The Age of Coordinated Ransomware – What Is It, What Can You Do?

October 4, 2019 John Cartwright

Though ransomware attacks aren’t a recent phenomenon, they do seem to be increasing in frequency and intensity. If society has, in any way, grown used to these kinds of cyberattacks, that’s about to change: with reports of 20+ Texas governmental entities recently being hit simultaneously in a coordinated attack, there may be a new and even scarier method of extorting entities for their data.

By definition, ransomware is a type of malware that uses virtually unbreakable encryption to deny users access to a company’s systems. By the time of the actual attack, the perpetrator has already done reconnaissance to find weaknesses in the chosen system; they then exploit those weaknesses to locate important data and manipulate the environment so that the affected entity can no longer touch its own information. The victim then receives a message demanding some kind of payment—bitcoin being a preferred option—in order to unlock the files or systems. In short, ransomware operates exactly like a hostage situation seen in films and television shows: the hacker literally hoards the keys to the company’s kingdom, only relinquishing them when their demands are met.

The first known ransomware attack was in 1989 and was conducted using snail-mailed floppy disks. Technology has come a long way since then, and today’s attacks are much easier to carry out; they’re more lucrative as well. Ransom requests generally average around $500 USD—a seemingly tiny sum for entities worth billions. No matter what the amount, these financial after-effects are obviously painful for the victims, and the companies attacked aren’t always the sole injured party. After the 2018 attack on the City of Atlanta, where the ransom was $50,000 USD in bitcoin, the additional remediations totaled more than $2.6 million taxpayer dollars. However, $50k is a drop in the bucket for these new attackers in Texas—after their government attack, they’ve demanded a collective $2.5 million, a serious upgrade in reward for their criminal risk.


So what else makes these recent attacks in Texas unique? For one thing, nearly two dozen entities were hit in one fell swoop, something that smacks of more sophisticated methods and patience on behalf of the attacker or attackers. The 2016 Verizon Data Breach Investigations Report said phishing is the #1 cause of data breaches; one option the Texan criminals may have used to gain access and inject their malware is spear-phishing. Spear-phishing is the use of targeted emails that, when the recipient clicks on a link in the message, allow the cybercriminal to obtain sensitive information—i.e., credentials—or install malware on the company’s systems. If this is indeed how the bad actor infected government entities in Texas one by one, it shows some patience: waiting until they had an opening into a number of systems, then coordinating the lockup to happen all at once. Local governments are a prime target for these kinds of hacks, and the size of this one has prompted a huge, state-wide response.

Though Texas is just the latest victim, what’s scarier is that these cybercriminals and their methods will only get better and more exotic. How long before bots start locking hundreds of systems at once? Already there are ransomware-as-a-service providers that enable even the most novice cybercriminals to hack in with tools such as CryptoWall, Locky and TeslaCrypt. For everyone with data to protect, the idea is terrifying, and society isn’t doing much to help itself—there is definitely more that could be done.

In the analog world, companies and governments actually play a part in aiding the cybercriminals when they fail to report. Even if they don’t announce the attack publicly, sometimes it’s still obvious that it happened, like when a local or county government suddenly cannot produce vital records or process things like permits and marriage licenses. Other private companies might be down for a short amount of time, failing over to backup systems, but still in danger of at least temporarily losing some data depending on their backup frequency. As the attacks continue to intensify, companies must take steps to protect themselves and not give the criminals any wiggle room.

So, what are these steps? What can be done to mitigate these attacks and lessen the risk of one happening?

  • Make sure to run the latest patches on systems, as well as the latest versions of applications—even middleware and those on the back end.
  • If there is no InfoSec team dedicated to overall, company-wide security, invest and put one together as soon as possible.
  • Leverage industry-standard (ex: NIST, SANS) and compliance guidelines such as PCI, ISO, HIPAA, etc. to make sure at least most security bases are covered.
  • Educate your employees on how to spot phishing and vishing attempts.
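
The last item, spotting phishing, is the one that can be partly automated. The script below is an added example (not code from the article or its author) that triages e-mail messages for the indicators the article describes: a sender or link domain that merely looks like the organization’s own, a Reply-To that differs from the sender, link text that displays one domain while the underlying link points elsewhere, and links to raw IP addresses. The organization’s domain (`example-county.gov`) and both sample messages are constructed assumptions; the checks are heuristics meant to feed an awareness program or a mail-gateway rule, not a complete filter.

```python
"""Heuristic phishing-indicator triage for e-mail (added example, not the article's code)."""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-county.gov"  # assumption: the organization's own mail/web domain
# Digits commonly substituted for look-alike letters in registered domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL (scheme optional); '' if unparsable."""
    try:
        return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Crude registrable-domain approximation: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _domain_findings(host, role):
    """Indicators for one host: a look-alike of ORG_DOMAIN, or ORG_DOMAIN nested under a foreign domain."""
    out = []
    if not host or _is_ip(host):
        return out
    if host != ORG_DOMAIN and host.translate(_HOMOGLYPHS) == ORG_DOMAIN:
        out.append(f"{role} domain {host} is a look-alike of {ORG_DOMAIN}")
    if ORG_DOMAIN in host and not (host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)):
        out.append(f"{role} domain {host} embeds {ORG_DOMAIN} under another domain")
    return out


def _addr_host(header_value):
    """Domain part of an address header such as 'Name <user@host>'."""
    return header_value.rsplit("@", 1)[-1].strip(" >").lower()


def phishing_indicators(raw_message):
    """Return human-readable indicators found in an RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_host = _addr_host(msg.get("From", ""))
    findings = _domain_findings(from_host, "sender")
    reply_to = msg.get("Reply-To")
    if reply_to and _addr_host(reply_to) != from_host:
        findings.append(f"reply-to domain {_addr_host(reply_to)} differs from sender {from_host}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        link_host = _host(href)
        if _is_ip(link_host):
            findings.append(f"link points to a raw IP address {link_host}")
        shown_host = _host(text) if _URLISH.fullmatch(text) else ""  # only when the text itself looks like a URL
        if shown_host and _registrable(shown_host) != _registrable(link_host):
            findings.append(f"link text shows {shown_host} but points to {link_host}")
        findings += _domain_findings(link_host, "link")
    return findings


# Constructed sample messages: one routine notice, one impersonation attempt.
LEGIT = """From: County Clerk <clerk@example-county.gov>
To: staff@example-county.gov
Subject: Updated records schedule
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://example-county.gov/records">https://example-county.gov/records</a>.</p></body></html>
"""
SUSPECT = """From: County Records <records@example-c0unty.gov>
Reply-To: collect@mailbox-free.example
To: staff@example-county.gov
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Your access expires today. Sign in at
<a href="http://203.0.113.5/reset">https://example-county.gov/reset</a> to keep your files.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("LEGIT", LEGIT), ("SUSPECT", SUSPECT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

The legitimate sample produces no findings; the impersonation sample trips four checks (look-alike sender domain, divergent Reply-To, raw-IP link, and link text that does not match its target). Those same four cues are the ones worth drilling in awareness training, since each is visible to a user who hovers over a link or looks at the reply address before clicking.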


It’s that last point that is most critical. Unfortunately, humans will always be the biggest risk to an organization’s security, and therefore employee education is key. In this spirit, prepare and execute a robust security awareness campaign and conduct regular training sessions. Then, after you’ve completed the training and education, do it again—keep at it until security isn’t a conscious thought anymore because it’s part of everybody’s routine, daily processes. Ransomware attacks aren’t a new or recent development, but as they continue to grow in strength and the potential financial penalties keep rising, it’s always better to be safe than sorry.

About the Author

John Cartwright

John Cartwright is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman & Company, LLC in 2015, John worked as a QSA for IBM, specializing in PCI-DSS gap analyses and Attestations of Compliance, and IT controls. John has worked across many other compliance frameworks, including Sarbanes-Oxley (SOX), ISO 27001 and NERC-CIP. Prior to IBM, John served as an internal security assessor for a Fortune 50 company, as well as a QSA with Secureworks. John is also a documentation specialist, working as an IT and software development technical writer for 10+ years and as a freelance journalist, published in print for over 25 years.
