Cybercriminals are targeting government, healthcare, and education organizations with ransomware. While an uptick in attacks was expected due to the upcoming presidential election, cybercriminals are also leveraging the COVID-19 pandemic and remote work to wreak havoc on organizations. Although ransomware has been around for more than two decades, the threat has been growing rapidly in recent years.
In the past 12 months, Barracuda researchers identified and analyzed 71 ransomware incidents. Last year, an in-depth look at municipal ransomware attacks showed local government is a preferred target of cybercriminals. That’s the still the case; the majority of ransomware attacks looked at this year were on municipalities, including local governments, schools, libraries, courts, and other entities. This year’s analysis also includes data about organizations related to healthcare and logistics, two industries critical to our physical wellbeing and economic sustainability and recovery throughout the pandemic.
Here’s a closer look at the latest ransomware attacks and solutions to help detect, block, and recover from them.
Highlighted Threat
Ransomware — Cybercriminals use malicious software, delivered as an email attachment or link, to infect the network and lock email, data, and other critical files until a ransom is paid. These evolving and sophisticated attacks are damaging and costly. They can cripple day-to-day operations, cause chaos, and result in financial losses from downtime, ransom payments, recovery costs, and other unbudgeted and unanticipated expenses.
With the pandemic putting millions of workers at home, cybercriminals gained a larger attack surface as the result of the fast and widespread shift to remote work. The weak security of home networks makes it easier for cybercriminals to compromise them, move laterally to business networks, and launch ransomware attacks.
The Details
In addition to heavily targeting municipalities, clearly an area of focus and success for cybercriminals, they’re now setting their sights on education and healthcare. The steady attacks on healthcare are no surprise, as a variety of cybersecurity threats and attacks related to the pandemic have been widely reported.
Attacks on education, including institutions of higher learning, include the theft of personal information and medical records, as well as healthcare research. The Florida Orthopedics Institute and the UFSC School of Medicine were two high-profile cases to make the news. The former faces a class action lawsuit, and the latter paid a $1.1 million ransom.
Logistics-related attacks are also on the rise. Six notable ransomware attacks were examined since last July. These attacks on logistics companies can seriously hamper the ability to move goods, including medical equipment, personal protective equipment, and everyday products. Toll was the victim of two attacks in three months, perhaps an indication that attackers are shifting strategies and paying more attention to targets that have already been identified as vulnerable in order to launch a series of attacks.
Rising ransoms
It’s not just attacks that are on the rise. Ransoms and ransom payments are, too. In many cases, ransoms are now more likely to be paid, and these demands often exceed a million dollars. Of the cases studied, 14 percent were confirmed to have paid the ransom, and the average payment was $1,652,666. In one extreme example, Garmin was reported to pay $10 million in ransom.
Ransoms are also being paid by municipalities. A full 15 percent of the municipalities Barracuda studied are confirmed to have made payments ranging from $45,000 to $250,000. All the municipalities studied that made payments had populations less than 50,000, and they deemed the cost and labor associated with manually recovering from the ransomware attacks too high. That’s a significant change compared to last year, when practically none of the municipalities attacked paid any ransom.
One municipality to pay ransom this year was Lafayette, Colorado. “After a thorough examination of the situation and cost scenarios, and considering the potential for lengthy, inconvenient service outages for residents, we determined that obtaining the decryption tool far outweighed the cost and time to rebuild data and systems,” Lafayette Mayor Jamie Harkins said in a video statement.
In addition to stealing data, encrypting files, and demanding ransom, cybercriminals are also demanding payment from victims, to avoid publicly disclosing information obtained that could cause public humiliation, legal issues, and hefty fines. Many cybercriminals are now combining the use of ransomware and data breaches to double the leverage over their victims in this way. Of the attacks studied, 41 percent were a combined ransomware attack and data breach. If the ransom is not paid, victims’ data is dumped on the threat actors’ servers or auctioned off on the dark web.
Cybercriminals are also increasing their firepower to cast a broader net and trap more victims. In June, Barracuda data shows that a well-known botnet was used to attempt more than 80,000 attacks using Avaddon ransomware.
Defending against ransomware attacks
The rapidly evolving email threat environment requires advanced inbound and outbound security techniques that go beyond the traditional gateway, including closing the technical and human gaps, to maximize security and minimize the risk of falling victim to sophisticated ransomware attacks.
Spam filters / phishing-detection systems
While many malicious emails appear convincing, spam filters, phishing-detection systems, and related security software can pick up subtle clues and help block potentially threatening messages and attachments from reaching email inboxes.
Advanced firewalls
If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.
Malware detection
For emails with malicious documents attached, both static and dynamic analysis can pick up on indicators that the document is trying to download and run an executable, which no document should ever be doing. The URL for the executable can often be flagged using heuristics or threat intelligence systems. Obfuscation detected by static analysis can also indicate whether a document may be suspicious.
Block lists
With IP space becoming increasingly limited, spammers are increasingly using their own infrastructure. Often, the same IPs are used long enough for software to detect and add them to block lists. Even with hacked sites and botnets, once a large enough volume of spam has been detected, it’s possible to temporarily block attacks by IP.
User-awareness training
Make phishing simulation part of security awareness training to ensure end users can identify and avoid attacks. Transform them from a security liability into a line of defense by testing the effectiveness of in-the-moment training and evaluating the users most vulnerable to attacks.
Backup
In the event of a ransomware attack, a cloud backup solution can minimize downtime, prevent data loss, and get your systems restored quickly, whether your files are located on physical devices, in virtual environments, or the public cloud. Ideally, you should follow the 3-2-1 rule of backup with three copies of your files on two different media types with at least one offsite to avoid having backups affected by a ransomware attack. 
