How Ransomware Attacks Are Forcing Big Payments From Cities, Counties

Wielding malware called Ryuk, hackers make more targeted attacks


By Jon Kamp and Scott Calvert Updated July 25, 2019 3:04 pm ET

Somewhere, likely far from U.S. shores, cybercriminals are reaping handsome rewards by wielding malicious software called Ryuk to attack places as random as LaPorte County, Ind., and Lake City, Fla.
The two locales recently paid attackers about $132,000 and $462,000, respectively, mostly through insurers to unlock government data after Ryuk attacks. The hackers also forced a six-figure bounty from a Georgia county earlier this year and have waged many more assaults on public- and private-sector victims, from California to upstate New York.
Ransomware is a form of cybercrime that involves locking up files and demanding bitcoin payments for the electronic keys. Ryuk, which first appeared last year, is on the leading edge of more targeted ransomware hacks that are calibrated to force big payments from overwhelmed victims.
Ryuk “was particularly insidious in that it jumped over all our firewalls and was able to penetrate backup servers,” said Vidya Kora, president of the LaPorte County Commission, after the county of 110,000 got hit this month.
Ryuk has fast become the most common form of ransomware, accounting for about 24% of attacks in the second quarter of this year, up from 18% in the first quarter, according to a survey of clients by Connecticut-based cybersecurity firm Coveware.
Some cybersecurity firms believe the Ryuk perpetrators are a small group operating inside Russia or a country nearby. Their strategy includes attacking bigger networks—rather than individual personal computers—and extracting far heftier ransoms compared with other types of ransomware.
“They’re going after big game rather than trying to shoot a bunch of squirrels,” said Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike Inc. He said as recently as 2015, ransomware attackers often locked up single PCs and demanded payments of around $500.
The Federal Bureau of Investigation declined to specifically discuss Ryuk, but said there is a growing pattern of ransomware attackers going after larger enterprises rather than individual users. Last month, the U.K.’s National Cyber Security Centre said it was investigating Ryuk campaigns targeting organizations globally.
The FBI says most ransomware cases in the U.S. aren’t publicly reported and victimized companies are particularly eager to avoid the negative publicity. 
Graphic (not reproduced here): common attack methodology used by Ryuk hackers. Note: Attacks can come in many forms, but experts say this is common methodology for Ryuk hackers. Sources: U.K. National Cyber Security Centre; Coveware.
Ryuk was built from the source code of an earlier type of ransomware called Hermes, which was available for purchase on Russian-language cybercrime forums, according to some cybersecurity firms.
While Ryuk doesn’t use especially complex code, hackers often deploy it through a multistep campaign designed to get deep into the systems of large organizations. An attack might start with targeted phishing emails aimed at installing software that can quietly harvest valuable information, such as credentials for the enterprise’s IT workers.
That first stage may be waged by another set of criminals, who then sell credentials to the Ryuk hackers, said Bill Siegel, Coveware’s chief executive. Then, after disabling antivirus shields, the hackers install the Ryuk ransomware. Victims may not know this is happening until their files are locked, except for a note explaining how to contact the hackers to negotiate the ransom.
The notes are often signed “Ryuk” with the warning that “no system is safe,” according to several reviewed by The Wall Street Journal.

“Oftentimes these attackers may have even better information than the administrators about the layout of their network,” said Keith Jarvis, senior security researcher at SecureWorks Corp., an Atlanta-based cybersecurity firm.

While the hackers are pursuing business and government victims alike, government attacks are often more visible because they can disrupt public services, including knocking city workers’ phones and email offline.
The growing list of Ryuk victims includes Onondaga County Public Libraries and the nearby Syracuse, N.Y., public-school system, which local officials say were both hit this month. Imperial County, Calif., managed to fend off a $1.2 million Ryuk demand in April, thanks to secure backup data, while Jackson County, Ga., paid about $400,000 in bitcoin a month earlier to resolve a disabling Ryuk attack.
Ryuk hackers struck the 10-library Butler County Federated Library System in Pennsylvania on July 17, system administrator Cheryl Ferraro said. A week later, the libraries still lacked internet access and had to log checked-out books by hand. But they have declined to engage with the hackers, she said.
Ryuk hackers last week struck Collierville, Tenn., a town of about 50,000 outside Memphis. By Wednesday the town had recovered files from backup systems and rebuilt needed servers, town spokeswoman Jennifer Casey said. The town never followed the hackers’ instructions to see what the ransom demand was, she said.
The FBI advises against paying hackers, as does the U.S. Conference of Mayors, due to worries the payments fund a criminal enterprise and may not work. But security professionals say payments are often the only option when ransomware burrows into backup files, causing victims to lose irreplaceable data or, in the case of businesses, potentially lose customers if they can’t restore systems.
There are chances to stop the hacks in the early stages, and the FBI’s recommendations include more frequent security-patch updates and maintaining secure backup files.
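The article's attack chain ends at the backup servers: LaPorte County said Ryuk "was able to penetrate backup servers," and the FBI's advice hinges on keeping backup copies that the intruder cannot reach. The following script is an added example (not code from the article, the FBI, or any firm quoted above) of one check a county IT team could run against an offline backup copy: record a manifest of file hashes and byte entropy while the set is known good, store that manifest off the network, and later compare the copy against it. A backed-up file whose hash changed and whose entropy jumped from text-like values to near 8 bits per byte has almost certainly been encrypted in place, which is exactly the failure the article describes. The directory names, file names and the note text used in the demo are constructed for illustration; the "no system is safe" phrase is the one the article reports seeing in Ryuk notes.

```python
"""Offline backup integrity check (illustrative example, not the article's or any vendor's code).

Assumptions: backups live in a directory tree, and a manifest produced by
build_manifest() while the set was known good is kept somewhere the backup
host cannot write to (removable media, a separate account, a WORM bucket).
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ciphertext and random data sit near 8.0 bits/byte; English text and CSV sit around 4-5.
ENCRYPTED_ENTROPY_THRESHOLD = 7.5
# Phrase the article says appears in Ryuk ransom notes; used only to flag new text files.
NOTE_MARKERS = ("no system is safe",)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(path: Path) -> dict:
    """SHA-256 of the whole file plus entropy of its first 64 KiB."""
    digest = hashlib.sha256()
    head = b""
    with path.open("rb") as fh:
        while chunk := fh.read(65536):
            if not head:
                head = chunk
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "entropy": round(shannon_entropy(head), 3)}


def build_manifest(backup_dir: str) -> dict:
    """Fingerprint every file under backup_dir. Run this while the set is known good."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: str, manifest: dict) -> dict:
    """Compare the backup tree against the manifest and bucket every deviation."""
    root = Path(backup_dir)
    findings = {"missing": [], "modified": [], "likely_encrypted": [],
                "unexpected": [], "ransom_notes": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        current = fingerprint(p)
        if rel not in manifest:
            # A file nobody backed up is suspicious on its own; a note-like one is a signal.
            findings["unexpected"].append(rel)
            text = p.read_bytes()[:4096].decode("utf-8", "ignore").lower()
            if any(marker in text for marker in NOTE_MARKERS):
                findings["ransom_notes"].append(rel)
            continue
        known = manifest[rel]
        if current["sha256"] != known["sha256"]:
            findings["modified"].append(rel)
            # Readable data before, near-random now: the file was overwritten with ciphertext.
            if current["entropy"] >= ENCRYPTED_ENTROPY_THRESHOLD > known["entropy"]:
                findings["likely_encrypted"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    findings["clean"] = not any(findings.values())
    return findings


def demo() -> dict:
    """Constructed scenario: a good manifest, then the backup copy after an intrusion."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    (root / "gis").mkdir()
    (root / "payroll.csv").write_text("id,name,amount\n" * 200)        # constructed plaintext
    (root / "gis" / "parcels.db").write_text("parcel,owner\n" * 200)   # constructed plaintext
    manifest = build_manifest(str(root))  # taken while the copy was known good

    (root / "payroll.csv").write_bytes(os.urandom(8192))   # encrypted in place (simulated)
    (root / "gis" / "parcels.db").unlink()                 # wiped
    (root / "README_NOTE.txt").write_text(                 # constructed note, name is made up
        "Your files are encrypted. No system is safe.")
    return verify_backup(str(root), manifest)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(f"{bucket}: {items}")
```

The entropy comparison is deliberately relative, not absolute: compressed or already-encrypted archives legitimately sit above the threshold, so a file is only flagged as "likely encrypted" when it used to be low-entropy and now is not. The check is worth nothing if the manifest itself sits on the backup server, since an intruder with the IT credentials described above can rewrite it along with the files.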
Atlanta and Baltimore have both suffered debilitating ransom attacks that cost millions of dollars for repairs and to strengthen defenses. In both cases, hackers wielded non-Ryuk types of ransomware and made five-figure demands the cities refused to pay.
The Atlanta hack was linked to ransomware called SamSam, which, IT professionals said, stopped appearing in fresh attacks, at least temporarily, after U.S. authorities indicted two Iranian nationals late last year, even though the two remain at large.
Ryuk victims are hoping for a similar outcome.
“I hope the FBI can identify ’em, shut ’em down, prosecute ’em or have the Air Force call in an airstrike,” LaPorte County commissioner Richard Mrozinski said during a meeting last week. “Whatever it takes.”


  1. Ransomware attacks are threats for businesses. We should adopt cloud backup to stay away from them.

