US Bombarded With Ransomware

In 2019, the US was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion.  The impacted organisations included:
 
 
• 103 federal, state and municipal governments and agencies.
• 759 healthcare providers.
• 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
 
The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk.
 
What was the cost?
Due to the lack of publicly available data, it is not possible to accurately estimate the cost of these incidents. Perhaps the best indication of the potential cost comes from a statement made by the Winnebago County, Illinois' Chief Information Officer, Gus Gentner, in September: “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.”
 
If that is correct, the combined cost of 2019’s ransomware incidents could be in excess of $7.5 billion. 
 
While we believe this overstates the actual costs, a small school district’s recovery expenses are unlikely to run to seven figures, it nonetheless provides an indication of the enormous financial impact of these incidents. It should be noted that these incidents also had a broader economic impact. For example, in some instances, companies were unable to obtain the necessary permits and documentation to carry out certain work, disrupting and delaying their operations. Estimating these costs is beyond the scope of this report.
 
Why did it happen?
Ransomware incidents increased sharply in 2019 due to organisations’ existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses. Combined, these factors created a near-perfect storm. In previous years, organisations with substandard security often escaped unpunished; in 2019, far more were made to pay the price, both figuratively and literally.
 
A Report issued by the State Auditor of Mississippi in October 2019 stated that: “Among the government offices that replied to the survey, the report shows at least 11 do not have adequate written procedures to prevent or recover from a cyberattack. 
“Another 22 respondents have not executed a third-party risk assessment. Having a third party test the vulnerability of an agency’s server is a requirement under state law....Further, 38% of all respondents indicate sensitive information like health information, tax data, and student information is not being encrypted to protect it from hackers”.
 
According to the auditor's reort there is a “disregard for cybersecurity in state government,” that “many state entities are operating like state and federal cybersecurity laws do not apply to them,” and identified problems including:
 
• Not having a security policy plan or disaster recovery plan in place.
• Not performing legally mandated risk assessments.
• Not encrypting sensitive information.
 
The report also stated that “Over half of the respondents were less than 75 percent compliant with the Enterprise Security Program.” The program establishes minimum security requirements and compliance is required by law. Only a minority of states conduct statewide audits and, despite the multiple serious deficiencies that Mississippi’s audit identified, it was nonetheless one of the States least affected by ransomware in 2019. 
 
The data show that these governments are under constant or near‐constant cyberattack, yet, on average, they practice cybersecurity poorly. 
 
While nearly half reported experiencing cyberattacks at least daily, one‐third said that they did not know whether they were under attack, and nearly two‐thirds said that they did not know whether their information systems had been breached. 
Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and a lack of adequate funding for it. 
 
The fact that governments are failing to implement basic and well-established best practices, even when legally required to do so, can only be described as grossly negligent, especially as these entities know fully well that they are likely to be targeted in the ongoing campaign of cyberattacks.
 
Conclusion
Like other businesses, criminal enterprises pursue strategies that have been proven to work. On the basis that ransomware attacks against governments, healthcare providers and educational institutions have indeed been proven to work, these sectors are likely to continue to be heavily targeted in 2020.  Additionally, given the financial resources now available to bad actors and the significant profits that can be made, organisations in these sectors should expect that attacks will increase in both sophistication and frequency, possibly with the threat of the release of exfiltrated data being used as additional leverage to extort payment.
 
Payments are the fuel that drive ransomware. The only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid.
 
EMSISOFT:       Wiley:       State Of Missisippi:
 
You Might Also Read:
 
Ransom Attack Strikes New Orleans:
 
US City Of Atlanta Suffers An Attack:
 
 
 
« Digital Shock: The 4th Industrial Revolution
Wanted: International Cyber Standards »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Paraben

Paraben

Paraben provides digital forensics solutions for mobile devices, smartphones, email, hard drives, and gaming system.

Herjavec Group

Herjavec Group

Herjavec Group's Managed Security Services practice defends your organization from increasingly sophisticated, targeted cybercrime threats.

Secure India

Secure India

Secure India provides Forensic Solutions that help Government and Business in dealing with prevention and resolution of Cyber related threats.

tietoEVRY

tietoEVRY

TietoEVRY creates digital advantage for businesses and society. We are a leading digital services and software company with local presence and global capabilities.

FixMeStick

FixMeStick

FixMeStick is a virus removal device, a USB key that removes malware conventional antivirus software often can’t detect.

Institute for Cybersecurity & Privacy (ICSP) -  University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

HumanFirewall

HumanFirewall

HumanFirewall makes it possible for every individual to take part in securing their organisation. With HumanFirewall, achieving security has never been easier.

Navaio IT Security

Navaio IT Security

Navaio helps clients with IT Security related challenges with a primary focus on Identity and Access Management, Data Governance, User Awareness and Cyber Resilience Services.

Crypsis

Crypsis

Crypsis was built based on a shared vision of creating a more secure digital world by providing the highest quality incident response, risk management, and digital forensic services.

Wayra

Wayra

Wayra connects Telefónica and technological disruptors around the world. As their preferred strategic partner, we scale them up to accelerate their business and ours.

Quzara

Quzara

Quzara provides trusted advisory services and highly adaptive cybersecurity services to federal, commercial and Defense Industrial Base customers to meet their security compliance and cyber needs.

Avrem Technologies

Avrem Technologies

Avrem Technologies is a business IT and cybersecurity consulting firm. We design, implement, manage and monitor the networks, servers, computers and software that our clients rely on each day.

CodeLock

CodeLock

Codelock is a patent-pending solution that continuously provides software security at the code level, while providing advanced management insights with performance metrics and data analytics.

Oligo Security

Oligo Security

Oligo aims to streamline the usage of open source by making it secure and easy to protect. Through focusing developers on the relevant vulnerabilities we make the fixing process significantly shorter.

Core4ce

Core4ce

Core4ce is a mission-oriented company that serves as a trusted partner to the national security community.

ITButler e-Services

ITButler e-Services

At IT Butler, our mission is crystal clear: we are dedicated to providing top-tier cybersecurity solutions and best-practice methodologies to secure and enhance your digital infrastructure’s resilienc