Ransomware Attacks Are a Large and Growing Threat — This Is How They Happen

As cities, businesses and organizations across the country continue to struggle with ransomware attacks, the true scope of the threat is unknown.

Ransomware is a family of malware that blocks access to a PC, server or mobile device, or encrypts all the data stored on that machine. It’s typically delivered via malicious email or infected third-party websites. To regain access or control of the data, the user must pay a ransom — more often than not via bitcoin.

In 2019, a ransomware attack wiped out 750 government computers across Texas in less than 90 minutes. When system attacks spread to municipal water systems, Governor Greg Abbott issued a disaster declaration, activating the State Operations Center – typically used during hurricane response and recovery.

A good place to start is the FBI’s Internet Crime Complaint Center (IC3), which collects voluntary reports from ransomware victims. The IC3’s 2020 Internet Crime Report shows a steady increase since 2018.

But it’s far from a complete picture: the FBI warns that these numbers are voluntarily reported and represent a low estimate of the real cost to ransomware victims.

Cybersecurity Ventures projects the cost of ransomware attacks in 2021 will reach $20 billion globally.

“These attacks are starting to have real-life implications for individuals and communities,” says FBI Supervisory Special Agent Brett Leatherman. “Targeting hospitals, targeting government agencies elicits that emotional response – and the adversary hopes to elicit quick payments.”

“When law enforcement agencies are hit, and investigative files are encrypted – it can represent the violation of somebody’s right to a speedy trial, or due process,” says Leatherman. “In some cases, it strikes at the heart of our democracy.”

When the ransomware attack struck Texas in 2019, the Department of Homeland Security, the FBI, and several state agencies responded – all led by the Texas Department of Information Resources and Nancy Rainosek, the state’s Chief Information Security Officer [CISO].

Rainosek says forensic teams traced the attack to a managed service provider, a three-man shop serving hundreds of local governments in Texas. “They got in through them,” she says. “They had a remote management software, they were able to get into their systems and then move through that remote management software to machines at the local governments.”

“They asked for $2.5 million,” she recalls.

“We didn’t pay. The recovery effort on the part of the state cost less than 10% of that amount, so I think it was a good move to not pay,” says Rainosek. All municipal systems were recovered and operational after eight days. Additionally, state and federal intelligence agencies now had a clear picture of the attack method.

“They tested it two weeks before in one small town and determined it worked,” says Rainosek. “They had a script built to drop this in memory so it never hit the hard drive – so your standard antivirus would never catch it.”

The FBI’s cyber team typically sees two different kinds of attacks. Leatherman calls the first the "accidental insider," where someone unintentionally allows access to their network, typically by clicking a malicious link, disguised to look legitimate, in an email. The other is "exploitation of a vulnerability," a weakness in authentication or at the network perimeter.

“What we recommend is that organizations right now take preventive steps to protect themselves,” says Leatherman. “That means employing robust authentication like multi-factor authentication. It involves ensuring that you’re taking good backups of your systems and then you’re air-gapping those backups – you’re keeping them offline.”

IT security firm Sophos says 56% of organizations whose data was encrypted were able to recover from backups and avoided paying a ransom. And though there are some exceptions, the U.S. Treasury says you can be prosecuted for paying a ransom to sanctioned groups.

Over at the FBI, Leatherman says it’s never a good idea to negotiate with criminals. “What we would recommend is not relying on the bad guys to give you your data back.”

“Any organization that has a bottom line and makes a profit is subject to ransomware attacks and the criminal actors are indiscriminate in who they target,” says Leatherman. “Cybersecurity is national security. The FBI is investigating over 100 variants of ransomware right now, it’s unprecedented the number of ransomware variants and groups targeting US organizations.”