Ransomware: Why cities have become such a big target for cyberattacks - and why it'll get worse

A number of US cities have paid ransoms of hundreds of thousands of dollars after getting caught out by hackers -- and if the business model is working, cybercriminals will keep exploiting it.
Written by Danny Palmer, Senior Writer

Ransomware once seemed to be on the decline, but it's now gained a new lease of life -- and additional notoriety -- after crooks identified a lucrative new set of targets for their file-encrypting malware.

Once content to target individuals' PCs, cybercriminals have extended their reach upwards after realising that they can make tens of thousands of dollars a time by encrypting the entire networks of small and medium-sized businesses and other organisations, and holding them to ransom.

2017 saw an incident that changed this particular brand of cybercrime forever: the WannaCry ransomware attack. Powered by a leaked NSA hacking tool, WannaCry had worm-like capabilities which enabled it to quickly spread around the world. Organizations across the globe fell victim to the malware campaign, with parts of the UK's National Health Service among the most high-profile victims.

The attack, attributed to North Korea, only generated around $130,000 in bitcoin payments, but demonstrated the severity of damage that ransomware could cause for businesses and even critical infrastructure.

While some cybercriminal gangs shifted away from using ransomware in favour of other attacks such as cryptojacking or trojan malware, those specialising in file-locking campaigns kept plugging away, developing more highly targeted -- and much more effective -- attacks.

Now, by taking advantage of internet-facing Remote Desktop Protocol (RDP) ports, default credentials, and lateral movement, attackers can stealthily bide their time and gain access to whole networks before pulling the trigger and dropping a ransomware payload.

While some major organisations -- such as Norsk Hydro -- have fallen victim to this kind of attack, cities and local governments, particularly those in the US, have fast become regular victims of ransomware campaigns.

Recently, a number of affected cities have paid hundreds of thousands of dollars to cyberattackers. In June, Riviera Beach City, Florida -- population 34,000 -- paid $600,000 in bitcoin to hackers after data and services were lost to a ransomware attack. Not long afterwards, Lake City, Florida -- population 12,000 -- paid a ransom of $500,000 after ransomware took down almost all of the city council's IT services and systems.

A few months before the two Florida cities were hit, Jackson County, Georgia -- population 70,000 -- was also hit by a ransomware attack and officials paid $400,000 to regain access to IT systems.

"They're paying because it's the quickest way to get your operations back up and running. If you look at some incidents that have impacted critical services, those are highly disruptive and definitely felt by the citizens of the city. That's probably factoring in to cities decisions to pay," says Kimberly Goody, manager for intelligence analysis at FireEye.

SEE:  A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

While some cities, such as Baltimore and Atlanta have opted to spend millions on rebuilding systems rather than giving into the demands of attackers, others have made the decision to pay, authorising their insurers to negotiate with the cybercriminals because it appears to be the simplest short-term option.

It's possible that criminals aren't targeting cities on purpose, rather they're searching for any internet facing vulnerabilities they can find. However, it's also possible that groups have become aware that cities are easy pickings.

Councils running small and medium-sized cities aren't flush with funds, meaning IT security doesn't have the investment it requires and security holes are left open. And, with a population totalling over 327 million people, there are thousands of small cities in the USA which make perfect targets for attackers.

"These organisations are usually less secure then private institutions, they're not as cybersecurity-orientated. They're very prone to cyberattack -- and if something goes wrong, they can lose everything," says Marina Kidron, director of threat intelligence at Skybox Security.

SEE: 10 tips for new cybersecurity pros (free PDF)

And, because targeting cities is bringing in lucrative paydays, cybercriminals are going to keep attacking them with ransomware.

"Ultimately, these guys are conducting these operations because they want to make a profit -- they wouldn't be doing so if it wasn't working," says Goody.

Cybercriminals dealing in ransomware are successful. Recently the operator of GandCrab ransomware announced their retirement, claiming affiliates had made over $2 billion from their ransomware as a service.

While some malware gangs do get traced by the authorities, identifying attackers is rare -- another factor leading to file-locking malware being such a huge problem for cities and other victims.

"How many many cases of cybercriminal gangs which operate in ransomware which have been caught? Maybe a handful," says Liviu Arsene, senior e-threat analyst at Bitdefender.

"Sometimes with ransomware it's more difficult to make someone accountable and find the guys -- they pop up overnight and disappear. Ransomware is a really lucrative business and it has become a really low hanging fruit for the cybercriminal community," he adds.

If there is a silver lining from this, it's that city administrators are now hopefully aware of the threat posed by ransomware. That should provide an incentive to protect against the attacks, because cities are unlikely to want their name added to the list of those who paid hundreds of thousands in bitcoin ransoms.

The best option for such cities -- and the one which protects their budgets in the long run -- is to invest in security before falling victim to an incident. That's not without cost and pain, however.

"Whatever pain you go through to rebuild, you're going to have to do it anyway when you upgrade your security controls," says Dan Wiley, head of incident response and threat intelligence at Check Point Software. "Maybe it isn't as bad having to rebuild all your servers, but you're still going to have go through a lot of effort to remediate your environment against these attacks."

The good news is there are several relatively simple steps -- aside from the obvious one of employing endpoint security software -- that cities and other organizations can take to ensure they're protected from ransomware attacks.

The first is to ensure all software and all operating systems are fully patched with all necessary security updates. Software vendors put out security patches to combat vulnerabilities which can be exploited by attackers -- if an organisation is still running software which hasn't been patched for months or even years, it's asking for trouble. One of the reasons the WannaCry ransomware was so successful was because so many organisations hadn't applied a critical patch almost two months after it was issued.

In addition, organizations should ensure RDP is exposed to the internet only when necessary -- and, if is deemed as vital, then the passwords that secure it shouldn't be set to default or simple to crack. Multifactor authentication should also be enabled, so in the event of attempts at unauthorised access, easy lateral movement isn't possible.

Finally, one of the most important defences when it comes to ransomware is to ensure systems are regularly backed up, so if the worst does happen, the network can be restored relatively simply and without giving in to the demands of cyberattackers.

But the unfortunate truth is that some organizations still won't heed the lessons of the recent spate of attacks -- and more will become victims before things start getting better.

"It's going to get worse. Lessons are repeated until they're learned," says Wiley. "They're very simple lessons and if you don't take them on board, you're screwed."


Editorial standards