How Can Government Agencies Protect Themselves From Ransomware?

Imagine for a moment that you sit down at your desk, take a sip of your morning coffee, power up your computer, and then click on your document folder. Unexpectedly, a message pops up: Oops, your files have been encrypted. At first, you feel a twinge of confusion, as if a simple mistake has been made. Then a slow, searing panic sets in as you read the rest of the message: Send $300 in bitcoin to this address.

In 2017, one of the most infamous ransomware attacks, WannaCry, took over businesses, government agencies, and individual systems, knocking them offline and holding their files for ransom. Overnight, the virus seemed to spread across the globe. WannaCry was so effective that it made healthcare organizations in the United Kingdom come to a halt; patients had to cancel appointments, and medical staff was forced to restrict hospital visits.

But viruses like WannaCry are not new. In fact, they’ve been around for nearly 40 years, threatening the public and private sectors. However, Symantec notes that the first wave of modern ransomware attacks appeared in 2005.

Today, these kinds of threats are pervasive. According to the 2017 Internet Crime Report, nearly 2,000 IT complaints were identified as ransomware, equating to over $2.3 million in adjusted losses. With these attacks happening every day, it’s important to know who is at risk, how to prepare, and what your options are if an attack occurs.

Who is Targeted?

Cyber thieves choose their targets strategically. While high-profile business breaches often make headlines, government agencies also fall prey to malware. In 2016 alone, nearly 31,000 cyber incidents occurred, 16 of which met the threshold for a “major incident,” according to the Federal Information Security Modernization Act Annual Report to Congress.

These aren’t just small local agencies either. In 2016, the Department of the Navy reported a serious breach in which sensitive information, including the names and Social Security numbers of 134,386 sailors, was accessed by “unknown individuals.” In the same year, Recorded Future, a threat intelligence firm, discovered that the Election Assistance Commission had been hacked by a “Russian-speaking actor” referred to as “Rasputin.” Although the damage from this attack was minimal, Rasputin attempted to gain unauthorized access again in 2017.

But that was only the beginning of a nearly record-shattering year of cyber breaches. By the end of 2017, hacked government agencies included the:

  • Department of Defense

  • Department of Energy

  • Department of Homeland Security

  • Department of Labor

  • Department of State

  • Fannie Mae and Freddie Mac

  • Federal Deposit Insurance Corporation

  • National Institutes of Health

  • Securities and Exchange Commission

  • U.S. Armed Forces (ROK)

  • U.S. Army (INSCOM)

  • U.S. Postal Service

How Do Attacks Happen?

Ransomware attacks often start with a phishing email or through a vulnerability in outdated software. However, it’s also essential to consider threats from within the organization. Case in point: Verizon’s 2017 Data Breach Investigations Report found that 25% of breaches involved internal actors.

While insiders don’t always act with malicious intent (about 14% of cases were unintentional errors and privilege misuse), a staggering 60% of cases involved insiders absconding with data in hopes of converting it into cash (or cryptocurrency). For this reason, implementing a zero-trust policy is imperative. Such a policy means limiting user access to what each role needs, assessing the health of devices before they connect, and using a multi-layered verification process for every access request.

Of course, in conjunction with strict policies, it’s also critical that government agencies keep their systems updated. In a survey conducted for Reuters, security ratings firm BitSight found that two-thirds of the systems infiltrated by WannaCry were running Windows 7.

Specifically, WannaCry infected computers through a vulnerability in outdated Windows operating systems using an exploit called EternalBlue. Interestingly, EternalBlue was actually developed by the United States National Security Agency. However, the code was stolen and leaked by a group called The Shadow Brokers. Microsoft President Brad Smith later addressed the issue on Microsoft’s blog, condemning both the CIA and the NSA for “stockpiling” vulnerabilities.

What’s terrifying is that, according to StatCounter, Windows 7 still runs on roughly 39% of desktops worldwide. Also, the Government Accountability Office (GAO) found that some government agencies are still actively using technology that is up to 56 years old.

What Precautions Can You Take?

While it’s almost impossible to guarantee complete protection from ransomware, it is possible to reduce your risk of a ransomware attack. Layer up your defenses by:

  • Keeping antivirus software updated and running an active pop-up blocker

  • Using strong and unique passwords

  • Avoiding attachments or links that appear suspicious

  • Downloading software only from known and trusted websites

  • Backing up files and storing copies offline to limit potential losses

  • Educating employees on ransomware attacks
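The offline-backup item above is only useful if you can tell, before restoring, which copies are still intact. The script below is an added example, not part of the original article or any vendor tool: it records a SHA-256 manifest of a backup set (the manifest itself is what you would keep offline), then later compares the live files against it, and additionally flags changed files whose content has the near-uniform byte distribution typical of ciphertext. The directory layout, file names, and the 7.5 bits-per-byte entropy threshold are constructed assumptions for the demonstration.

```python
"""Backup manifest and drift check for ransomware recovery (added example)."""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain documents sit well below 6, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare live files to a trusted manifest and classify the differences.

    'suspicious' lists modified or new files whose bytes look encrypted; the
    threshold is an assumed value, not a standard constant.
    """
    report = {"modified": [], "missing": [], "new": [], "suspicious": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["new"] = [rel for rel in current if rel not in manifest]
    for rel in report["modified"] + report["new"]:
        data = (root / rel).read_bytes()
        # Very short files give unreliable entropy estimates, so skip them.
        if len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
            report["suspicious"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, then detect one file encrypted in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "budget.csv").write_text("year,amount\n2017,1200\n")
        (root / "notes.txt").write_text("Quarterly planning notes.\n")

        # Manifest from the last good backup; in practice this copy stays offline.
        saved = json.dumps(build_manifest(root))

        # Stand-in for what an infection leaves behind: one file replaced by
        # ciphertext-like bytes and a ransom note. bytes(range(256)) * 16 has
        # exactly 8 bits/byte of entropy, so the result is deterministic.
        (root / "docs" / "budget.csv").write_bytes(bytes(range(256)) * 16)
        (root / "README_RESTORE.txt").write_text("Oops, your files have been encrypted.\n")

        return verify_backup(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step as part of every backup job and store the JSON with the offline copy; at restore time, `verify_backup` tells you which files are safe to bring back, which ones need an older snapshot, and which new files (the ransom note here) should not be restored at all.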

Even when taking precautions, there is still a chance that attackers will penetrate your network. For this reason, agencies should have an incident action plan ready, as well as a backup and disaster recovery plan in place, should a ransomware attack occur.

To Pay or Not To Pay

It is essential to understand the risks associated with both options. There is no guarantee that if you pay the ransom, you will regain access to your data. In fact, the FBI advises against paying because it can encourage the attacker to come back and ask for more money.

Regardless of the FBI’s warning, IBM found that about 70% of ransomware victims are paying. Of the businesses that paid the ransom, about 20% paid as much as $40,000 for the return of their data.

Oftentimes agencies rush into paying the ransom as soon as possible to resume workflow. Hollywood Presbyterian Medical Center in Los Angeles paid their ransom of $9,000 because of the life-or-death risks a system lockout posed. However, when the hospital paid, the hackers came back for another $7,000.

In an NPR interview, Steve Giles said they didn’t know whether there would be a third request for money. “It was a worthwhile bet, and we took a chance because we felt that the decryption codes would be a quicker way to bring the system back up.” But here is the problem: by paying the ransom, victims give hackers positive reinforcement, and the amounts requested keep increasing.

Fight Back

The FBI responds to companies and government agencies anywhere in the world within 48 hours of a cyber-attack report. Their team, the Cyber Action Team (CAT), uses “cutting-edge tools” and a team of experts to identify a “hacker’s signature.” Within the cybersecurity landscape, these signatures are called TTPs—tools, techniques, and procedures.

If your agency has taken the proper precautions with regular system backups, there is a chance you will lose very little data. A prime example of this resilience is Big Forks School District in Montana. The district didn’t pay the ransom, even though the attacker asked for only about $3,000. Because their files had been backed up two weeks prior, their losses were limited. After restoring their systems, they used the opportunity to invest in their cybersecurity.

Layer Up Your Protection

Ransomware attacks can be a catastrophe for government agencies. However, with proper preparation and a stronger IT infrastructure, those in the public sector can better ensure their security. If you’re interested in learning more about how to protect your network from possible ransomware attacks, click here to contact us today or call (703) 687-9787.