Ransomware: Is the worst yet to come?

Data hostage-takers are innovating quickly, Raytheon experts warn


Computer systems around the world are falling victim to ransomware, a type of malware that locks up data and demands payment for its return. Recent attacks have targeted transportation systems, media outlets and municipal governments.

For hackers, it's close to a perfect crime.

Ransomware offers plenty of easy targets, lots of money and virtually no way to trace it. It's become a favorite tool of nation-state hackers and transnational criminal organizations. Which is why everyone from private citizens to operators of networks that keep the world running have to be on guard, experts warn.

"Ransomware is an irresistible crime," said Michael Daly, Raytheon's chief technology officer for cybersecurity and special missions. "It keeps hundreds of millions of dollars in untraceable cryptocurrency flowing in, all the while causing chaos in places like hospitals, power plants, train stations, financial institutions and telecommunications companies."

Ransomware uses encryption to lock up data on infected computers, then demands payment for its return. Though it has been around for years, it hit the public consciousness in May 2017 with an attack called WannaCry that infected tens of thousands of computers in more than 150 countries. In December 2017, the U.S. government officially attributed the attack to North Korea, with Homeland Security Advisor Thomas P. Bossert describing the attack as "indiscriminately reckless" and calling on governments and businesses to cooperate in making networks more secure and resilient.

WannaCry was the first big ransomware attack of 2017, but it was hardly the only one. A month later, similar software called Petya/NotPetya infected networks in Ukraine and spread around the world. Then four months after that, an attack labeled Bad Rabbit disrupted transportation networks, media outlets and other organizations.

Ransomware has also hit local governments across the United States. In August, 23 Texas towns were hit in a coordinated ransomware attack by a one threat actor. That followed a Florida attack in June 2019, when the city of of Riviera Beach, Florida, paid about $600,000 to attackers to regain access to the city's data. In May 2019, the city of Baltimore refused to pay a ransom, but the aftermath of the attack has cost the city about $18 million. The big question that organizations face is "Do we pay?"

“Unfortunately, there is no right or wrong answer here," said Mark Orlando, Raytheon Cyber Protection Solutions chief technology officer. "However, organizations need to be equipped to handle situations like this one. From knowing how to engage with law enforcement to understanding the risks of payment or non-payment. Organizations must weigh the costs and benefits of paying the ransom and make the decision that is best for them."

All told, ransomware is ballooning into a billion-dollar market as attackers quickly find new ways to exploit its reach.

“Ransomware is cheap to make and lucrative when it works, so we can expect to see a lot more of it," said Shirali Patel, Raytheon's international cyber program manager. “Today, corporate networks are so woven together that a breach of a lower-level target can allow attackers to slither into much more sensitive systems. That's the real danger. It's bad enough to hold data hostage, but it's much worse to lock up the operations of a power plant or a hospital."

In the Petya/NotPetya attack, the range of targets was wide – government offices in Ukraine, banks in Russia, a shipping company in Denmark, an advertising agency in Britain and even a chocolate factory in Australia. 

Analysts from Forcepoint, a cybersecurity firm jointly owned by Raytheon, said such attacks "will continue to evolve, including the evasive methods to hide their activity as well as their true intent."

"Understanding these intentions can help shape our security strategies," the company wrote in a blog post.

Most importantly, they said, security strategies should focus on a network's users, taking into account how they use the internet, which applications they need and which privileges they should have.

Some malware attacks, including as Petya/NotPetya, thrived because users had failed to install routine security updates. That malware in particular spread through a vulnerability in something known as SMBv1, an early version of a PC feature called Server Message Block that allows computers on a network to access printers, files and other commonly shared items.

Forcepoint's experts recommend installing security updates on all machines within an organization, and disabling SMBv1 on all Windows systems, where doing so would not impede older systems on the network.

People in charge of critical infrastructure must work to make it more resilient to such attacks, Daly said. 

“If we do not invest in the cybersecurity of our critical infrastructure we will continue to see massive attacks with both economic and safety ramifications," Daly said. “From the government to the boardroom, leaders need to make cyber resiliency a requirement, putting focus and funding behind it."

The deep web is full of do-it-yourself ransomware kits, Daly said, meaning it's easy for novices to try their hand at causing havoc.

"Anyone can launch an attack," he said. "You don't have to be a cyber whiz to inflict cyber damage."

Last Updated: 08/28/2019