Pre-coronavirus, cybersecurity vendors made pitches in scores of vendor expo halls. Microsoft, FireEye, RSA Security, McAfee, Palo Alto Networks — each promised next-generation defense.
There are no booths or installations for Oregon's Tillamook County or Colorado's Rangely District Hospital. They're not cybersecurity companies, and yet industry and consumers expect state of the art security from them.
Ransomware has gotten the best of organizations lining the U.S. critical infrastructure this year — just as it did last year. Victims exist on a spectrum, from Department of Defense contractors to regional hospitals.
Unlike last year, a pandemic is raging, raising the stakes of operational turbulence. And more ransomware groups added data exfiltration to their threat models.
"At the end of the last year, only one group was stealing data. Now, 15 or so do and one in four involve data theft," said Brett Callow, threat analyst at Emsisoft.
As ransomware juggles halting processes and exposing data, security professionals are expecting a cataclysmic hit on operational technology (OT) within critical infrastructure.
The Department of Homeland Security defines critical infrastructure as "the essential services that underpin American society." DHS' Cybersecurity and Infrastructure Security Agency (CISA) includes energy, water supply, communications, government facilities, healthcare, and IT among its critical infrastructure sectors.
"Our whole purpose is to avoid not only a cyber catastrophe, but a death by 1,000 cyber cuts," said Sen. Angus King, I-Maine, co-chair of the Cyberspace Solarium Commission during an August hearing.
Caught in the crosshairs of federal and enterprise critical infrastructure are public-facing smaller players: municipalities, educational institutions, and local healthcare organizations, each contributing to the 1,000 cyber cuts.
"We haven't had a catastrophic cyberattack, probably because of the deterrence that we've already had in place," said King. But "the problem is we're being attacked in a lower level way continuously … That's the area where we remain vulnerable."
As of September, at least 219 U.S. government, education and healthcare organizations were hit by ransomware, a small percentage of the global 170,000 known "successful attacks" in 2020, according to Emsisoft. The cybersecurity firm found at least 60 government entities were hit by ransomware in the first half of 2020.
With election day less than a week away, all eyes are on state-level critical systems. The impact of a Georgia-based ransomware attack, said to be DoppelPaymer, disclosed Oct. 7 is unfolding in real time. Security experts believe the incident is the first case of ransomware affecting 2020 election infrastructure.
When early voting got underway in September and expectations of ransomware spikes, CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a ransomware guide, for the IT professional though "every level of an organization" can use it, according to the agencies.
CISA notes that ransomware spares no one, and the agency has been working in tandem with the healthcare industry during COVID-19. Emsisoft found more than 40 healthcare providers were targeted by ransomware in the H1 2020.
CISA extended services to more cyber-mature healthcare organizations through Operation Warp Speed, but "just like everything else, there's a very complex set of dependencies and supply chains that support the public health sector," said Christopher Krebs, director of CISA, while speaking during the virtual National Cyber Security Alliance and Nasdaq Cybersecurity Summit earlier this month. "We needed to make sure that we were reaching as far down and into those supply chains as possible."
Not an endpoint game
Ransomware slips through defenses. More than 77% of organizations struck by ransomware had up-to-date endpoint protection, according to a 2018 Sophos report.
"In my opinion, people classify ransomware incorrectly. Ransomware is not the threat, it is the outcome that stems from poor IT and security controls," said Bill Swearingen, security strategist at IronNet.
Antivirus solutions usually stop initial payloads dropped by human-operated ransomware, including Doppelpaymer, Ryuk, Samas, REvil, according to Microsoft 365 Defender Threat Intelligence Team. However, the ransomware operators leverage administrative credentials or continue to deploy different payloads to circumvent the antivirus.
"In my opinion, people classify ransomware incorrectly. Ransomware is not the threat, it is the outcome that stems from poor IT and security controls."
cyber strategist at IronNet
"We've encountered people who had antivirus that might have caught it, but they didn't have the antivirus everywhere they thought they had it," said Chris Hallenbeck, CISO for the Americas at Tanium. "Most organizations have gaps" and adversaries only need to find one.
Human-operated ransomware invades servers lacking firewall protection and multifactor authentication (MFA), or "use non-randomized local admin passwords," said Microsoft. Organizations deploy these protections because they shouldn't impact operaterational performance.
