Ransomware: holding communities hostage
It's a dirty secret no one wants to talk about.
It's not sex, infidelity, cross-dressing or any other previously scandalous issue. There's intrigue, confusion and it crosses international date lines. It is ransomware attacks and cyberthreats to businesses, non-profits and municipalities across the country, causing havoc and financial mayhem in their wake. And no one ever really wants to talk about it, whether out of fear of it happening to them, embarrassment that it already did, sensitivity about providing information on security protocols, or even the turmoil done to the organization's operations. Yet ransomware attacks cost millions of dollars each year, whether in ransom paid to receive the “key” to retrieve a business' own information and data, costs to rebuild systems, insurance, on- and off-premises backups, lost business and downtime while systems are encrypted and being rebuilt.
Ransomware is the scariest entity information technology experts, business executives and municipal leaders are currently facing on the computer landscape. According to the FBI, ransomware is a type of malicious software cyber actors use to infiltrate computer systems and then deny access to those systems and data. The malicious cyber actor invades systems and holds the system or data hostage until the ransom is paid – hopefully. After an initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems, extending the reach of the tentacles of the ransomware and preventing the use of the affected machines. If the demands for ransom are not met, the system or encrypted data remains unavailable, data may be deleted – and the business or government is hobbled and, sometimes, totally incapacitated.
“Ransomware is a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization – including the loss to data, systems, and operational outages,” wrote Matthew McWhirt in “Ransomware Protection and Containment Strategies.” “The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming. Ransomware has become an increasingly popular choice for attackers over the past few years, and it's easy to understand why given how simple it is to leverage in campaigns – while offering a healthy financial return for attackers.”
“When you ask tech people what keeps you up at night, it's ransomware,” said Dwight Levens, executive director of technology for Birmingham Public Schools. “The tricky part is it's a constant cat and mouse game, because as always with technology, threats evolve and change constantly. A new threat could be introduced next week which could make the safeguards we have in place not as secure as we thought. I don't know anyone who could be as bold as to say 'we will not be hit.' It's trying to be as secure as you can be with the information you currently have at the time.”
“The people delivering the ransomware – they're being run by criminal elements. They're definitely not a 14-year-old in their mom's basement,” emphasized Garrett McManaway, senior director, Information Security and Compliance, Wayne State University, who spent years in the information technology industry before taking over IT for Wayne State last year. “Like any well-run business, they're going to find their potential targets to make their returns on investment.”
McManaway explains further, “Where ransomware has become prevalent in the last four to five years has been with hospitals and health care systems, where they've been shut down. Two, three years ago, the bad actors moved on to manufacturing companies, such as several (international) shipping companies, public corporations, where they shut them down for a few days. Now, I'm not sure why municipalities are being hit, but being a public institution, they are a business, and they're after the same thing.”
Kimberly Goode, manager of financial crimes analysis for FireEye, a cybersecurity company in California which provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks, said attackers aren't turning to government entities so much as “deploying ransomware in different ways. They're moving laterally to identify all the systems they can within a system to get into a privileged system which will allow them to get into an administrative level access. That's what's going to allow them to deploy even more ransomware to more machines. In this scenario, they'll have hundreds or thousands of work machines, and maybe a backup system, that can be infected and that they'll have deployed the ransomware.
“They're trying to identify as many critical systems as they can through their ransomware and that's how they're able to have such a critical impact,” Goode noted.
She noted, “I track financially-motivated actors. They're trying to extort you. Because they're highly disruptive, they're able to extort so much more money, from hundreds of thousands of dollars to millions of dollars.”
Typically, ransomware demands are for payment in bitcoin, a type of cryptocurrency. It is a decentralized digital currency without a central bank or single administrator that can be sent from user to user on the peer-to-peer bitcoin network without the need for intermediaries. Another advantage for those who are operating in the margins of society as bad actors is that bitcoin can be paid on the dark web, where it is untraceable.
Regardless of who is hit, law enforcement takes the same tack: do not pay.
“If an organization chooses to pay, there's no guarantee the hacker will provide all the files,” Goode said, “which is why last week the FBI recommended to not pay the ransom. There's no guarantee, and you're incentivizing them to continue.”
“As law enforcement, we do not encourage furtherance of the crime by paying the ransom – but we understand,” said Michigan State Police Detective/Sergeant Jeff Hoffman, along with Information Technology Specialist Luke Salem with the department's CyberCommand Center. They often work in conjunction with the FBI on ransomware crimes.
“As long as people keep paying, there's no incentive for the bad guys to stop doing this,” Hoffman stated. “As long as governmental entities are paying, they'll still hit governmental entities, or large companies. They'll go for the big fish. Their goal is to get paid.”
Michigan State Police and the FBI, along with Homeland Security, see it as a crime that “absolutely is growing,” Hoffman said.
“There have been dozens of incidents this year – at least that's what's been reported,” Salem said. “Even with governmental entities, entities don't report. A lot don't report because they have good back ups and figure the likelihood of catching the bad guy, or the likelihood of catching the bad guy in Michigan, is close to zero. Or they don't think law enforcement can help.
“The importance of reporting cybersecurity incidents is so that law enforcement knows what's going on, is aware of the victims, if – and when – the perpetrators are caught, they can be held accountable. These incidents can take a long time to solve because of where these perpetrators are from. The biggest perpetrators, I'd say about 90 percent of our problems come out of Eastern Europe, Russia, North Korea, China, and some countries in Africa. They're traceable, but the problem is cooperation with the U.S. government.”
Whether a company or a civic organization, Rob Cote of Security Vitals, a cyber security consulting company which began as a client of Oakland University's Macomb OU-Incubator, said it succinctly, “The reason they're getting picked on is because they're easy targets. For malicious actors, they're looking for cheap and easy money. They're no different than any other thief – it's no different in the cyberworld. They're looking for quick and easy marks. You have to make it a pain, uncomfortable and difficult for them to hack you in the first place. If it's hard, most of them are moving on to the next target.”
How can an individual or company stop themselves from being an easy target? Is it as simple as just buying the latest and newest generation anti-virus software?
That can be one step, Cote said, but a lot of companies say, “It's three times what the more traditional ones cost. ‘Why would I spend $40 if I could spend $10?’ But there's a reason for that. I have some companies who say 'we've never had a breach,' – and I say, 'How do you know?' The average breach or incident goes about 240 days before it's discovered. Most data breaches are discovered by accident.”
Cote and other cyber security consultants and advisors say basic computer hygiene is neglected, or employees are not diligently taught it.
First and foremost, they all advise everyone to pay attention to the emails you open.
“I think everyone has had threats, and continues to get threats,” acknowledged Gayle Sadler, director of Information Technology for Bloomfield Township. “We get phishing emails, which are emails which are trying to trick users into clicking onto malware. We have spam filters that help prevent users from clicking on malware, but we can't prevent all phishing emails because the threats are changing on a daily basis. So we scan all of our incoming emails.”
A different problem, one that Bloomfield Township and others now run ransomware-awareness tests for, is occurring increasingly in all organizations and businesses: email impersonation.
Sadler said there has to be an effort on all sides, from hardware and software to personal training.
“There has to be a firewall that is properly configured to block for emails that we know are malicious emails,” she said. “We are very active with Homeland Security alerts. We do not allow users to run updates on their computers anymore, because it could be compromised; we only do it on request. We're updating (data) constantly – multiple times a day, blocking for IP addresses. It's complicated, and it's gotten much more complex, because the internet is on numerous devices. The cloud can't protect you from every threat. If you're not making sure that you're backing up your data, so you don't have an air gap, you can have a problem. It's important not to keep your data and backup in the same place or both somewhere that they can be breached in the same compromise. You can't have your backup on the same network as your data.
“That's why people end up paying – because they can't rebuild their network,” she noted.
Sadler pointed out that in Bloomfield Township, they have 13 different departments, and numerous different threats aimed at them. “We have to be vigilant. You need two-step verification. And it's always important to hover over the email address.”
Dwight Leven from Birmingham Public Schools said it is a scenario that has become more common and come to the forefront, “and one we struggle in. When staff came back to school in the fall, all staff members had to participate in a cybersecurity safety video, and we're being more proactive in sending alerts and emails. But a day does not go by where an email impersonating a principal or staff member is sent to someone.”
This is social engineering: the recipient believes the email comes from a trusted colleague and opens it, unless the cursor is deliberately passed over the sender's email address, which would reveal that it actually comes from a phishing address.
“Imagine you're a teacher at one of our schools,” Leven explained. “The email says I, your building principal, need a favor – can you do this for me. There's going to be engagement. The most common is 'Can you buy me a gift card?' They literally all start with, 'Hey, are you available right now?'”
Others encourage recipients to click on a link in the email, which opens the machine to the ransomware.
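The check that hovering over a sender address performs by hand, done over message headers instead, as an added Python example that is not from the article or from any of the districts quoted; the staff directory, organization domain, lure phrases and sample messages are all constructed for the example:

```python
"""Flag staff-impersonation emails: display name vs. real address, look-alike
domains, mismatched Reply-To, and the opening lines the article describes."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed organization domain and staff directory (assumed values).
ORG_DOMAIN = "example-schools.org"
STAFF_DIRECTORY = {
    "Jane Doe": "jdoe@example-schools.org",  # building principal
    "Sam Lee": "slee@example-schools.org",   # HR office
}
# Phrases the article says these lures open with.
BODY_CUES = ("are you available right now", "gift card", "click and download")


def normalize_name(name):
    """Lower-case, drop commas and sort words so 'Doe, Jane' equals 'jane doe'."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))


_STAFF = {normalize_name(n): a.lower() for n, a in STAFF_DIRECTORY.items()}


def edit_distance(a, b):
    """Levenshtein distance; used to spot a domain one character off the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw):
    """Return the list of red flags found in one RFC 5322 message; empty means none."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    flags = []

    # 1. A known staff member's name on an address that is not theirs:
    #    exactly what hovering over the sender would have shown.
    expected = _STAFF.get(normalize_name(display))
    if expected and from_addr != expected:
        flags.append(f"display name '{display}' belongs to {expected}, mail is from {from_addr}")

    # 2. An external domain within two edits of the real one (a duplicated address).
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        flags.append(f"look-alike domain {from_domain}")

    # 3. Replies quietly routed somewhere other than the visible sender.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if addr and addr.lower() != from_addr:
            flags.append(f"Reply-To {addr} differs from From {from_addr}")

    # 4. Opening lines typical of the gift-card and "click and download" lures.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for cue in BODY_CUES:
        if cue in body.lower():
            flags.append(f"body contains lure phrase '{cue}'")
    return flags


# Constructed sample messages: one legitimate, two impersonation attempts.
SAMPLES = {
    "legit": (
        "From: Jane Doe <jdoe@example-schools.org>\n"
        "To: teacher@example-schools.org\n"
        "Subject: Staff meeting\n\n"
        "Reminder that we meet Thursday at 3.\n"
    ),
    "freemail_impersonation": (
        "From: \"Jane Doe\" <jane.doe.principal@freemail.example>\n"
        "To: teacher@example-schools.org\n"
        "Subject: Quick favor\n\n"
        "Hey, are you available right now? I need you to buy gift cards for a staff award.\n"
    ),
    "lookalike_domain": (
        "From: Sam Lee <slee@example-schoo1s.org>\n"
        "Reply-To: payroll-update@freemail.example\n"
        "To: teacher@example-schools.org\n"
        "Subject: Updated direct deposit form\n\n"
        "Don't forget to click and download the attached form.\n"
    ),
}


def scan_all():
    """Run the checks over every sample and return {name: flags}."""
    return {name: check_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_all().items():
        print(name, "->", flags or ["no red flags"])
```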
Leven said he has taken screenshots and broken down each step of what red flags staff should look for and be aware of.
Leven's counterpart at Bloomfield Hills Schools, David Shulkin, director of IT, lamented, “It's a scary thing for schools and municipalities. We don't have a budget to deal with it. It scares us tremendously. The sophistication is unbelievable – it can be so subtle. You get that classic email from HR – ‘don't forget to click and download’ and BOOM! They've hit the payload.
“We're very transportable for a hacker. It's easy to jump on our website, see who is head of IT, who is a vice principal, and duplicate an email, and then the recipient will assume it's a real email – and then we're in trouble.”
Bloomfield Hills Schools has some protection for some forms of ransomware, he said, “and we have major backups. Recovery would not be without pain, but we could do it fairly quickly. We think we could be back up and running within a day or so. But essential services, like phones and email, would be back within an hour or so. That's our priority for safety and security.”
Shulkin said the district does backups of its critical systems multiple times a day. “We take snapshots of data,” he said. The result, he said, is that “if four hours later, we got infected, we would only lose four hours of data. Other systems, we do daily backups.”
While they do not do a system cleanse, they do general maintenance and rebuild when necessary. “We're a virtualized environment for our data system,” he said.
The school district did have a limited attack about two years ago, he said, where one laptop was infected with ransomware. “Because of the way we isolate our laptops, it didn't infect anything else,” Shulkin said. “But it's always a false sense of security. It could always happen – that click, and then the quick spread through the network.”
Hoffman of Michigan State Police said since late 2018, and for all of 2019, they have seen a significant increase in ransomware attacks on municipalities and other governmental bodies.
“Malicious actors target anyone,” Hoffman said. “Recently, they've been targeting governmental bodies. Historically they've been underfunded, so they've been more vulnerable, and they've been more willing to pay because so many have not been willing to lose their data.”
Security Vitals' Cote said there are no good statistics on how often targeted companies or municipalities are paying ransom.
“Many don't, or won't admit it if they're paying the ransom demand, because even if they paid, they don't always get the key (to unlock the ransomware),” Cote said. “If they don't get the key, they shut their business down.”
A document sent from Stu Sjouwerman at FireEye stated that the latest information from their ransomware recovery vendor, Coveware, is that the cost of ransomware attacks nearly tripled in 2019, to over $36,000 per attack.
“Many organizations still think ransomware is merely a nuisance, impacting only a few machines and requiring only restoring backups to address,” according to the document.
Instead, the average ransom payment increased 184 percent from first quarter 2019 to second quarter 2019; the average downtime of a ransomware attack is 9.6 days; 96 percent of organizations receive a working decryption tool when they do pay the ransom; on average, eight percent of decrypted data is lost.
While it sounds like a movie screenplay, dozens of ransomware attacks have actually happened close to home. Some have financially devastating consequences.
In April 2019, a Battle Creek medical practice was forced to shut its doors after cyberattackers wiped out its files after the firm, Brookside ENT and Hearing Center, refused to pay the ransom. Dr. William Scalf and Dr. John Bizon's practice was hit with ransomware on April 2, which locked up its files and presented them with a $6,500 ransom demand, in cryptocurrency. They reported they did not believe their files would be released, so they refused to pay. As a result, the attackers wiped all the offices’ files – including appointment schedules, payment and patient information.
Scalf and Bizon closed their offices on April 30, 2019, and retired, after determining that rebuilding their practice's database from scratch would be too great an endeavor.
Anecdotally, a West Bloomfield internal medicine practice affiliated with Beaumont and Providence hospitals shared that it endured a ransomware attack this past May, which closed it down for five days and locked up all physician laptops, medical records, appointment computers and other records. One of the physicians shared off-the-record that the security firm hired by Providence Hospital to manage the practice's cybersecurity paid a ransom in the “millions” in order to have the practice's files released and allow it to reopen to its patients. Neither the practice nor Providence Hospital would confirm the ransomware attack.
One West Bloomfield physician related, off-the-record, that she knows of individual physicians who are closing their practices, including two solo practitioners in Clarkston, because they could not afford the ransom demands.
Health care organizations around the world have repeatedly been targets of ransomware attacks because of vulnerabilities inherent in their business models and systems. Wayne State University's McManaway explained that whether for a single computer or for a large company which operates computerized machinery, whether MRIs or robotics or stamping machines, “they're designed to run for 20 years, and they're all computerized. But the computers running them are not meant to run for 20 years. In our current environment, best practices mean, we tend to have three-year life spans for computers. Here on Wayne State's campus, we try to refresh all the laptops and computers every three years, and that's the standard for most businesses and education, to keep up with all the updates, security patches, all the newest versions of operating systems. But, when you're talking about these large scale computer systems meant to operate for 20 years – they can no longer renew security updates because the manufacturers will stop providing updates, which we call the 'end of support date.' The end result is, you end up with a bunch of systems connected together that are vulnerable to ransomware attacks. Over the course of time, health care, manufacturing, other industries are getting better at addressing the issues.
“So, now, if I'm looking to deliver ransomware and I want to make some money, I need to find the next target – municipalities,” he postulated. “The public sector has many older machines, they haven't caught up with upgrading as much as areas like health care and manufacturing. Further, a private organization does not have to hold to the same standards in openness and information sharing. They don't have to have networks that are open to the public.”
McManaway said health care corporations are among public corporations that must publicly report their data breaches.
“We've all gotten the notices. 'We're sorry, we've had a data breach. We've taken the steps, we're working with such-and-such company to take the right steps, and we'll provide free credit monitoring.' They're becoming more and more common, with public dumps of information, advising us to change our passwords and take advantage of monitoring for fraud. It's a good idea to do, it's just we're getting inundated with them.”
An unwillingness to confirm or speak publicly about ransomware attacks is pervasive in all areas of business and municipal government, from medical practices such as these to local governments. Birmingham City Manager Joe Valentine acknowledged that the city of Birmingham did experience a ransomware attack in the past – but would offer nothing further.
“There is a sensitivity with providing information on security protocols of this nature,” Valentine said. As for the attack, “the structure of our network did not allow it to impact our operation given our internal security protocols.”
Carol Schwanger, Royal Oak City Manager, said Royal Oak has made preparations for a ransomware attack by keeping computers, servers and network devices at recommended software and firmware patch levels, as well as having a recovery strategy in place that minimizes potential data loss.
As to whether the city has ever been the victim of a cyber attack, or what its policy is, “We do not share that information,” Schwanger said.
Kevin Krawjewski, information systems director for the city of Rochester Hills, responded to an inquiry that, “The city does not divulge information about our network security methodology or practices. Doing so would reveal clues that could be used to attack us. You will probably find this to be the case with most organizations you may contact. I can tell you we are insured and take extensive precautions to protect our digital assets.”
Dwight Levens of Birmingham Schools, said, “Legend has it the district did get hit before I was here, about three years ago, but supposedly it only hit one computer.” He said even he has had difficulty getting confirmation or information on the ransomware incursion.
But Josh Freeman, board and capital projects manager, Genesee County Board of Commissioners, has taken another tack, recognizing the importance of sharing information and knowledge, acknowledging the cyberattack that shut them down on April 2, 2019.
“We came in one morning and staff was having issues with email,” Freeman recalled, “and as IT was working to check it out, they realized we had been hacked. There was no big glaring image. Someone just locked down our computers, and wouldn't give us the key until we paid.”
Unlike the scary, glaring images that appear on computer screens in some reports, Freeman said there was nothing like that on Genesee's screens. He said IT eventually discovered notices that it was the Evil Locker 2.0 ransomware, and “they demanded five bitcoins per server – and we have about 83 servers.”
As of this writing, a bitcoin is worth over $8,562, meaning the Genesee County Board of Commissioners would have had to pay almost $710,698 to retrieve its own information and data.
“So that was not something the county was willing to do,” Freeman said.
They also reached out to Michigan State Police and the FBI. “The FBI and MSP advised us not to pay.”
As a result, Freeman said, “We were locked out for two weeks where we couldn't do anything. The overall event lasted a month-and-a-half.”
But in the end, they only ended up losing about four days worth of data that they weren't able to recover from any of their computers.
“We had paper data, so we were able to rework and recover” a majority of that work product, he said.
No doubt about it, it was an extremely difficult and painful episode for the county, staff – and the public.
“It was frustrating for staff, but especially for the public, because they were trying to conduct business, whether to pay their taxes, to get a birth certificate or a marriage license, record a deed – how does the public interact with county government,” Freeman recalled.
He noted the county's court system was affected as well.
“They were able to continue in an old school way, but it was the clerk's office that was hit the worst, with a three- to four-hour wait, which was burdensome, and a backlog,” he said.
The county did have cyberinsurance, with a deductible of only $15,000, but after getting back up and running, the total cost of having vendors come in to rebuild and having staff and private vendors from other counties work on the system was just under a half-million dollars, Freeman said.
“It was a pretty big deal,” Freeman acknowledged. “I'm not the advice guy – but don't click on links.
“Genesee went through a period where IT wasn't always a priority,” he recalled. “As we went through rebuild and recovery, it's been slow, and this shows it was an absolute priority. But it was a cheap lesson when you see what is going on around the country.”
Freeman said the board of commissioners has agreed to spend almost $2 million on upgrades to their system, from phones to payment options to the court systems. “Everything is interfaced and online, and it has to be protected.”
A half-million dollar lesson may be a moderate price tag compared to some ransomware figures that FireEye's Goode cited.
“I track financially motivated actors, and they try to extort you,” she said. She said the largest publicly announced extortion of a municipal ransomware event “was just over $5 million – and they did not pay,” in New Bedford, Massachusetts. “I'm not sure if they were able to restore everything, but they were in the process.”
Goode said the latest ransomware her company is identifying “is sophisticated advertising on Russian language sites.”
They've also identified Iranian bad actors, “which have targeted hospitals with SamSam ransomware.”
Two Iranian nationals were indicted in the United States in October 2018, for their alleged involvement with SamSam attacks. The FBI estimated the group received $6 million in ransom payments and caused over $30 million in losses to victims, including an attack on the city of Atlanta in March 2018, and an attack on the Colorado Department of Transportation, which resulted in clean-up costs of $1.5 million.
“We haven't seen any (attacks) that we have confirmed have originated in the United States – it's not impossible that there are none, but with the FBI's ability to prosecute here, it's less likely,” Goode said.
Bloomfield Township, Birmingham, Bloomfield Hills Schools and Birmingham Public Schools all publicly confirmed they have cyberinsurance to protect them in the event of ransomware attacks – and they all emphatically advise others to do the same.
“I don't want to say how much the district has – but yes, absolutely. A district should have at least $1 million in baseline insurance,” Levens of Birmingham said. “I would advise anyone and everyone to do this. A hacker would generate so much traffic to the district it would just shut us down.”
Sadler, of Bloomfield Township, said they have a cyber risk policy through their insurance company. “We wanted a partner for our cyber risk,” she said.
Ken Korotkin, president of Korotkin Insurance Group in Southfield, said companies and municipalities definitely need insurance for cybersecurity.
“Thieves are brilliant and can tie up your system so you can't use your computers unless you pay $500,000 or so,” Korotkin said. “Insurance companies, such as Travelers, Chubb and boutique companies are providing it. It's not cheap – but it would be quite an expense for a city to deal with. People are unaware and think it will not happen to them. You would be surprised at the people who have been targeted – executives, bankers, all kinds of people – and once they're hit, and they pay, the money is gone. Once it's gone, it's gone. The money is wired and it's transferred out of the country as fast as it can be. The banks are not responsible.”
Ken LaBelle is a cyber liability broker with Burns + Wilcox, an independent insurance wholesale brokerage and managing underwriter in Farmington Hills. He said he currently writes about 300 policies for businesses a year, and on average sees about 15 ransomware attacks a year in which a policy takes effect.
“That's just the accounts that take effect,” he pointed out. “How many phishing attempts? I don't know. It's in the hundreds. The attempts don't stop to get them to fall for it.”
He said the importance of cyber risk insurance is enormous, pointing out the report of the city of Atlanta, where the ransom was for about a half-million dollars, “but reports of losses were greater than $10 million.
“The tricky thing is it's hard to state the losses,” LaBelle said. “It could be in upgrades, in recreating files, and the rebound to have to rebuild the system. There is the lost money to taxes, to issues caused to patrons and citizens. It's hard to determine the true quantifiable costs and to quantify true damages. How many deals did it quash for someone who didn't pay their taxes, who couldn't pull their files, so someone couldn't buy their first home? It affects more than the actual municipality. It's the same for a business. It's reputational harm.
“If you're a municipality, even if you back up, it's going to take you a while to get back up and running. Some municipalities and corporations have 60, 70 programs to reinstall and then to put back all of your data, all of your records,” he said. “If you store health records, they are very strict on how you have to respond to breaches – there's HIPAA, others. You have to look at the marketplace of ransomware to know the strands of ransomware to see what their tendencies are, if their tendencies of software are to only encrypt, it may satisfy regulators; if not, then you have a whole other set of regulations. All of these can be very expensive, depending on the situation – and these are on top of the ransomware invasion.
“When it's a smaller business, it can be taken care of quickly – or they just shut down because they can't get back up and running,” he noted.
Another issue, LaBelle pointed out, is if a business or municipality is running their systems with old software, and if there is a ransomware attack, data is lost because the software has not been updated.
“Having insurance is the number one thing I stress,” LaBelle said. “If you have a breach, there are companies who rebuild your data, restore your data, do forensics to determine, or try to determine who did this – they're always from out of the country – insurance will pay the ransom.
“We differ from law enforcement about paying. If you don't pay, you have hundreds of thousands of losses,” he said. “If they're not making money in ransomware, they'll find other ways to steal. We can only respond.”
LaBelle said he has seen happy results arise.
“We do have happy situations – where companies backup to an offsite resource, and if they have a ransomware attack, they have internal IT that can wipe out their systems and restore it from backups very quickly,” he said. “That's the best case scenario.”