In early May, the city of Baltimore was hit by a massive ransomware attack which crippled city employees and residents from their day-to-day tasks for weeks, ultimately costing millions in taxpayer dollars. Ransomware, a type of malware or malicious software that weaponizes encryption, is used by hackers to first encrypt data on a victim’s machine, blocking access to a computer system or service. Afterwards, the hackers demand payment of a ransom, usually in bitcoins, to decrypt the data.
Ransomware is typically distributed through phishing attacks, spamming thousands of fake messages to targets, looking for the one employee who will click on a malicious link. According to Verizon’s latest data in the 2019 Data Breach Investigations Report, ransomware is now the second most common malware threat behind command and control.
So, what exactly happened during the Baltimore ransomware attack, and how can your organization avoid falling victim to the same fate?
Recap of the Latest Ransomware Attack in Baltimore
The Baltimore ransomware attack began on May 7, 2019, shutting down city computer systems and seizing approximately 10,000 Baltimore government computers. The attacked affected hospitals, factories, airports, ATMs, and more—completely stopping city operations. For over a month, residents were unable to access the websites where they pay water bills, property taxes, and parking tickets. The attack also hurt Baltimore’s real estate market, as officials could no longer access the systems necessary to complete property sales.
By early June, nearly four weeks after the attack, recovery was still in the early stages, with only a third of Baltimore employees having regained access to their computers. On June 4th, Baltimore Mayor Bernard “Jack” Young stated, “All city services remain open, and Baltimore is open for business." However, many departments, including municipal payment and financial systems, were still relying on paper documents and manual workarounds.
In early July, The Baltimore Sun reported that email access for employees had been restored, along with most electronic payments. However, email archives of city officials are still unavailable, which can be a problem when it comes to compliance, as these emails are typically released in accordance to the Maryland Public Information Act.
The Hidden Reason Behind the High Cost of Ransomware Attacks
The attackers behind the incident in Baltimore used a ransomware strain known as RobbinHood to encrypt city data and demanded payment of 13 bitcoins or just over $100,000 to unlock the files. However, Mayor Young refused to pay up, stating, “We’re not going to pay criminals for bad deeds. That’s not going to happen.”
With such a dire situation lasting for so long, residents were quick to wonder why the city refused payment. The truth is, the FBI advised city officials not to pay the ransom, knowing this would only encourage attackers to ramp up attacks. Even worse, many victims pay the ransom and are still unable to retrieve their data.
While the $100,000 ransom may seem like a large sum, it’s estimated that the attack will actually cost the city $18.2 million.
So, why is the estimated cost so much higher than the ransom?
The reality is, the initial ransom can be dwarfed by the costs of disinfecting machines, stabilizing systems, and restoring data. In this case, $10 million of the $18.2 million in estimates is due to direct costs to restore the city’s systems, while the remaining $8 million is from lost or deferred revenue.
Ransomware is a Threat Prevalent Across All Industries
Unfortunately, attacks like the Baltimore incident all too common, and cities of similar size, such as Greenville, North Carolina, have also been brought down by recent attacks. But Ransomware attacks aren’t limited to government organizations.
The 5 most cyber-attacked industries over the past 5 years are healthcare, manufacturing, financial services, government, and transportation. Cybersecurity Ventures predicts that retail, oil and gas, energy and utilities, media and entertainment, legal, and education (K-12 and Higher Ed), will round out the top 10 industries for 2019 to 2022.
By 2021, global ransomware damage costs are predicted to reach $20 billion. So why is ransomware exploding? It’s clear that many organizations, across industries, are failing to put the necessary security measures in place to prevent or minimize the risks associated with access, from both internal and external sources.
Protect Your Organization with Robust Identity and Access Management
So what can you do to make sure your organization is prepared to fend off ransomware stick-ups? The first easy precautionary measure is to make sure your data is backed-up on a daily basis. The 3-2-1 principle is a good rule of thumb here: Keep at least three copies of your data, back up your data on at least two different storage types (cloud and on-premises, for example), and keep at least one backup copy off site. You don’t have to pay hackers to get access to what you still have.
Beyond regular back-ups, limiting the damage ransomware can have on your organization comes down to enforcing least privilege access with identity and access management (IAM). When manually provisioning access, human error is a fact of life. Accidental over-assignment of permissions, access granted to improper data—these things happen, and they make hackers’ jobs easier. But by enforcing least privilege access with identity lifecycle management, access changes and deprovisioning processes are automated. Users only get access to resources they need for their day-to-day tasks, and nothing more, which in turn, restricts the damage an attacker can do once inside your systems.
Even better than limiting the damage an attacker can do is preventing an attack altogether, and one of the easiest ways for an attacker to gain access to your systems is by hijacking static passwords. At this point, we should all be well-aware of the security limitations of traditional passwords.
Simply put, eliminating dependency on passwords can help protect your organization from ransomware attacks. One report found that by 2020, the world will need to cyber protect 300 billion passwords globally. James Litton, CEO of Identity Automation recommends you eliminate passwords altogether, if possible. “By eliminating passwords, you’re eliminating an all-too-easy access point for hackers to take advantage of passwords that are weak or breached,” says Litton, adding, “If you must use passwords, make sure they are complex and unique for each account.”
Multi-Factor Authentication helps overcome the limitations of traditional passwords by replacing or augmenting passwords with a second or third form of verification that renders an attack harmless in the event that a user’s credentials are stolen.
For more best practices on protecting yourself from ransomware, check out our action plan.
No End in Sight: Ransomware Attacks are on the Rise
Ransomware is a major problem for individuals and organizations, and unfortunately, this threat isn’t going away anytime soon. In fact, Cybersecurity Ventures predicts that by the end of this year, there will be a ransomware attack targeted to businesses every 14 seconds. The city of Baltimore was only one target in 2019; don’t let your organization be the next.
In the end, there's no silver bullet for stopping ransomware attacks. But by following the best practices above and implementing some complete IAM, you can put your organization in a much less vulnerable position. It’s your decision: Invest in security today or invest in bitcoins tomorrow.