Researchers estimate that since the beginning of 2019, ransomware has attacked 174 municipalities, which is at least 60% more than in 2018. The ransom demanded by attackers in such cases averages more than $1,000,000, and the maximum reached $5,000,000. At the same time, the spread in ransom amounts was very large: for example, school districts in small settlements were asked for amounts about 20 times smaller than city halls in large cities.
The cumulative damage from encryption ransomware attacks, including long-term socially significant consequences, could be even greater: researchers note that stopping the work of city services negatively affects the well-being of residents.
The ransomware families Ryuk, Purga, and Stop were the most active this year. Ryuk appeared more than a year ago; it is usually distributed via a backdoor that reaches the devices of private and corporate users through phishing emails with malicious attachments (disguised as financial documents). The Purga malware has been known since 2016, but it began to attack municipal services only this year. The vast majority (86%) of all Purga ransomware attacks were in Russia. In addition, Russia is in fifth place in terms of the number of users attacked by Ryuk ransomware.
Perhaps the most widespread and widely discussed incident was the attack in Baltimore: the city was the victim of a large-scale extortion campaign that paralyzed many services, and tens of millions of dollars were required to restore the city’s IT infrastructure.
“The payment of a ransom is a short-term measure that only encourages attackers to continue their activities. It should be borne in mind that a successful attack on a city means that its infrastructure has been compromised, which means that a cyber incident investigation and a thorough audit are required, that is, in any case, additional costs will be required. City officials sometimes tend to pay the ransom because it is often covered by insurance. However, it would be more far-sighted to invest in proactive measures, such as reliable security products and backup solutions, as well as a regular security audit. The number of attacks on city administration is growing, but you can fight this if you reconsider the approach to cybersecurity, do not pay a ransom and translate this decision as an official position,” says Fedor Sinitsyn, an expert at Kaspersky Lab.
Researchers believe that in 2020 this trend is likely to continue. First, in such institutions, cybersecurity funding is focused more on insurance and incident response than on proactive protective measures. As a result of this approach, situations arise in which the only solution is to pay the criminals, thereby encouraging them to continue criminal activity.
Secondly, municipal infrastructures, as a rule, include many networks covering various organizations, so an attack on them disrupts processes at several levels at once, which can ultimately paralyze the services of entire regions.
Moreover, municipal networks often store data critical for the smooth functioning of daily processes that are directly related to the welfare of citizens and the work of local organizations. By attacking these targets, attackers strike at a sore spot.