So many brilliant and outrageous news headlines start with the words “Florida man…” that it has officially become a meme. Here are a few zingers from the past week.
In other Florida news, two municipalities were forced to pay over $1 million to recover from devastating ransomware attacks that sent their city infrastructure back to the stone age. The 911 response systems went down, payroll staff wrote checks by hand, citizens could not pay their water bills, and (of course) no proper backups were in place. In all, attackers earned $1.13 million for the cost of sending out a few emails to unsuspecting city workers.
There is a reason why the United States has taken a stance against negotiating with terrorists. If the United States agrees to pay a ransom in exchange for a hostage or to prevent an imminent attack, it will encourage other bad actors to do the same, since it is now profitable to perform acts of terror. For the same reason, the FBI, the country’s top domestic law enforcement agency, has advised American businesses not to pay the ransom when they become victims of a ransomware attack. Recently, I had the privilege to speak on a panel with a Supervisory Special Agent from the FBI’s cybercrime division, and he spelled out the reasons against paying a ransom.
Frequent visitors of my blog know that I make predictions on the direction of the cyberwars based on current events, new and innovative technologies, and the cyber adversaries’ ability to continually think of creative and unconventional ways to attack their targets. I take no pleasure in having my predictions come true, especially when it comes to worst-case scenario cyberattacks. In April, I predicted that after a steady decline, ransomware attacks would resurge as a result of companies acquiring cybersecurity insurance and having riders on those policies to cover the payment of a ransom should the policyholder become a victim of a ransomware attack.
In January, February, and June of this year, I posted advisories of new and ingenious phishing attack methods, often the first stage in a ransomware attack campaign. Getting someone to click on a link to steal credentials or install unauthorized software can easily lead to a ransomware outbreak. In March, I documented the dwindling trust in antivirus software to prevent ransomware attacks. All of these predictions culminated in the news out of Florida.
With no other options available, the Florida cities of Lake City and Riviera Beach authorized their cybersecurity insurance companies to pay 42 bitcoins (approximately $330,000 at the time) and 65 bitcoins (approximately $520,000 at the time), respectively, to attackers to regain access to their locked systems. They did not want to follow in the footsteps of Baltimore, which had just spent $18 million to recover from a similar ransomware attack, or Atlanta, which is expected to pay over $10 million after the SamSam ransomware outbreak. In the case of Atlanta, the ransom was $52,000, a small percentage of the recovery costs, but the city took a stand and did not pay the ransom. Lake City and Riviera Beach also budgeted for increased IT expenditures to rebuild their networks and cybersecurity, knowing they will become the targets of increased attacks.
It is too soon to know whether paying the ransom was the right move for the Florida cities and whether their systems will be restored promptly enough to avoid significant rebuilding costs. The cities also had a stroke of fortune, as the price of Bitcoin has skyrocketed more than 40 percent since the payment was authorized.
The UK National Cyber Security Centre recently released an advisory that Ryuk ransomware is increasingly targeting organizations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a statement that cyberactivists based in Iran will be ramping up attacks against the U.S. and her allies in retaliation for the escalating tensions between the two countries. Iran is known for using disk-wiping malware disguised as ransomware, as seen in the Shamoon attack against the Saudi-owned petroleum company Saudi Aramco, and even more nefarious malware to blow up gas pipelines and gas processing plants using the Triton malware.
In April, I pledged not to say, “I told you so,” but these very costly attacks should serve once again as a wake-up call to municipalities and organizations to take the threat of ransomware seriously. It is not enough to have a backup strategy in place. Those backups must be regularly tested to ensure they can actually be restored once the primary data systems go down. It is not enough to have “good enough” security that inspects only DNS records or plain HTTP traffic while exempting “trusted” destinations such as CDNs, cloud file storage, and HTTPS traffic from inspection. It is not enough to tell users not to click on links in emails from unknown senders. Proper security awareness training extends beyond once-a-year online training classes and must include phishing tests, red teaming, and security controls that protect users from themselves. With a 400% increase in phishing attacks utilizing SSL or TLS encryption, it becomes essential to inspect this traffic for malicious content. Security is everyone’s responsibility, and working with users and enabling them to be extensions of the security team will be the only way to effectively prevent the next ransomware outbreak.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Christopher Louie, CISSP, is a sales engineer at Zscaler