Ransomware Attacks Multiple Government and Healthcare Organizations in April

Posted by Geraldine Hunt on Thu, May 3rd, 2018

The ransomware attacks of Wannacry and NoPetya inflicted heavy carnage on large corporate enterprises throughout the world last summer.  The incident proved that even large corporations are vulnerable to these types of attacks.  It also showed that even enterprises protected by an adequate cybersecurity staff do not always follow best security practices or implement a layered security stack.  In these cases, it was the lack of diligence regarding timely system updates and patching that provided the means for the malware infections.  If large corporations are easily susceptible to ransomware threats, then small business, organizations, and municipalities are even more exposed to these extortion threats as they lack the resources, knowledge base and staff to combat these threats.

School System Shut Down

Apparently, cybercriminals think the same way.  On April 14, a small school district of barely 6,000 students in Massachusetts was hit by a ransomware attack in mid-April.  The Leominster Public Schools District found their computer systems locked down with all of their data encrypted.  Fortunately, the attack took place during the school system’s spring break so student-learning activities were not interrupted.  The perpetrators demanded a ransom of $10,000 in bitcoin.  Faced with the challenge of getting operations back up in time for the returning students the following week, school administrators along with the local city mayor began negotiating with the hackers. 

As part of the negotiations between the school district and the hackers, decryption keys were sent to unlock some of the locked files as a show of proof.  With few options at their disposal, the mayor agreed to pay the ransom using funds from the city’s general budget.   According to a senior cyber intelligence director in Boston, “Municipalities are really the low-hanging fruit . . . because they don’t have the cybersecurity budgets that corporations do.”

Small Rural Towns Attacked

On April 4, network operations within the City of Atlanta were interrupted for two weeks after falling victim to a ransomware attack as the result of an embedded email link that was activated by a user.  In some cases, sixteen years of data was lost and the city’s mayor admitted that cyber security had not been a high priority prior to the attack.  The city chose not to pay the $55,000 ransom that was demanded by the hackers.  Instead, the city brought in outside companies to provide timely assistance to them.  The total cost of the recovery operation is estimated $2.7 million dollars.  Just days before, the City of Baltimore had its 911 dispatch system shutdown because of a ransomware attack.

Unfortunately, it isn’t just the big cities that are serving as attractive targets for hackers.  About an hour north of Atlanta lies the small town of Dawsonville, Georgia – population 2,634.  The town hosts the governmental operations for the Dawson County.  County personnel were greeted Monday morning on April 23 with a ransomware attack that brought down the county’s email system and some of its internal computer systems.  Fortunately, the county’s critical services such as law enforcement and fire protection were uninterrupted.  It took a full week for the county to regain control of its systems and restore backups.   The Georgia Bureau of Investigation, the Federal Bureau of Investigation and the United States Secret Service were involved in the investigation. 

Ukrainian Energy Ministry

It wasn’t just US-based government municipalities that were hit last month.  On April 24th, hackers took down the website of the Ukrainian energy and coal ministry and posted a notice in English demanding a Bitcoin ransom to recover encrypted files.  The Ukrainian government has been the brunt of a number of cyberattacks against some of its key infrastructure but this attack does not appear to be state-sponsored.  In fact, the rudimentary format of the attack indicates that it was most likely implemented by amateurs who were either working on improving their cyber attack skills or implementing the attack as an initiation requirement to join a veteran cyber organization.  Fortunately, the attack was limited to the web server itself.  The ransom was not paid and no other operations were affected.

California Health Provider Suffers Ransomware Breach

While ransomware attacks on government municipalities are increasing, the healthcare industry is still a prime target for these types of attacks.  In fact, ransomware accounts for 85% of the malware in healthcare.  On April 27, California-based Center for Orthopedic Specialists reported a ransomware attack that encrypted 85,000 patient records.  COS was notified by a third party technology vendor and a prompted investigation found that unauthorized parties had begun probing the network two months prior.  The compromised and affected systems were taken offline and the company insists that the perpetrators seized no data.  The encryption of medical records is a major concern in the healthcare field as the perpetrators of ransomware can potentially alter the tamper with the encrypted data.  The potential fallout over data integrity would be devastating for any healthcare provider. 

Fewer yet more hard-hitting ransomware attacks in 2018

The number of ransomware attacks is on the decline.  According to a report by SonicWall, there were 184 million ransomware attacks in 2017 compared with 638 million in 2016.  While the number of attacks may have subsided, the number of strains more than doubled in 2017.   Researchers believe this may indicate a shift from quantity to quality.  

Some industries, such as healthcare and government, will continue to be targeted by ransomware attacks. Many of the tools developed by the criminals behind ransomware, including fileless malware and encryption techniques, will continue to be used in different types of attacks. To escape future ransomware attacks IT pros must leverage the right technology.

Municipalities are particularly vulnerable to ransomware without the right security stack and defense in depth approach. Hackers are taking advantage of virtually non-existent DNS security to infiltrate computer networks, install malware, and steal data. The majority of malware variants now being released use security vulnerabilities in the DNS system to communicate with command and control servers and steal data.  The cost to adopt a layered security solution is far less expensive than the cost to recover from a breach.