The $1.5 Million Email
Ransomware has been around since the late 1980s, but in recent years, it has emerged as one of the largest financial threats facing the public and private sector alike. According to the U.S. Department of Homeland Security, ransomware is the fastest-growing malware threat—and according to a report by Recorded Future in May, more than 170 state and local governments have been the victims of ransomware attacks since 2013.
In addition to improved ransomware capabilities, such as military-grade encryption algorithms, two key factors have emboldened cybercriminals to launch such attacks: the rise of hard-to-trace cryptocurrency such as Bitcoin, and the tendency of unprepared targets to continue meeting scammers’ demands, even as these demands become increasingly audacious.
One such target was the city of Riviera Beach, Fla., a waterfront suburb north of Palm Beach, which recently paid a near-record 65 Bitcoins to a gang of hackers after a ransomware attack brought the city to a halt.
On May 29, a city employee opened an email containing a piece of malware, which quickly infected nearly every city computer network. With the municipal computer system held hostage, all operations were hobbled—everything from the city’s website, email server and VoIP phones to the water utility pump stations. 911 dispatchers were forced to take down caller information on paper, employees and vendors had to be paid with paper checks, utility payments could only be accepted by snail mail or in person, and police officers had to resort to digging through closets at headquarters to find paper traffic citation pads.
City leaders were told they could make all of these problems go away—if they simply complied with the ransomers’ demand to remit 65 bitcoin (roughly $600,000) in exchange for the decryption key.
While the city had originally decided not to pay the ransom—opting instead to invest $914,000 into purchasing hundreds of new desktop and laptop computers and other hardware in an attempt to circumvent the issue—these measures ultimately failed. Three weeks after the original attack, based on the advice of an outside security consulting firm, the city council met to discuss next steps—and unanimously decided, after just two minutes of discussion, to acquiesce. The total cost, including the unbudgeted-for hardware, the consultation, and of course, the ransom itself, amounted to more than $1.5 million. For a city of just 35,000 residents, the cost was staggering, even after insurance paid its percentage.
While Riviera Beach was among the latest targets, it certainly won’t be the last, or the largest—according to a 2018 Deloitte-NASCIO survey, nearly half of states lack a separate cybersecurity budget, and a majority allocate under 3% of IT budgets to cyberthreat prevention.
But with ransomware attacks continuing to unleash a post-internet world on any unsuspecting target at any time, many targets are finding that, as much as they thought they lacked the resources to prevent such attacks, they’re even less prepared for the aftermath. Once infected, they’re left with two unsavory options: Pay the ransom, knowing that there’s no guarantee the hackers will decrypt the systems or that they’ll be decrypted perfectly. And even if they are, there are still the moral implications: When governments pay such ransoms, they’re not only putting taxpayer dollars directly into the hands of criminals, they’re also encouraging future ransomware attacks. The alternative, of course, is to try to rebuild…often from the ground up.
While cyberinsurance policies can give the illusion of protection, this solution will likely become less viable as the frequency of attacks continues to rise and the amount demanded continues to skyrocket. The goal, then, becomes for companies, government entities and individuals to prepare for and prevent these attacks before they’re targeted. While large-scale legislative solutions, such as outlawing the payment of ransomware demands, may eventually offer some relief, here are some steps that companies, individuals and government entities can take right now to prevent being victims:
- Learn: Resources such as NoMoreRansom.org—an initiative created by the National High Tech Crime Unit of Netherlands, Europol’s European Cybercrime Centre, and McAfee—aim to provide prevention education and help ransomware victims retrieve their encrypted data without having to pay criminals.
- Educate: When it comes to ransomware, knowing isn’t half the battle—it’s the entire battle. When millions of dollars hinge on your employees’ decision whether or not to open an email, organization-wide training on how to spot malicious emails and social engineering schemes may pay for itself many, many times over.
- Backup: There’s no reason to pay criminals to decrypt your data if you have access to a copy. Frequently back up essential data, ideally storing it both locally and on the cloud.
- Update: Always downloading the newest version of your operating system or apps helps you stay ahead of threats
- Defend: Sufficiently robust security solutions can protect you from known threats as well as those that have not yet been formally detected.