US Bombarded With Ransomware

Uploaded on 2019-12-31 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

In 2019, the US was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion.  The impacted organisations included:
 
 
• 103 federal, state and municipal governments and agencies.
• 759 healthcare providers.
• 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
 
The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk.
 
What was the cost?
Due to the lack of publicly available data, it is not possible to accurately estimate the cost of these incidents. Perhaps the best indication of the potential cost comes from a statement made by the Winnebago County, Illinois' Chief Information Officer, Gus Gentner, in September: “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.”
 
If that is correct, the combined cost of 2019’s ransomware incidents could be in excess of $7.5 billion. 
 
While we believe this overstates the actual costs, a small school district’s recovery expenses are unlikely to run to seven figures, it nonetheless provides an indication of the enormous financial impact of these incidents. It should be noted that these incidents also had a broader economic impact. For example, in some instances, companies were unable to obtain the necessary permits and documentation to carry out certain work, disrupting and delaying their operations. Estimating these costs is beyond the scope of this report.
 
Why did it happen?
Ransomware incidents increased sharply in 2019 due to organisations’ existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses. Combined, these factors created a near-perfect storm. In previous years, organisations with substandard security often escaped unpunished; in 2019, far more were made to pay the price, both figuratively and literally.
 
A Report issued by the State Auditor of Mississippi in October 2019 stated that: “Among the government offices that replied to the survey, the report shows at least 11 do not have adequate written procedures to prevent or recover from a cyberattack. 
“Another 22 respondents have not executed a third-party risk assessment. Having a third party test the vulnerability of an agency’s server is a requirement under state law....Further, 38% of all respondents indicate sensitive information like health information, tax data, and student information is not being encrypted to protect it from hackers”.
 
According to the auditor's reort there is a “disregard for cybersecurity in state government,” that “many state entities are operating like state and federal cybersecurity laws do not apply to them,” and identified problems including:
 
• Not having a security policy plan or disaster recovery plan in place.
• Not performing legally mandated risk assessments.
• Not encrypting sensitive information.
 
The report also stated that “Over half of the respondents were less than 75 percent compliant with the Enterprise Security Program.” The program establishes minimum security requirements and compliance is required by law. Only a minority of states conduct statewide audits and, despite the multiple serious deficiencies that Mississippi’s audit identified, it was nonetheless one of the States least affected by ransomware in 2019. 
 
The data show that these governments are under constant or near‐constant cyberattack, yet, on average, they practice cybersecurity poorly. 
 
While nearly half reported experiencing cyberattacks at least daily, one‐third said that they did not know whether they were under attack, and nearly two‐thirds said that they did not know whether their information systems had been breached. 
Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and a lack of adequate funding for it. 
 
The fact that governments are failing to implement basic and well-established best practices, even when legally required to do so, can only be described as grossly negligent, especially as these entities know fully well that they are likely to be targeted in the ongoing campaign of cyberattacks.
 
Conclusion
Like other businesses, criminal enterprises pursue strategies that have been proven to work. On the basis that ransomware attacks against governments, healthcare providers and educational institutions have indeed been proven to work, these sectors are likely to continue to be heavily targeted in 2020.  Additionally, given the financial resources now available to bad actors and the significant profits that can be made, organisations in these sectors should expect that attacks will increase in both sophistication and frequency, possibly with the threat of the release of exfiltrated data being used as additional leverage to extort payment.
 
Payments are the fuel that drive ransomware. The only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid.
 
EMSISOFT:       Wiley:       State Of Missisippi:
 
You Might Also Read:
 
Ransom Attack Strikes New Orleans:
 
US City Of Atlanta Suffers An Attack:
 
 
 
« Digital Shock: The 4th Industrial Revolution
Wanted: International Cyber Standards »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ITQ

ITQ

ITQ is an IT consulting firm with a focus on the entire VMware-product portfolio with three main services: Professional Services, Support Services and Managed Services.

BCS, The chartered Institute for IT

BCS, The chartered Institute for IT

BCS provides IT professionals with up to date and relevant certifications enabling them to manage IT security effectively within their budget.

Titania

Titania

Titania provide network security and compliance software. Find your Network Security gaps before hackers do with our security & compliance tools.

Deep Instinct

Deep Instinct

Deep Instinct provides comprehensive defense that is designed to protect against the most evasive unknown malware in real-time, across an organization’s endpoints, servers, and mobile devices.

Hedgehog Security

Hedgehog Security

The key objective of Hedgehog is to provide simple, effective and affordable information security improvements that support your drive to increase productivity and profitability.

X4 Technology

X4 Technology

X4 Technology is a leader in finding the very best technology talent for some of the world’s most innovative start-ups and globally recognised brands.

Noname Security

Noname Security

Noname Security detects and resolves API vulnerabilities and misconfigurations before they are exploited.

National Cryptologic Foundation (NCF) - USA

National Cryptologic Foundation (NCF) - USA

The National Cryptologic Foundation strives to influence the cryptologic future by sharing our educational resources, stimulating new knowledge, and commemorating our heritage.

Nagios

Nagios

Nagios is a powerful tool that provides you with instant awareness of your organization’s mission-critical IT infrastructure.

Xceptional

Xceptional

Xceptional is a multi-award-winning technology services firm that celebrates the unique strengths of people with autism.

Questex Asia Total Security Conference

Questex Asia Total Security Conference

Questex Asia’s Total Security Conferences is one of the industry’s most prestigious and engaging forums for the region's top information security leaders and business decision-makers.

Lansweeper

Lansweeper

Lansweeper is an IT Asset Management platform provider helping businesses better understand, manage and protect their IT devices and network.

CYTUR

CYTUR

CYTUR provide trusted and secured maritime cybersecurity solutions to keep ships safe, protecting them, their crews, cargo and all stakeholders from maritime cyber threats.

ThreatDown

ThreatDown

ThreatDown, powered by Malwarebytes, is on a mission to overpower threats and empower IT by removing the complexity of detecting and stopping today’s most advanced threats.

Beaming

Beaming

Beaming is an established Internet Service Provider for businesses across the UK. We deliver reliable voice, data and managed services, including cybersecurity.

Digital & Intelligence Service (DIS)

Digital & Intelligence Service (DIS)

DIS is the fourth Service of the SAF, here to defend and dominate in the digital domain, and achieve peace and security for our land.