Security Research

Ransomware rakes in $1 million in a week

CHRIS LOUIE - Sales Engineer
July 01, 2019 - 6 min read

So many brilliant and outrageous news headlines start with the words “Florida man…” that it has officially become a meme. Here are a few zingers from the past week.

In other Florida news, two municipalities were forced to pay over $1 million to recover from devastating ransomware attacks that sent their city infrastructure back to the stone age. The 911 response systems went down, payroll staff wrote checks by hand, citizens could not pay their water bills, and (of course) no proper backups were in place. In all, attackers earned $1.13 million for the cost of sending out a few emails to unsuspecting city workers.

There is a reason why the United States has taken a stance against negotiating with terrorists. If the United States agrees to pay a ransom in exchange for a hostage or to prevent an imminent attack, it will encourage other bad actors to do the same, since it is now profitable to perform acts of terror. For the same reason, the FBI, the country’s top domestic law enforcement agency, has advised American businesses not to pay the ransom when they become the victim of a ransomware attack. Recently, I had the privilege to speak on a panel with a Supervisory Special Agent from the FBI’s cybercrime division, and he spelled out the reasons against paying a ransom.

  1. Ransom is somewhat similar to blackmail. If an organization pays a ransom, the attackers know the organization is willing to pay and can come back asking for more money before releasing the decryption key.
  2. There is no guarantee the files will be decrypted once the ransom is paid. Surprise, surprise—criminals by definition do not follow the law and have no obligation to release the decryption key after payment is made.
  3. Assuming an organization gets the decryption key after the ransom is paid, it has become a future target since it is now known that it will pay the ransom.
  4. Paying the ransom makes all organizations more attractive targets for ransomware attacks now that it is seen as a profitable endeavor.

Frequent visitors of my blog know that I make predictions on the direction of the cyberwars based on current events, new and innovative technologies, and the cyber adversaries’ ability to continually think of creative and unconventional ways to attack their targets. I take no pleasure in having my predictions come true, especially when it comes to worst-case scenario cyberattacks. In April, I predicted that after a steady decline, ransomware attacks would resurge as a result of companies acquiring cybersecurity insurance and having riders on those policies to cover the payment of a ransom should the policyholder become a victim of a ransomware attack. 

In January, February, and June of this year, I posted advisories of new and ingenious phishing attack methods, often the first stage in a ransomware attack campaign. Getting someone to click on a link to steal credentials or install unauthorized software can easily lead to a ransomware outbreak. In March, I documented the dwindling trust in antivirus software to prevent ransomware attacks. All of these predictions culminated in the news out of Florida.

With no other options available, the Florida cities of Lake City and Riviera Beach authorized their cybersecurity insurance companies to pay 42 bitcoins (approximately $330,000 at the time) and 65 bitcoins (approximately $520,000 at the time), respectively, to attackers to regain access to their locked systems. The cities did not want to follow in the footsteps of Baltimore, which had just spent $18 million to recover from a similar ransomware attack, or Atlanta, which is expected to pay over $10 million after the SamSam ransomware outbreak. In the case of Atlanta, the ransom was $52,000, a small percentage of the recovery costs, but the city took the stand not to pay the ransom. Lake City and Riviera Beach also budgeted for increased expenditures in IT to rebuild their networks and cybersecurity, knowing they will become the targets of increased attacks.

It is too soon to know whether paying the ransom was the right move for the Florida cities and whether their systems will be restored promptly enough to avoid significant rebuilding costs, but time will tell. The cities also hit a stroke of fortune, as the price of Bitcoin has skyrocketed more than 40 percent since the payment was authorized.

The UK National Cyber Security Centre recently released an advisory that Ryuk ransomware is increasingly targeting organizations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a statement that cyberactivists based in Iran will be ramping up attacks against the U.S. and her allies in retaliation for the escalating tensions between the two countries. Iran is known for using disk-wiping malware disguised as ransomware, as seen in the Shamoon attack against the Saudi-owned petroleum company Saudi Aramco, and for even more nefarious malware, Triton, used to blow up gas pipelines and gas processing plants.

In April, I pledged not to say, “I told you so,” but these very costly attacks should serve once again as a wake-up call to municipalities and organizations to take the threat of ransomware seriously. It is not enough to have a backup strategy in place. Those backups must be regularly tested to ensure they work once the primary data systems go down. It is not enough to have “good enough” security that only examines the DNS record or HTTP traffic, bypassing “trusted” websites such as CDNs, cloud file storage, and HTTPS traffic. It is not enough to tell users not to click on links in emails from unknown senders. Proper security awareness training extends beyond once-a-year online training classes and must extend to phishing tests, red teaming, and security controls to protect users against themselves. With a 400% increase in phishing attacks utilizing SSL or TLS encryption, it becomes essential to inspect this traffic for malicious data. Security is everyone’s responsibility and working with users and enabling them to be extensions of the security team will be the only way to effectively prevent the next ransomware outbreak. 
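The paragraph above says a backup is only worth something if its restore is tested. The following Python is an added example of such a restore test; it is not from the original post or from Zscaler. It records a SHA-256 manifest of the primary data at backup time, then compares a restored copy against that manifest and reports files that are missing, altered (for example truncated), or unexpected. The directory layout, file names and file contents in `demo()` are constructed for the illustration.

```python
"""Restore verification: compare a restored tree against the manifest taken at
backup time. Added example, not code from the original post."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a POSIX-style relative path) to its SHA-256.

    Run this against the primary data when the backup is taken and store the
    result with the backup set; it is the reference the restore is judged against.
    """
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the backup-time manifest.

    Returns three sorted lists:
      missing    - in the manifest but absent from the restore
      changed    - present but with a different hash (corrupt, truncated, tampered)
      unexpected - present in the restore but never part of the backup
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(name for name in manifest if name not in current),
        "changed": sorted(
            name for name in manifest if name in current and current[name] != manifest[name]
        ),
        "unexpected": sorted(name for name in current if name not in manifest),
    }


def restore_is_good(report: dict[str, list[str]]) -> bool:
    """A restore passes only when all three lists are empty."""
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a manifest, then 'restore' a copy with defects."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        (primary / "billing").mkdir(parents=True)
        (primary / "billing" / "water.csv").write_text("acct,due\n1001,42.50\n")
        (primary / "payroll.db").write_bytes(b"\x00" * 1024)
        (primary / "dispatch.log").write_text("constructed call log\n")
        manifest = build_manifest(primary)

        restored = Path(tmp) / "restored"
        (restored / "billing").mkdir(parents=True)
        # intact copy
        (restored / "billing" / "water.csv").write_text("acct,due\n1001,42.50\n")
        # truncated by one byte: same name, different hash
        (restored / "payroll.db").write_bytes(b"\x00" * 1023)
        # dispatch.log is deliberately not restored
        # a stray file that was never in the backup
        (restored / "scratch.tmp").write_text("leftover\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print(result)
    print("restore OK" if restore_is_good(result) else "restore FAILED")
```

In practice the manifest is produced alongside each backup job and the verification runs against a restore into a scratch location on a schedule; a non-empty `missing` or `changed` list is the signal that the backup would not have saved you when the primary systems went down.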

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Christopher Louie, CISSP, is a sales engineer at Zscaler