Because IT has firsthand control of these configurations, "IT pros should be part of security teams," especially because REvil, Samas, Bitpaymer, and Ryuk have similar assault strategies, according to Microsoft. "These attacks are often preventable and detectable."
Pays to be bad
Organizations will know immediately when their data is locked or operations are frozen. Mature organizations should have disaster recovery and backups for data held hostage by ransomware. When ransomware disrupts operations, "maybe I lose 12 hours to 24 hours in a day," and that's the extent of the cost, said Brian Kime, senior analyst at Forrester.
Attackers favor systems that directly affect "customer-facing revenue-generating business operations," with systems that "facilitate the deployment" of system backups, according to Palo Alto Networks' Unit 42.
"To ratchet up the pressure of making you pay, in some instances, they're actually killing off your backups and part of your resiliency," said Hallenbeck.
Organizations categorized as critical infrastructure don't have time to gamble. Federal agencies are threatening penalties for ransom payments, but fines just become part of the risk calculation. "If the nature of the ransom is existential to their continued existence as a business, they may say it's worth paying the cost of paying the ransom, and then whatever fine the government's going to hit them with, at least they'll survive as a business," said Hallenbeck.
Of the 133 organizations hit by ransomware Cybersecurity Dive tracked through September, at least 15 are known to have paid their attackers.
- In January, Tillamook County in Oregon consulted with ransom negotiation firm Arete Incident Response and paid its hackers $300,000.
- In February, San Miguel County in New Mexico reportedly paid $250,000 in bitcoin after county courthouse employees were told to disconnect from servers.
- In June, Florence, Alabama paid its attackers $291,000 to protect residents' personal data.
- In June, the University of California San Francisco (UCSF) School of Medicine paid hackers $1.14 million, though the IT department was able to prevent further spread. UCSF defended its decision to pay the ransom, saying the encrypted data was "important to some of the academic work we pursue as a university serving the public good."
- In September, the University Hospital in New Jersey was hit with SunCrypt and paid its hackers $670,000 in an effort to prevent 240 GB's worth of data from going public.
Of the 55 healthcare-related organizations Cybersecurity Dive tracked, at least four are said to have paid their extortionist.
In some cases, halted operations can cost more than a few hours of delay.
Last month an unpatched VPN led to a ransomware attack at University Hospital Düsseldorf in Germany. The hospital was a collateral victim of the malware, but the disruption forced the hospital to issue a diversion protocol. One patient, redirected to a hospital 20 miles away, died.
In the days following the cyberattack on the hospital, German prosecutors opened a manslaughter investigation pursuing the John Doe hackers, according to local reports. If law enforcement proves the ransomware directly led to the woman's death, it would be the first death caused by a cyberattack.
This is the worst case scenario in wake of a cyberattack — an outcome cybersecurity professionals have long feared but grimly anticipated. Gartner anticipates the cost of cyber-physical systems attacks resulting in casualties will surpass $50 billion by 2023. The projection is "10 times higher than 2013 levels of data security breaches."
Ransomware is forcing the physical world into becoming collateral damage of a cyberattack, said Wam Voster, senior director analyst at Gartner.
While backups give companies a headstart in recovery and operational continuity, they mean nothing if data is stolen.
Disrupted operations have more real-time implications, and recovery costs are more predictable. Ransomware attacks that led to breaches have ongoing breach-related settlements
"The problem with extortion is that it then lives on forever," said Allan Liska, senior security architect at Recorded Future. In certain sectors, including healthcare and government, "extortion becomes a much more compelling reason to pay … You're gonna take a really, really long time to recover from this."
The May ransomware attack on Blackbaud, a cloud computing company servicing nonprofits and healthcare organization, rippled through its customer base. The company paid the ransom, reportedly $350,000, to prevent the stolen data from leaking. In a September SEC filing, Blackbaud said it intends to "inform our customers, stockholders and other stakeholders of any such additional information or developments."
Blackbaud has already been handed a class action lawsuits for insufficiently protecting data. "Blackbaud has been hit with at least five of them," said Callow. "What this will do in terms of overall costs — and to insurance premiums — is impossible to say. There have been too few cases and court cases."