Dark Reading is part of the Informa Tech Division of Informa PLC

10/22/2018
08:05 AM
Scott Ferguson
News Analysis-Security Now
Ransomware Attacks Target Public & Government Orgs With More Frequency, Ferocity

For a while, ransomware attacks and the actors behind them targeted businesses and private enterprises. Since the start of 2018, though, the attacks have increasingly hit public institutions.

Ransomware attacks are increasingly becoming a public affair.

During the height of ransomware attacks in 2017, especially as WannaCry and NotPetya rampaged, the majority of incidents targeted private businesses and enterprises. While some of these incidents became public, most companies did their best to keep these cyber attacks quiet. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The notable exception was the UK's National Health Service (NHS), which was hit particularly hard, and the attack itself drew a good deal of public attention and scrutiny. It proved a black eye for the venerable British institution. (See WannaCry Was an Avoidable Mess for NHS.)

Now, more ransomware incidents are hitting public institutions. In 2018, the cities of Atlanta and Baltimore each experienced cyber attacks that many attribute to a strain of malware called SamSam. (See SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains.)

In recent weeks, ransomware went public again, with attacks targeting two major ports. The first hit the Port of Barcelona, affecting servers and other computer systems and causing delays in land-side operations, although ships continued to dock and unload cargo, according to local media reports.

The Port of San Diego was targeted in late September, and although the port authority gave few specifics, the cyber attack appears to have involved some strain of ransomware.

"The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems," according to a September 26 statement.

Both incidents remain under investigation as the two ports continue to recover and rebuild their IT infrastructure.

Public versus private
Since both ports are public entities run by local governments, each had at least some obligation to report the incident. A private business, by contrast, could quietly pay the ransom, or spend on outside security services to repair the systems and restore from backups, without ever disclosing the attack.

Taken together, the attacks in Atlanta, Baltimore, San Diego and Barcelona show that attackers are using ransomware to disrupt highly visible targets, whether it's for monetary gain or to sow chaos for a time.

"Ransomware of course plagues everyone, consumer and business alike, but businesses and organizations in the public sector are particularly vulnerable, given that many of them literally cannot afford to be offline or out of service for any time at all," Rik Turner, an analyst with Ovum, wrote in an email to Security Now. "It's the 'we couldn't give you a blood transfusion because our systems were down' scenario."

Calculating costs
In its recent quarterly summary of cyber threats, McAfee Labs found that ransomware remains a serious problem, although the total number of new ransomware samples continues to drop from its peak in the fourth quarter of 2017. Over the last ten months, cybercriminals have increasingly turned their attention to cryptomining and cryptojacking, which are more lucrative and require less upfront investment and fewer technical skills.

Still, cybercriminals can make money off ransomware. A study by Sophos found that the threat actors behind SamSam have collected about $6 million so far, and the malware continues to infect victims, which have included the city of Atlanta.

Ransomware attacks also cost organizations as they rebuild. Atlanta shelled out over $2 million to recover from the attack and to hire consultants to help rebuild its infrastructure. All told, ransomware is expected to cost businesses and other organizations about $11.5 billion by 2019, according to a study conducted by Cybersecurity Ventures. (See Atlanta's Ransomware Attack Cost Around $2.6M Report.)

Also, Gartner recently estimated that the WannaCry attacks of 2017 alone cost anywhere between $1.5 billion and $4 billion. (See Security Needs to Start Speaking the Language of Business.)

More than money
Not all ransomware attacks are designed to extract money from the victims. In some cases, especially with these more public incidents, the attackers may be probing for other vulnerabilities in the system, or using the ransomware to disguise an ongoing cyber espionage scheme or an Advanced Persistent Threat (APT).

"While the returns from targeting public organizations with ransomware are lower -- due to federal/local protocol that forbids payments of ransom or due to lack of resources -- attackers can cause a wider range of disruption by attacking these organizations," Abhishek Iyer, the technical marketing manager at Demisto, which provides security automation and orchestration and response tools, wrote in an email to Security Now.

"Halting operations at a port often has tangible and wide-reaching repercussions that affect multiple industries and countries; perhaps attackers hope this will force the victims' hand," Iyer added. "It should also be highlighted that attackers do not always have monetary gains in mind -- even in ransomware cases. If attackers are aiming for chaos rather than money, targeting public organizations is a potent way of reaching that goal."

Next page: Anticipating the next attack