, ransomware attackers often locked up single PCs and demanded payments of around $500.
The Federal Bureau of Investigation declined to specifically discuss Ryuk, but said there is a growing pattern of ransomware attackers going after larger enterprises rather than individual users. Last month, the U.K.’s National Cyber Security Centre said it was investigating Ryuk campaigns targeting organizations globally.
The FBI says most ransomware cases in the U.S. aren’t publicly reported and victimized companies are particularly eager to avoid the negative publicity. 
Note: Attacks can come in many forms, but experts say this is common methodology for Ryuk hackers.
Sources: U.K. National Cyber Security Centre; Coveware
Ryuk was built from the source code of an earlier type of ransomware called Hermes, which was available for purchase on Russian-language cybercrime forums, according to some cybersecurity firms.
While Ryuk doesn’t use especially complex code, hackers often deploy it through a multistep campaign designed to get deep into the systems of large organizations. An attack might start with targeted phishing emails aimed at installing software that can quietly harvest valuable information, such as credentials for the enterprise’s IT workers.
That first stage may be waged by another set of criminals, who then sell credentials to the Ryuk hackers, said Bill Siegel, Coveware’s chief executive. Then, after disabling antivirus shields, the hackers install the Ryuk ransomware. Victims may not know this is happening until their files are locked, except for a note explaining how to contact the hackers to negotiate the ransom.
The notes are often signed “Ryuk” with the warning that “no system is safe,” according to several reviewed by The Wall Street Journal.

“Oftentimes these attackers may have even better information than the administrators about the layout of their network,” said Keith Jarvis, senior security researcher at SecureWorks Corp. , an Atlanta-based cybersecurity firm.

While the hackers are pursuing business and government victims alike, government attacks are often more visible because they can disrupt public services, including knocking city workers’ phones and email offline.
The growing list of Ryuk victims includes Onondaga County Public Libraries and the nearby Syracuse, N.Y., public-school system, which local officials say were both hit this month. Imperial County, Calif., managed to fend off a $1.2 million Ryuk demand in April, thanks to secure backup data, while Jackson County, Ga., paid about $400,000 in bitcoin a month earlier to resolve a disabling Ryuk attack.
Ryuk hackers struck the 10-library Butler County Federated Library System in Pennsylvania on July 17, system administrator Cheryl Ferraro said. A week later, the libraries still lacked internet access and had to log checked-out books by hand. But they have declined to engage with the hackers, she said.
Ryuk hackers last week struck Collierville, Tenn., a town of about 50,000 outside Memphis. By Wednesday the town had recovered files from backup systems and rebuilt needed servers, town spokeswoman Jennifer Casey said. The town never followed the hackers’ instructions to see what the ransom demand was, she said.
The FBI advises against paying hackers, as does the U.S. Conference of Mayors, due to worries the payments fund a criminal enterprise and may not work. But security professionals say payments are often the only option when ransomware burrows into backup files, causing victims to lose irreplaceable data or, in the case of businesses, potentially lose customers if they can’t restore systems.
There are chances to stop the hacks in the early stages, and the FBI’s recommendations include more frequent security-patch updates and maintaining secure backup files.
Atlanta and Baltimore have both suffered debilitating ransom attacks that cost millions of dollars for repairs and to strengthen defenses. In both cases, hackers wielded non-Ryuk types of ransomware and made five-figure demands the cities refused to pay.
The Atlanta hack was linked to ransomware called SamSam, which wasn’t used in fresh attacks at least temporarily after U.S. authorities indicted two Iranian nationals late last year, even though they remain at large, IT professionals said.
Ryuk victims are hoping for a similar outcome.
“I hope the FBI can identify ’em, shut ’em down, prosecute ’em or have the Air Force call in an airstrike,” LaPorte County commissioner Richard Mrozinski said during a meeting last week. “Whatever it takes.”
https://www.wsj.com/articles/how-ransomware-attacks-are-forcing-big-payments-from-cities-counties-11564078222

Comments

  1. StoneFlymenOctober 31, 2019 at 4:19 AM

    Ransomware attacks are Threats for businesses. We should adopt cloud Backup to Stay away from them.

    ReplyDelete

Post a Comment

Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that the patient is 3,000 kilometers away,”  he said.
Read more

Visualizing The Power Of The World's Supercomputers

Visualizing The Power Of The World's Supercomputers   BY TYLER DURDEN FRIDAY, JAN 21, 2022 - 04:15 AM   A supercomputer is a machine that is built to handle billions, if not trillions of calculations at once. Each supercomputer is actually made up of many individual computers (known as nodes) that work together in parallel. A common metric for measuring the performance of these machines is  flops , or  floating point operations per second . In this visualization,  Visual Capitalist's Marcus Lu uses  November 2021 data from  TOP500  to visualize the computing power of the world’s top five supercomputers. For added context, a number of modern consumer devices were included in the comparison. Ranking by Teraflops Because supercomputers can achieve over one quadrillion flops, and consumer devices are much less powerful, we’ve used  teraflops  as our comparison metric. 1 teraflop = 1,000,000,000,000 (1 trillion) flops. Supercomputer Fugaku  was completed in March 202
Read more

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke
Read more