Baltimore County Public Schools shut down Monday and Tuesday following a ransomware attack that paralyzed the school system’s network last week right before Thanksgiving.
According to the Baltimore Sun, officials described the event as a “catastrophic attack on our technology system.” The ransomware attack is reported to have hit the entire Baltimore County Public Schools’ network on Wednesday. The attack caused the 115,000 students who were solely remote learning to have an extended Thanksgiving weekend as schools were shut Monday and Tuesday and will resume on Wednesday.
When resuming school tomorrow, the District is advising students and staff that they can use Chromebooks, but not Windows-based devices while the investigation is ongoing. Students and staff are performing a series of security checks on system-issued devices and any students who need a new device or assistance can get assistance at their local public high school.
According to social media accounts, some teachers have surmised that the ransomware strain involved in the attack is Ryuk, which is well-known to have been involved in previous attacks against municipalities and school systems.
At the present time, the attack is being investigated and it is unknown whether or not any personal student or employee information was compromised.
Today marks two weeks since Election Day 2020 in the U.S., when tens of millions went to the polls on top of the tens of millions who had voted early or by mail in the weeks leading up to November 3.
The whole affair was expected to be a hot mess of suffrage, what with a closely divided public and access to the world’s most powerful office hanging on the outcome of voting in a few key districts sprinkled across a handful of states. Election attacks seemed a foregone conclusion.
Election Attack, Anyone?
Memories of the 2016 Presidential contest are still fresh in the minds of U.S. voters. During that contest, stealthy disinformation operations linked to Russia’s Internet Research Agency are believed to have swayed the vote in a few key states, helping to hand the election to GOP upstart Donald Trump by a few thousand votes spread across four states.
In 2020, with social media networks like Facebook more powerful than ever and the geopolitical fortunes of global powers like China and Russia hanging in the balance, it was a foregone conclusion that this year’s U.S. election would see one or more cyber incidents grab headlines and, just maybe, play a part in the final outcome.
Two weeks and more than 140 million votes later, wild conspiracy theories about vote tampering are rampant in right wing media, but predictions of cyber attacks on the U.S. presidential election have fallen flat.
From Russia with…Indifference?
So what happened? Did Russia, China and Iran decide to sit this one out, or were planned attacks stopped in their tracks? And what about the expected plague of ransomware? Did budget- and talent-constrained local governments manage to do just enough right to keep cyber criminals and nation-state actors at bay?
To find out we invited two experts who have been following election security closely into the Security Ledger studios to talk.
Allan Liska is a Threat Intelligence Analyst at the firm Recorded Future, which has been monitoring the cyber underground for threats to elections systems.
We spend a lot of time reporting on ransomware because we are seeing more incidents than ever before, and our readers comment that keeping them up to date on ransomware tactics is helpful. The ransomware gangs, strains and vectors are constantly changing, so it is very challenging for companies to keep up with their latest tactics.
The Coveware Quarterly Report is one resource that is very helpful in understanding the newest methods and successes of ransomware attackers, and Coveware’s Third Quarter Report was recently released.
The Report confirms what we are seeing in the field, and confirms how the landscape is changing. The big news is that the Maze group has allegedly dispersed, with some members joining others. Maze wreaked havoc last year, when it started exfiltrating data from victims before it dropped the ransomware and then threatened to publish the data if the company didn’t pay.
The Report is a must read, but here are some highlights (depressing as they are):
There is no guarantee that, if you pay the ransom so the attackers will delete your data, they will actually delete it or will not come after you again. (They are criminals, after all.) In Q3, exfiltration of data before the introduction of ransomware doubled, and half of all ransomware attacks included exfiltration of data. These are not promising statistics.
Although Maze is allegedly out of business, others have copied its tactics for exfiltrating data, including AKO, Ranzy, Netwalker, Mespinoza, Conti, Sekhmet, and Egregor. Egregor is believed to have inherited Maze. Sodinokibi has re-extorted victims after they have paid the ransom.
Some gangs provide fake proof that they have your data to get you to pay.
There is no guarantee that the exfiltrated data will not be sold to other groups.
Ransom demands are increasing.
The biggest ransomware threats in Q3 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer.
Wasted, Nephilim and Avaddon made it into the top 10 list of market share of ransomware variants.
More than 50 percent of all attacks are successful through attacks on Remote Desktop Protocols (RDP). Coveware sees this method of attack as the most cost-effective way to compromise organizations and stresses the importance of properly securing RDP connections.
Almost 30 percent of attacks see the ransomware distributed via phishing emails, which have steadily increased since late 2019.
The average ransom payment in Q3 was $233,817, up 31 percent from Q2 2020.
The median ransom payment in Q3 was $110,532 up 2 percent from Q2 2020.
Ransomware is a disproportionate problem for small and medium-sized businesses. The median victim had 168 employees, up 68 percent from Q2 2020.
Most victims of ransomware have less than $50 million in annual revenue.
Professional service firms, especially small ones such as law firms and accounting firms, are especially vulnerable.
The average number of downtime days of victimized businesses is 19 days.
These statistics are ones to pay close attention to and use when determining risk management priorities. It is clear from the Report that addressing RDP and employee education as top priorities makes sense. According to the Report, one possible reason for the increase in the use of RDP is “that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.”
As coronavirus cases increase again throughout the U.S., remote working appears to be the norm, so ransomware attackers are using, and will continue to use, the shift from the office to the home to attack victims.
Campari, the Italian drinks company, recently announced that it was hit with a cyber attack that encrypted its data and potentially exfiltrated some data.
According to Campari, “We are still investigating the attack and…determining to what extent there has been any loss of confidentiality. At this stage, we cannot completely exclude that some personal and business data has been taken.”
According to Cybersecurity Ventures, cybercrime is the fastest growing crime in the U.S., with damages expected to reach $6 trillion globally by 2021. Therefore, it is axiomatic that C-Suites continue to address the risk associated with cybercrime and how cybercrime will affect the business.
Ransomware continues to be one of the biggest risks to company operations. Statistics show that ransomware attacks are becoming more prolific and expensive. According to the most recent Coveware Q3 Report, ransomware incidents and ransom demands are increasing. Ransomware attacks are leaving a company paralyzed for an average of 19 days.
The inability to conduct business operations for 19 days can be devastating, especially to small and medium-sized businesses. Having an incident response plan, contingent operations plan, and disaster recovery plan is essential to minimizing the risk of failed or stalled operations. Those companies that are prepared for an attack and can implement these plans are better able to respond to a cyber-attack that leaves the company paralyzed.
It is clear that cyber-attacks and cybercrime damages are continuing to soar, particularly while companies’ workforces are working remotely. It is crucial to evaluate and put your incident response, contingent operations and disaster recovery plans in place now.
The misinformation on social media about the election results (and other topics) is rampant. Social media companies like Twitter and Facebook are struggling with the balance between the First Amendment right to free speech and false information or exaggerated reports on their platforms and are hiding or flagging those they deem to be false or misleading.
Misinformation and false information do not help anyone get to the truth. Getting news from reliable sources and news outlets, rather than through social media platforms and websites, is usually the better choice because major news organizations must follow industry standards regarding content.
In addition, going to unreliable websites to obtain information may put you at a higher risk of a cyber-attack. Cyber criminals and foreign adversaries develop fake websites, and when individuals visit such a website, it can introduce malware or ransomware into their system.
Don’t be fooled by false or misleading information on social media platforms or websites. Go directly to the source to stay informed and to stay cyber-safe.
The GEO Group, Inc. (GEO), a publicly held company located in Boca Raton, Florida, announced on November 3, 2020, that it is beginning to notify individuals following a ransomware attack that “impacted a limited amount of personally identifiable information and protected health information for some inmates and residents contained on certain servers for a small number of facilities including the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and a now closed facility in California. The incident also impacted two corporate servers with employee data.”
According to the statement on its website, the GEO Group is “not aware of any fraud or misuse of information as result of this incident.”
The ransomware attack was discovered by GEO on August 19, 2020. It thereafter launched an investigation with cybersecurity firms and law enforcement. According to the website notice, “the company recovered its critical operating data and, based on its assessment and on the information currently known and obtained through the investigation, the Company does not believe the incident will have a material impact on its business, operations or financial results.”
GEO is a publicly traded organization that “is a fully integrated equity real estate investment trust specializing in the design, financing, development and operation of secure facilities, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom. GEO is a leading provider of enhanced in-custody rehabilitation, post-release support, electronic monitoring, and community-based programs.” It owns or manages 123 facilities totaling approximately 93,000 beds and employing approximately 23,000 professionals. Its website states that its “diversified services platform provides unique capabilities for the delivery of educational and vocational programs, cognitive behavioral and substance abuse treatment, and faith based services across the entire corrections spectrum.”
Based upon the statement, it appears that GEO is notifying affected inmates, residents and employees of the incident.
Criminals are apparently not taking any time off during this pandemic, and in fact by all accounts have increased their attacks, particularly targeting entities whose attention is diverted to dealing with the fallout of the Covid-19 crisis. In particular, educational institutions across the country have faced a recent onslaught of ransomware attacks, often crippling an already vulnerable infrastructure just as classes were set to resume. Check Point Research recently published a report advising that cyber-attacks targeting academic institutions increased 30 percent between July and August (with upwards of 600 attacks per week). Although the research does not reveal why the surge occurred, it is likely not a coincidence that Covid-19 has compelled schools to utilize and vastly expand the use of new and unfamiliar technologies that allow remote learning, which in turn may have opened up new opportunities for cybercriminals to attack. In addition, although financial resources were spent on acquiring new technologies, the same expenditures were not necessarily invested in associated security.
Oftentimes cyber-attacks start with a phishing email that, once opened, allows cybercriminals to gain access to an organization’s infrastructure over time. As attention has been diverted to dealing with emergency Covid-19 issues, organizations have fewer resources focused on cyber-attacks. Accordingly, as the Covid-19 emergency persists, educational institutions must be sure not to lose focus on monitoring for cyber-attacks. Failing to expend the additional resources on cybersecurity prevention and monitoring could very likely cost the school significantly more in the long run.
On October 27, 2020, the FBI and the Department of Homeland Security (DHS) warned the health care industry about “an imminent cybercrime threat to U.S. hospitals and healthcare providers.”
According to the warning, which was shared during a conference call, the government has received “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The information was being shared with participants so they can take timely precautions to protect their networks from the threat.
According to KrebsOnSecurity, the threat is believed to stem from a Russian cybercriminal gang that may be deploying Ryuk ransomware to more than 400 health care facilities in the U.S. It appears the attack is planned to be coordinated in order to maximize disruption in the health care sector.
Hospitals are urged to confirm that patching of all known vulnerabilities has been completed. Mandiant Solutions has released a list of domains and Internet addresses that have been used by Ryuk in the past in order to assist hospitals with identifying known methods used to infiltrate systems.
Based upon these warnings, hospitals and health care providers may wish to consider prioritizing patching and blacklisting the known domains and Internet addresses used by Ryuk today.
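Turning a published list of known-bad domains and addresses into something a hospital's security team can actually act on means checking it against DNS and firewall logs. The script below is an added illustration, not code from the post or from Mandiant, and the indicators and log lines in it are constructed placeholders (the page does not reproduce the real list). It matches log lines against domain indicators by exact name or subdomain, and against IP indicators by address or CIDR range, which avoids the false positives a naive substring search would produce:

```python
"""Match DNS and firewall log lines against a list of known-bad domains and IPs.

Added example, not part of the original post. The indicators and log lines below
are constructed placeholders; a real deployment would load the published list
(which this page does not reproduce) from a file instead.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list in a simple "type,value" format (not real Ryuk IoCs).
INDICATOR_TEXT = """\
# type,value
domain,bad-example.invalid
domain,c2.malicious-example.test
ip,198.51.100.0/24
ip,203.0.113.77
"""

# Constructed log lines: a DNS query log and a firewall connection log.
SAMPLE_LOGS = [
    "2020-10-28T14:02:11Z dns client=10.0.5.23 query=www.hospital-intranet.example",
    "2020-10-28T14:02:19Z dns client=10.0.5.23 query=update.bad-example.invalid",
    "2020-10-28T14:03:02Z fw src=10.0.5.23 dst=198.51.100.45 dport=443 action=allow",
    "2020-10-28T14:03:40Z fw src=10.0.7.9 dst=8.8.8.8 dport=53 action=allow",
    "2020-10-28T14:04:15Z dns client=10.0.9.1 query=notbad-example.invalid",
]


@dataclass(frozen=True)
class Hit:
    line: str
    indicator: str


def load_indicators(text):
    """Parse the indicator text into a set of domains and a list of IP networks."""
    domains, networks = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        if kind == "domain":
            domains.add(value.lower().rstrip("."))
        elif kind == "ip":
            # strict=False accepts both a bare host address and a CIDR range.
            networks.append(ipaddress.ip_network(value, strict=False))
    return domains, networks


def match_domain(name, domains):
    """Return the matching indicator if name equals or is a subdomain of one."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    # Walk from the full name up to the top-level label so only label-aligned
    # suffixes match: "notbad-example.invalid" does not match "bad-example.invalid".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_ip(address, networks):
    """Return the matching network (as a string) if address falls inside one."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


_QUERY = re.compile(r"query=(\S+)")
_DST = re.compile(r"dst=(\S+)")


def scan_logs(lines, indicators):
    """Run every log line against the indicator set and collect hits."""
    domains, networks = indicators
    hits = []
    for line in lines:
        m = _QUERY.search(line)
        if m and (d := match_domain(m.group(1), domains)):
            hits.append(Hit(line, d))
            continue
        m = _DST.search(line)
        if m and (n := match_ip(m.group(1), networks)):
            hits.append(Hit(line, n))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_indicators(INDICATOR_TEXT)):
        print(f"HIT {hit.indicator}: {hit.line}")
```

Run against the constructed logs it reports two hits: the DNS lookup of a subdomain of a listed domain and the outbound connection into a listed range. The label-aligned suffix match and the `ipaddress` range check are the two details worth keeping when adapting this to real log formats; each hit still needs an analyst to confirm it before a host is isolated.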
The 2020 election in the U.S. is less than a week away, and warnings about cyber threats to the vote are coming out with about the same regularity as polls of the presidential contest between Joe Biden and Donald Trump.
Also this month, an outbreak of the DoppelPaymer ransomware affected elections infrastructure in Hall County, Georgia, disabling a database used to verify voter signatures in the authentication of absentee ballots.
Which leads us to ask: despite years of warnings, are state and local governments ready for what Russia, Iran or any number of ransomware gangs have in store for them?
To help answer that question, we invited Rob Bathurst into the studio. Rob is the Chief Technology Officer at Digitalware, a Denver area company that specializes in risk analysis and risk management with Federal, state and local government and F500 companies.
In this conversation, Rob and I talk about what the biggest cyber risks are to state and local governments and how worried we should be about warnings of cyber threats to elections systems.
Vulnerabilities are just a reality in government networks, Rob says. The key is to avoid being surprised by attacks and also to ensure that you can keep voting systems and other critical systems available even if they are the target of an attack.
In this conversation, Rob and I talk about the bigger picture of cyber risk for federal, state and local governments. We also talk about incidents like the recent hack of government ERP provider Tyler Technologies.
Rob Bathurst is the Chief Technology Officer at the firm Digitalware. He was here talking to us about cyber risks in local governments and the risk to elections systems.