Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security // Ransomware

10/22/2018 08:05 AM
Scott Ferguson
News Analysis - Security Now

Ransomware Attacks Target Public & Government Orgs With More Frequency, Ferocity

For a while, ransomware attacks, and the actors behind them, targeted businesses and private enterprises. Now, since the start of 2018, it's increasingly a public affair.

Ransomware attacks are increasingly becoming a public affair.

During the height of ransomware attacks in 2017, especially as WannaCry and NotPetya rampaged, the majority of incidents targeted private businesses and enterprises. While some of these incidents became public, most companies did their best to keep these cyber attacks quiet. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The notable exception was the UK's National Health Service (NHS), which was hit particularly hard, and the attack itself drew a good deal of public attention and scrutiny. It proved a black eye for the venerable British institution. (See WannaCry Was an Avoidable Mess for NHS.)

Now, more ransomware incidents are happening to more public institutions. In 2018, the cities of Atlanta and Baltimore each experienced cyber attacks, which many believe are related to a strain of malware called SamSam. (See SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains.)

In recent weeks, ransomware went public again, with attacks targeting two of the world's busiest ports. The first hit the Port of Barcelona, affecting servers and other computer systems and causing delays in land operations, although ships continued to dock and unload cargo, according to local media reports.

The Port of San Diego was targeted in late September, and although the port authorities did not give out much in the way of specifics, it appears the cyber attack was some strain of ransomware.

"The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems," according to a September 26 statement.

Both incidents remain under investigation as the two ports continue to recover and rebuild their IT infrastructure.

Public versus private
Since both ports are public entities run by local governments, each had at least some obligation to report the incidents, unlike a private business, which could quietly pay the ransom or throw money at security services to fix the systems and get backup systems working.

Taken together, the attacks in Atlanta, Baltimore, San Diego and Barcelona show that attackers are using ransomware to disrupt highly visible targets, whether it's for monetary gain or to sow chaos for a time.

"Ransomware of course plagues everyone, consumer and business alike, but businesses and organizations in the public sector are particularly vulnerable, given that many of them literally cannot afford to be offline or out of service for any time at all," Rik Turner, an analyst with Ovum, wrote in an email to Security Now. "It's the 'we couldn't give you a blood transfusion because our systems were down' scenario."

Calculating costs
In its recent quarterly summary of cyber threats, McAfee Labs found that ransomware remains a serious problem, although the total number of new samples of the malware continues to drop from its peak in the fourth quarter of 2017. In the last ten months, cybercriminals have increasingly turned their attention to cryptomining and cryptojacking, which are much more lucrative and require less upfront investment and fewer technical skills.

Still, cybercriminals can make money off ransomware. A study by Sophos found that the threat actors behind SamSam have collected about $6 million so far, and the malware continues to infect victims, which included the city of Atlanta.

Ransomware attacks also cost organizations as they rebuild. Atlanta shelled out over $2 million to recover from the attack and to hire consultants to help rebuild its infrastructure. All told, ransomware is expected to cost businesses and other organizations about $11.5 billion by 2019, according to a study conducted by Cybersecurity Ventures. (See Atlanta's Ransomware Attack Cost Around $2.6M Report.)

Also, Gartner recently estimated that the WannaCry attacks of 2017 alone cost anywhere between $1.5 and $4 billion. (See Security Needs to Start Speaking the Language of Business.)

More than money
Not all ransomware attacks are designed to extract money from the victims. In many cases, especially with these more public incidents, the attackers could be looking for other vulnerabilities in the system, or using the ransomware to disguise an ongoing cyber espionage scheme or an Advanced Persistent Threat (APT).

"While the returns from targeting public organizations with ransomware are lower -- due to federal/local protocol that forbids payments of ransom or due to lack of resources -- attackers can cause a wider range of disruption by attacking these organizations," Abhishek Iyer, the technical marketing manager at Demisto, which provides security automation, orchestration and response tools, wrote in an email to Security Now.

"Halting operations at a port often has tangible and wide-reaching repercussions that affect multiple industries and countries; perhaps attackers hope this will force the victims' hand," Iyer added. "It should also be highlighted that attackers do not always have monetary gains in mind -- even in ransomware cases. If attackers are aiming for chaos rather than money, targeting public organizations is a potent way of reaching that goal."
