Coming to a City or Town Near You: Ransomware

September 16, 2019 • Monica Todros

There has been a growing number of ransomware attacks targeting cities and towns across the U.S. Once hit, a city or town faces tough decisions, pay the ransom or restore from backup, and all of this happens against a backdrop of needing to keep providing vital services to citizens. To add insult to injury, many cities and towns operate on tight IT and security budgets. Their IT staff have been asking for more security tooling and better backups, but are quite often told that the money is simply not there.

Recorded Future’s Allan Liska knows a thing or two about ransomware. He’s co-author of the book “Ransomware: Defending Against Digital Extortion,” and he recently published the results of ransomware research that he and his team at Recorded Future have been working on. He shares their findings, along with advice for keeping your organization safe.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 125 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

There have been a growing number of incidents of ransomware attacks targeting cities and towns across the U.S. Once they’ve been hit, cities and towns face a number of tough decisions. Pay the ransom, restore from backup, and all of this happens with a backdrop of needing to provide vital services to citizens. To add insult to injury, many cities and towns face tight IT and security budgets. They’ve been asking for more security and better backup tools, but are quite often being told the money is simply not there.

Recorded Future’s Allan Liska knows a thing or two about ransomware. He’s co-author of the book, “Ransomware: Defending Against Digital Extortion,” and he recently published the results of some ransomware research he and his team have been working on. He’ll share their findings, along with advice for keeping your organization safe. Stay with us.

Allan Liska:

We really started to see a big uptick in ransomware attacks in 2015 and ’16, and it coincides with the rise in Bitcoin popularity. Before you had solid Bitcoin infrastructure, ransomware was really hard to do. It was easy to encrypt people’s files, but getting money in a reliable way that couldn’t be clawed back by the authorities was a challenge. I mean, there’s only so many iTunes gift cards or Amazon gift cards that you could use. People were using MoneyPak and Western Union and MoneyGram, et cetera, but all of those had the problem that it was relatively easy to trace the money. You could get away with it for a little bit, but eventually those transactions were going to get caught.

So in 2013 … 2012, I think, is when Bitcoin actually started coming into use. 2013 is when we started seeing some ransomware campaigns. But really 2015 and ’16, with Locky and Cerber, we started seeing just a huge increase in ransomware attacks. And then it fell off a little bit in 2017, and that was because most of the ransomware in the early campaigns was delivered via phishing campaigns, large-scale phishing campaigns where these ransomware actors would send out millions of emails a week. But eventually the mail providers … So your free mail providers, Google and Hotmail and Yahoo, caught up to that and were able to quickly quash it, so that for the most part that ransomware wasn’t getting through by the end of 2016. That spam wasn’t getting through. And then, slower to catch on but still fast, the companies that provide email protection for small businesses, medium-size businesses, et cetera, that have their own mail server, they caught on and that was blocked.

It took a while for the ransomware actors to transition tactics, and they moved from large-scale phishing campaigns to more small, handcrafted batches. I like to compare ransomware to fine craft beer. You want it done in small batches and seasonally done and so on. And then along with that, the advent of using remote access. Especially remote desktop protocol, your open remote desktop protocol servers, et cetera. Finding other ways to gain access. We saw a resurgence of ransomware in 2018 that’s continued into 2019.

Dave Bittner:

Now I seem to recall that there was also a shift to crypto mining, that that was the hot thing for a while. Was there any cause and effect there, or was that just coincidental?

Allan Liska:

Absolutely. As ransomware became less profitable, attackers were looking for other ways to make money. The thought was, especially in 2017, we’ll do crypto mining and we’ll get thousands and thousands of servers and we’ll start crypto mining, and then we still have the benefits. Ransomware and crypto mining both have the same benefit: you basically start making money right away, because with the mining you’re getting your Bitcoin or whatever it is that you’re crypto mining for. Whether it’s Monero or Jesus Coin or whatever. You get that money soon, you don’t have to wait to sell anything. You don’t have to compromise 100 million credit cards and try and sell that on the dark web or anything like that. That’s the benefit to both of them. It turns out it’s actually really hard to make money crypto mining. There are a few campaigns that were very successful. They infected hundreds of thousands, if not millions, of devices and they were very successful at crypto mining.

Most of the campaigns didn’t make a lot of money crypto mining. So the actors that switched from ransomware over to crypto mining, a lot of them had to switch back and find other ways to make money. That basically boiled down to how can I make money off of ransomware again and then readjust their tactics.

Dave Bittner:

And so where do we find ourselves today? What are the techniques that folks are finding success with when they’re sending this ransomware out into the world?

Allan Liska:

A lot of remote desktop protocol has gained in popularity. Then ransomware’s become a second-stage loader. We see this with, say, Emotet. Emotet, as a loader, will then deploy TrickBot, and then TrickBot will then deploy the ransomware. So it’s not, here’s Locky, open up this email … Here’s this email, here’s this attachment, click on it and bam, there’s your ransomware. It may come in as a third stage in the attack format for the phishing campaigns that are being used. And those phishing campaigns have gotten a lot smaller. So a thousand identical emails instead of a million identical emails are being sent out to potential victims.

