December 30, 2019 // Tony Howlett // Last Updated: November 19, 2020
2019 was supposed to be the year that ransomware began to gradually decline, and we expected it to be replaced by some newer, more virulent form of cyberattack. But that wasn’t the case. Cryptojacking (the act of taking over computers to use them for crypto-coin mining) was one of the candidates to be the new champ. However, the collapse of the Bitcoin valuation last year, along with some new techniques, has made 2019 a banner year for ransomware attacks instead of its postscript.
According to a study by Trend Micro, ransomware attacks surged 77% in the first half of 2019, with no slowdown in sight. In addition to increasing in volume, cyber-gangs have figured out how to make their attacks far more profitable by using several new diabolical strategies:
Previously, ransomware attackers were going after small fish, mass targeting small businesses and asking for relatively small ransoms. This quantity-over-quality approach was easy, but yielded small amounts ranging from hundreds to thousands of dollars, most often paid directly by the victim. However, they soon figured out that some entities, such as small government and healthcare organizations, would make for better targets. These organizations tend to have weaker cybersecurity controls than other enterprises of their size but control important infrastructure, either in the form of patient care systems or government IT systems that support things like local 911 emergency systems and utility payments.
If hackers spend a little extra effort to truly infiltrate one of these organizations and even wipe out their backups, the victims often have no choice but to pay the ransom. In one example, a local hospital had to revert to paper systems to treat patients when the electronic medical records system was down due to ransomware. These entities don’t have the luxury of time to negotiate with cybercriminals; they must pay or risk massive fines and penalties under government regulations like HIPAA. In the first 9 months of 2019, there were 621 recorded attacks on these types of entities, including 68 on state and local government entities and 491 on healthcare organizations. Expect these types of attacks to continue, as the hackers are far from done mining this rich vein of vulnerable victims.
Another force multiplier for criminals using ransomware was hacking third parties that service many businesses in order to infect many of their clients all at once. The first big example of this was in Texas in August of this year, when 22 local city governments were taken down by ransomware spread through an MSP that they used. Using a poorly secured desktop management tool that the MSP used, the hackers were able to launch ransomware in all locations at once, overwhelming both local and state resources and making payment much more likely. This new angle highlights the need for better third-party risk management and strong technical controls over vendor access using technologies such as PAM and VPAM.
2019 was also the year that saw ransomware become the number one cause for a cyber-insurance payout for many insurers, reaching 18% of claims for Chubb and 25% for AIG, according to a recent article in HealthITSecurity. This is due to the increasing attacks on critical infrastructure mentioned above, which cannot wait for traditional recovery operations. Also, attackers are getting more savvy and brazen, often being aware of exactly how much a company is covered for and negotiating directly with insurance companies rather than the covered company. This may change as insurers start getting smarter about writing policies. In order to cut their losses, they may require stricter underwriting guidelines, insert exclusions for gross negligence on the part of the provider (e.g., a large retailer who isn’t 100% compliant with PCI-DSS), and deny claims where proper due diligence isn’t taken by the claimant. But for now, this stream of payments will only cause the ransomware fire to spread and intensify.
These factors, along with the general increase in cybercrime overall, have troubling implications for our most sensitive systems and critical infrastructure. Indeed, these new attacks have proved deadly for many entities that lose significant portions of their systems and data. Several medical offices and clinics have shut down after ransomware deleted all, or most, of their patients’ medical records. And service providers that are used for some of these attacks have also failed in the aftermath, unable to withstand the loss of customers and the inevitable lawsuits that come from them. And it is only a matter of time before ransomware claims its first human victim after a failure in some public safety system or healthcare service. Hopefully, the government and other industries will come up with an effective, collective response before that happens. Check out our blog that talks about the importance of implementing a collective defense against ransomware.