2019 ransomware trends: doctors forced out of business as attacks intensify
What’s the state of ransomware in 2019 so far? Not great, apparently.
Despite signs that some cybercriminal groups are moving away from ransomware to other illegal enterprises, like cryptojacking, a near constant stream of attacks have continued to roil businesses this year.
· A medical practice in Michigan was forced to shutter its doors following an infection.
· The City of Albany was overwhelmed by an attack that disrupted government services for days and may have even compromised bank accounts.
· Attacks disrupted government operations in North Carolina, Georgia, Michigan and elsewhere.
· A global aluminum producer was hobbled by an attack, shutting down its network and stalling operations worldwide.
Together, these attacks seem to go against the general consensus that ransomware would slow down in 2019. While the exact rate of infections remains to be seen, these recent attacks paint a bleak picture of a cybersecurity threat that is getting nastier and more targeted.
In this post, we take a closer look at some of the recent attacks and what they might mean for other businesses.
Doctors’ office to close after ransomware
An often-cited statistic from FEMA reveals that 40% to 60% of small businesses never recover after a disaster. That appears to be the case for a Michigan-based medical practice that was devastated by ransomware in late March.
After the infection wreaked havoc on the business, the recovery was apparently so insurmountable that the doctors decided to close the business entirely and retire early.
Brookside ENT and Hearing Services is a small, two-doctor practice in Battle Creek, Michigan. While it’s not known exactly how the infection occurred (traditionally, most infections are delivered through spam email and phishing scams), it appears that the practice’s IT systems weren’t built to fend off such an attack.
The ransomware encrypted all of the practice’s critical data. Staff lost access to patient records, medical histories, appointment schedules and other files.
Interestingly, the ransom demand was only $6,500 – not a particularly hefty sum for small businesses. But rather than paying up (which federal authorities advise against anyway), the doctors decided to call it quits.
It’s not clear how that decision squares up with federal laws like HIPAA, but the practice confirmed it was indeed shutting its doors within a month.
City of Albany crippled by ransomware infection
The City of Albany experienced a similar situation as the Michigan ear doctors, except on a much larger scale.
The attack happened on a Saturday in late March, locking up vital data and rendering all the city’s Internet-connected tools unusable, including police systems. Officers had to complete reports by hand, and even the employee scheduling system was down. The department had no visibility into which officers were scheduled for the week or how much manpower they had.
A wide range of municipal services were also unavailable, including requests for vital records, such as birth certificates, marriage licenses and death certificates.
Some services were restored by Monday, while other key systems remained inaccessible, including the city’s payroll system. City workers had to track their hours on paper.
On the whole, the city was able to restore most systems pretty quickly. But a week after the incident, officials suggested the attack might have been nastier than previously thought. Mayor Kathy Sheehan told reporters that the hackers may have also committed bank theft alongside the ransomware attack. Several city workers reported unauthorized withdrawals from their online bank accounts, as well as financial accounts in Florida and Illinois.
Sheehan called it “too much of a coincidence at this point to say with the city having a ransomware attack, with all the data that’s stored at city hall and on our servers that personal information was also breached and these guys are now noticing that their accounts are being substantially drained.”
If true that the bank theft was part of the attack, this would indicate a troubling development for ransomware. To date, most forms of ransomware have been designed only to encrypt data, not copy it or transmit it to attackers.
However, experts have warned that future ransomware infections could indeed be used to disguise other crimes, such as data theft, and other malware like banking Trojans. Additionally, analysts have predicted that ransomware attacks would become more targeted, and there’s a good chance that’s how the Albany infection originated.
2019 Ransomware Trends
These incidents certainly look bad, but what does the overall data say about where ransomware is heading in 2019?
Not surprisingly, attacks on businesses are on the rise, while attacks on consumers are declining. In Malwarebytes’s 2019 State of Malware report, analysts noted a 79% increase in ransomware detections at businesses in 2018. A sizable portion of that jump came in the second half of the year, signaling that the trend would likely continue into 2019.
Specific families of ransomware are also on the rise. Malwarebytes has found a sharp increase in Troldesh ransomware, also known as “Shade,” between Q4 2018 and Q1 2019.
Attackers are also relying less on certain mass delivery methods, such as malvertising, and instead targeting specific businesses, using “brute force” attacks to crack passwords and decode sensitive data.
The top 10 industries affected by ransomware in 2018:
It’s important to note that the total volume of ransomware detections was down in 2018 compared to 2017. But as we’ve seen, this doesn’t mean ransomware is on the way out.
Researchers at Malwarebytes say 2018 was “a year of quiet experimentation and reassessment … We expect to see more innovative reworkings of older files and strengthened ties to cutting-edge exploit kits to push ransomware further still.”
Global aluminum producer sidelined by ransomware
Norsk Hydro ASA (often referred to as simply “Hydro”) is a Norwegian aluminum producer that operates in 40 countries with 35,000 employees based around the globe.
On a Tuesday morning in mid-March, all 35,000 employees were instructed to keep their computers turned off until further notice. The company was fending off a fast-moving ransomware attack.
Just the day before, some of its computers in the United States had been infected. And from there, the infection quickly spread across the company’s global network, eventually taking it down entirely, impacting 160 locations worldwide.
Hydro had to temporarily shut down some of its plants as it attempted to isolate the infection. The company’s most critical plants, which need to operate continuously, had to switch to “manual mode.” As employees and guests arrived at Hydro offices around the globe, they were greeted with posters warning them not to connect any devices to the network and to not turn on any device that was already connected.
Officials from Hydro didn’t mince words about the seriousness of the situation: “Let me be clear: the situation for Norsk Hydro through this is quite severe,” said Chief Financial Officer Eivind Kallevik. “The entire worldwide network is down, affecting our production as well as our office operations. Our main priority now is to ensure safe operations and limit the operational and financial impact.”
Analysts believe the attack may have been orchestrated by a well-known cybercrime group known as FireEye. FireEye has been known for sophisticated cyberattacks on retail point-of-sale systems, but the group appears to be switching tactics to focus on ransomware.
Is that all?
The last few weeks have been an especially active time for high-profile ransomware attacks:
· Government operations in Orange County, North Carolina, were severely disrupted by a ransomware variant known as Samas, which infected 70% to 90% of the county’s servers, as well as employees’ computers. Officials believe the infection did not originate through email.
· In Georgia, county government spent more than $400,000 to get rid of ransomware after an attack took down most of the county’s IT systems last month.
· Genesee County, Michigan, faced its own ransomware attack last week, which affected all computer systems and even deleted the county’s data backups.
These attacks all occurred within the last month, and yet they represent only a few examples out of numerous additional infections occurring worldwide on a near daily basis (many of which go unreported).
How to protect your business against ransomware
Ransomware may be evolving, but there are some relatively simple steps you can take to prevent an infection and recover quickly if an attack occurs.
· Data backups: Deploying a dependable backup & disaster recovery system is essential. When an attack occurs, you can roll back to clean data, thereby restoring your files and removing the threat.
· Employee training: Educate all staff on proper email/Internet usage, how to spot phishing scams and protocols for handling email attachments and other security concerns.
· Antimalware: Deploy antimalware/antivirus software across the organization, with active and scheduled scanning on every machine.
· Patching: Make sure all software, operating systems and firmware are patched frequently, ideally as soon as updates become available.
· File access control: Restrict user access to only the folders and directories they need. This will prevent some strains of ransomware from spreading across the network.
Get more information
For more information on how you can protect your critical data from ransomware and other threats, request a free demo of BC/DR solutions from Datto. Contact our business continuity experts at (646) 395-1170 or email [email protected].