Dave Bittner:

Now in the past year or so, it seems as though we’re certainly seeing a lot of media attention to these governments, state and local governments that are being hit with ransomware. What are you finding there? This is something you dug into with your blog post on the Recorded Future website. It was really interesting for me because there are some things that you found out that weren’t what I would have thought. I think some of the common perceptions of this turned out to not be the case, so take us through what you discovered here.

Allan Liska:

One of the things that we discovered, we tracked over the course from 2013 through September of 2019 now, we’ve tracked 223 ransomware attacks. These were all publicly reported. What we don’t know is what percentage of all ransomware attacks against state and local governments that comprises. We don’t know if that’s 10 percent of those attacks or 50 percent of those attacks. Because one of the first challenges we ran into is there’s no centralized reporting database. For example, most of these state and local governments, when they are hit, they wind up reaching out to their local FBI field office. But the FBI doesn’t centrally track all those reports that are being made, which means that we don’t have an idea of what the big picture is. That being said, 223 attacks from 2013 through September of 2019 is a pretty big number.

The other thing that we’re seeing is that it is a problem that is getting worse. For example, we were able to track 54 reported attacks in 2018, we’re already up to 73 reported attacks in 2019. That’s already a big gap and there are still three and a half months left in the year. We’re set to blow away the number of last year. Those are pretty big challenges.

The other thing that we found, which was kind of interesting, is that state and local governments are actually less likely to pay the ransom than other entities. Research that has been done by other people has found that about 42 percent of all ransomware victims pay the ransom. When we first started doing the reporting, we were at 17 percent. That number’s actually dropped a little in 2019, so that we’re down to about 15 percent of ransomware victims, state and local government ransomware victims, that actually will say they paid the ransom. There’s 15 percent that we don’t know whether or not they paid the ransom. And then 70 percent definitely did not pay the ransom.

We thought that maybe there would be more that paid the ransom, but in our interviews and in talking to a lot of these state and local governments, it’s really hard to justify spending taxpayer money to pay the ransom. Even if there’s an inclination to do that, because that kind of expenditure needs to be approved by either the mayor or the board of supervisors or the city council or whoever, nobody who sits on those committees wants to be on record as having authorized paying a ransom to get the data back.

Dave Bittner:

That’s interesting. I can’t help thinking about if somebody had kidnapped the mayor and were holding the mayor for ransom, what would the city council do in that sort of situation?

Allan Liska:

Right? You’re absolutely right. The attitude would be very different.

Dave Bittner:

Well, one of the interesting findings though is that you looked into whether or not these governments were being specifically targeted or not.

Allan Liska:

So initially, no. Initially what we saw was that they weren’t being targeted. They just happened to be vulnerable to the ways the attackers liked to launch ransomware attacks. So, in other words … We talked about the shift from phishing to remote desktop protocol. Well, a lot of these state and local governments that don’t have big budgets rely heavily on remote desktop protocol for remote administration because they don’t have the funding for a full VPN solution or something like that. So what they’ll do … So their victim profile unfortunately matched almost perfectly with the attacker profile.

Now there’s been a little bit of a shift, because even though state and local governments are less likely to pay the ransom, they get outsized news coverage. So when you look at the attacks in Atlanta, in Baltimore, the 22 cities and towns that were hit in Texas, that got a lot of coverage. And we’ve actually seen this in underground markets where people are trying to sell ransomware. What they’ll do is, they’ll post the latest news story about whatever city is the latest victim and then underneath they’ll post a tag with some of the big ransomware payouts. So when you saw in Florida with Riviera Beach and Lake City that paid $460,000 and $600,000 respectively, those will be mentioned in those ads for people trying to sell ransomware as a service, as a reminder that, “Oh yeah, you can make big money if you hit the right city.”

Even though, logically speaking, you’re less likely to get paid by hitting a city or state government, there’s this thought that, “Oh hey, I could make a lot of money if I hit the right city or state government.”

Dave Bittner:

Right. Now, what are you seeing in terms of the type of ransomware that they’re using to go after these folks? Is there any consistency there or is it all over the map?

Allan Liska:

It’s all over the map. It really is reflective of the ransomware usage at the time. For example, right now we’re seeing a lot of Ryuk, but that’s because Ryuk is one of the most popular ransomware families that’s being delivered currently. We’re seeing a rise in Sodinokibi, which again, a lot of people view as the successor to GandCrab. And so we’d expect to see more of that. There hasn’t been a particular group that we can tell that’s specifically targeting cities and states, just in general there’s much more interest in them.

Dave Bittner:

Yeah, I mean it’s really an interesting insight that you have there. That with the cities not being able to pay the ransoms, it’s … I guess you could see it as almost a PR move for the folks doing the ransomware to raise their profile.

