Nearly 1,000 US government agencies, educational establishments and healthcare providers have been hit by ransomware attacks in 2019, with attacks reaching epidemic proportions, security firm Emsisoft warned today, saying it had tracked attacks on 103 federal, state and municipal governments and agencies, a stunning 759 healthcare providers and 86 universities, colleges and school districts.
The report comes amid a high-profile series of recent attacks, with data centre provider CyrusOne among the companies recently affected; others reported on by Computer Business Review include businesses that themselves put cybersecurity operations at the heart of their service; nobody is seemingly immune and attacks are increasingly highly targeted, security experts say, with extensive initial scoping of the target.
In the US alone such attacks have caused some $7.5 billion-worth of damage, Emsisoft said in a report it had planned to publish January 1, but which it said it is bringing forward in the wake of yet another attack on local US government, this time Pensacola.
The attacks disproportionately hit the healthcare sector, resulting in cancelled operations, delays to surgical procedures and interruptions to 911 services: “The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better”, said Emisoft CTO Fabian Wosar.
Ransomware Attacks in 2019: State Gov’t Has a “Disregard” for Cybersecurity
The New Zealand-based cybersecurity firm pointed to a report issued by the State Auditor of Mississippi in October 2019 that stated there was a “disregard for cybersecurity in state government,” with many state entities “operating like state and federal cybersecurity laws do not apply to them”.
That report found that many state government bodies do not have a security policy plan or disaster recovery plan in place; are not performing legally mandated risk assessments and are not encrypting sensitive information.
As Commvault’s Nigel Tozer told Computer Business Review: “A significant malware attack is a game-changer. System dependencies kick-in and create recovery-roadblocks, communications go down, plans evaporate, and business recovery priorities shift like desert sands. You may even need to build a new datacentre to recover to (as with COSCO and others). It’s imperative to have a robust backup system with its own defences; failure to do this means cracking the encryption keys or paying the ransom becomes your only option, assuming that destruction alone is not the attack’s purpose”.
Among a series of initiatives proposed by Emsisoft to stem the flood of attacks is mandating disclosure. As the firm notes: “Currently, there is no legal requirement for public entities to report or disclose ransomware incidents and, as a result, relatively little data about the incidents is available. However, information such as the ransomware strain used, the attack vector, the vulnerability exploited and the financial impact of incidents is critical as it can help other organizations better understand the threat landscape and better assess their security priorities.
“For example, if organizations know what weaknesses enabled other organizations to be compromised, they can make sure that they do not have the same weaknesses. To close the intelligence gap, reporting requirements should be introduced and the data collected aggregated, anonymized and shared. As Algirde Pipikaite (World Economic Forum) and Marc Barrachin (S&P) recently stated, “Information is power and, in cybersecurity, it’s the power to prevent other similar events.”