theDocumentId => 746811 Ransomware Attacks Target Public & Government Orgs ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

10/22/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Ransomware Attacks Target Public & Government Orgs With More Frequency, Ferocity

For a while, ransomware attacks, and the actors behind them, targeted businesses and private enterprises. Now, since the start of 2018, it's increasingly a public affair.

Ransomware attacks are increasingly becoming a public affair.

During the height of ransomware attacks in 2017, especially as WannaCry and NotPetya rampaged, the majority of incidents targeted private businesses and enterprises. While some of these incidents became public, most companies did their best to keep these cyber attacks quiet. (See WannaCry: How the Notorious Worm Changed Ransomware.)

The notable exception was the UK's National Health Service (NHS), which was hit particularly hard, and the attack itself drew a good deal of public attention and scrutiny. It proved a black eye for the venerable British institution. (See WannaCry Was an Avoidable Mess for NHS.)

Now, more ransomware incidents are happening to more public institutions. In 2018, the cities of Atlanta and Baltimore each experienced cyber attacks, a fact many believe is related to a strain of malware called SamSam. (See SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains .)

In recent weeks, ransomware went public again, with attacks targeting two of the world's busiest ports. The first hit the Port of Barcelona, which affected servers and other computer systems that caused delays within in land operations, although ships continued to dock and unload cargo, according to local media reports.

(Source: iStock)
(Source: iStock)

The Port of San Diego was targeted in late September, and although the port authorities did not give out much in the way of specifics, it appears the cyber attack was some strain of ransomware.

"The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency's information technology systems," according to a September 26 statement.

Both incidents remain under investigation as the two ports continue to recover and rebuild their IT infrastructure.

Public versus private
Since both ports are public entities run by local governments, each had at least some obligation to report the incidents, unlike a private business, which could quietly pay the ransom or throw money at security services to fix the systems and get backup systems working.

Taken together, the attacks in Atlanta, Baltimore, San Diego and Barcelona show that attackers are using ransomware to disrupt highly visible targets, whether it's for monetary gain or to sow chaos for a time.

"Ransomware of course plagues everyone, consumer and business alike, but businesses and organizations in the public sector are particularly vulnerable, given that many of them literally cannot afford to be offline or out of service for any time at all," Rik Turner, an analyst with Ovum, wrote in an email to Security Now. "It's the 'we couldn't give you a blood transfusion because our systems were down' scenario."

Calculating costs
In its recent quarterly summary of cyber threats, McAfee Labs foundthat ransomware remains a serious problem, although the total number of new samples of the malware continues to drop from its peak in the fourth quarter of 2017. In the last ten months, cybercriminals have increasingly turned their attention to cryptomining and cryptojacking, which is much more lucrative and requires less upfront investment and fewer technical skills.

Still, cybercriminals can make money off ransomware. A study by Sophos found that the threat actors behind SamSam have collected about $6 million so far, and the malware continues to infect victims, which included the city of Atlanta.

Ransomware attacks also cost organizations as they rebuild. Atlanta shelled out over $2 million to recover from the attack and to hire consultants to help rebuild its infrastructure. All told, ransomware is expected to cost businesses and other organizations about $11.5 billion by 2019, according to a study conducted by Cybersecurity Ventures. (See Atlanta's Ransomware Attack Cost Around $2.6M Report.)

Also, Gartner recently estimated that the WannCry attacks of 2017 alone cost anywhere between $1.5 and $4 billion. (See Security Needs to Start Speaking the Language of Business.)

More than money
Not all ransomware attacks are designed to extract money from the victims. In many cases, especially with these more public incidents, the attackers could be looking for other vulnerabilities in the system, or use the ransomware to disguise an ongoing cyber espionage scheme or an Advanced Persistent Threat (APT).

"While the returns from targeting public organizations with ransomware is lower -- due to federal/local protocol that forbids payments of ransom or due to lack of resources -- attackers can cause a wider range of disruption by attacking these organizations," Abhishek Iyer, the technical marketing manager at Demisto, which provides security automation and orchestration and response tools, wrote in an email to Security Now.

"Halting operations at a port often has tangible and wide-reaching repercussions that affect multiple industries and countries; perhaps attackers hope this will force the victims' hand," Iyer added. "It should also be highlighted that attackers do not always have monetary gains in mind -- even in ransomware cases. If attackers are aiming for chaos rather than money, targeting public organizations is a potent way of reaching that goal."

Next page: Anticipating the next attack

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...
CVE-2021-25808
PUBLISHED: 2021-07-23
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.