Allan Liska:

Right. And it absolutely does. So you look at the RobbinHood ransomware that hit Baltimore. RobbinHood had had one or two other successes and that’s it. We hadn’t seen a whole lot, but suddenly there’s a groundswell in the underground markets of people who had RobbinHood trying to sell that as ransomware as a service because every time Baltimore was mentioned, the RobbinHood ransomware was mentioned alongside it.

So, even though it hadn’t been widely distributed and probably would have been one of those ransomware families that are one-hit wonders, it gained a lot more traction in the underground markets, at least, because of the noise and the news that was associated with the Baltimore attack. Now that being said, we still haven’t seen a whole lot of additional successful RobbinHood attacks. So it’s still not a very good variant of ransomware. It’s just that there’s a lot more interest in it in underground markets.

Dave Bittner:

Do you have any sense looking at these statistics … I’m a city manager, I’m a mayor, or I’m on a city council, those sorts of things, is the amount of fear that I have of this in line with the actual odds of this happening to my city?

Allan Liska:

Yes. Unfortunately there’s not a whole lot of money going around for security in most of the smaller cities and towns, even if you’ve been yelling about this for years. That’s one of the other things we saw in some of the interviews we did: we’d have city managers or IT managers who would say, “Look, I’ve been trying to get the budget approved for this security feature or that security feature for three years and it keeps getting pushed aside.” So there is a fear, and I think a justified fear, that each city could be next and that the right protections aren’t in place to stop it.

Dave Bittner:

What are your recommendations then, for the folks who feel like they’re at the center of the bullseye for this? What should they be doing to protect themselves?

Allan Liska:

I always tell people, and it sounds defeatist, but make sure you start with a good backup and make sure you’re testing your backup regularly. Because ransomware actors are always changing their tactics, and as they jump from one tactic to another, you may not have protections in place. For example, we talked a little bit about the change to remote desktop protocol, but then the Texas attack happened. And Texas happened because the attacker infected a managed service provider and then used that access to infect the cities.

We’ve seen that happen before. The first time with municipalities, but we’ve seen that happen before to other places. If you didn’t have two-factor authentication in place for your managed service provider, you could potentially be impacted by that. So have a good backup. Test that backup regularly to make sure that you can do a restore and that the data … what all is backed up and so on. That’s number one.

Make sure you’re doing continuous phishing training to ensure that your employees know what to look for and not look for in these emails and to be overly cautious with external emails.

Make sure that you are enabling two-factor authentication wherever possible. For example, if you have to keep remote desktop protocol, although with BlueKeep now being … With a now active exploit for BlueKeep, I would recommend disabling remote desktop protocol whenever possible. But if you have to keep it open, make sure you’re using two-factor authentication. In fact, use two-factor authentication wherever you can.

And then inside of your networks, make sure you’re doing proper segmentation. That was the other thing that we saw in a lot of these attacks, where a ransomware attacker will land in, say, the accounting department, but then they have full access to the police department and the court system.

Even in Atlanta, when the Atlanta attack happened, Hartsfield-Jackson had to shut down its WiFi for a day because the backend infrastructure for the WiFi was connected to the city network and completely unobstructed. So make sure you’re putting that segmentation in. There’s no reason that anybody in accounting should be able to see all the servers and all the workstations in the police department or in the court system. That doesn’t stop the ransomware attack. It does keep it from spreading.

Dave Bittner:

Were there any cases where these cities actually paid the ransom?

Allan Liska:

Oh yeah. Yeah. We talked briefly about the two cities in Florida, one right after the other, Riviera Beach and Lake City, that paid the ransom. And then we also talked about … Or we didn’t talk about, but LaPorte County in Indiana paid a $130,000 ransom in July. The Rockville School District in New York paid a $100,000 ransom earlier this month. The Wolcott School District in Connecticut paid a $10,000 ransom. So yes, I mean there are definitely places. And the Wolcott School District basically had no choice because they got hit right when school was starting, and they would have had to delay the opening of school if they didn’t pay the ransom.

Dave Bittner:

I see. Yeah. I can’t help wondering if communities will start putting together war chests or covering themselves with insurance for this, but also shift that moral hazard as well.

Allan Liska:

Right. We’ve definitely seen that increase in cyber insurance. We saw in July, New Bedford, Massachusetts was hit with a $5.3 million ransom. They brought in their cyber insurance company, who tried to negotiate that down to $400,000. The attackers refused, and so they just didn’t pay a ransom. We’re definitely seeing an increase in awareness of cyber insurance in cities and states and using the cyber insurance to pay it. Because again, if you’re the mayor or the city councilor or board of supervisors, all you then have to do is authorize the $10,000 or $20,000 premium payment. So you’re not authorizing paying a ransom, you’re just authorizing the premium payment to your insurance company, who then takes care of everything for you.

Dave Bittner:

Our thanks to Allan Liska for once again joining us. You can find his review of state and local government ransomware attacks on the Recorded Future website.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
