A flurry of ransomware attacks has been reported this week affecting entities in the US states of Georgia, New York, Tennessee, and Florida.

File-encrypting malware has grown rampant lately, with the likes of Ryuk, Sodinokibi, or Dharma/Phobos targeting organizations in both the public and private sector.

The actors behind these threats do not discriminate between targets, but statistics from Coveware, a ransomware incident response company, show that public sector victims pay ten times more than private companies. The calculated average for Q2 was $338,700.

Ryuk in Tennessee

On Thursday, officials in Collierville, Tennessee, confirmed that the Town's computer systems were infected with a ransomware strain.

The IT department worked to minimize the impact and isolated several servers hit by the attack but some services (permits, public records requests, and business services) were affected.

The attack occurred in the morning and did not have an effect on emergency services, according to News Channel 3. Later in the day, Town officials said that the disruption was caused by the Ryuk ransomware strain.

Ransomware hits radio station in Florida

Community radio station WMNF 88.5-FM in Tampa decided to beef up its security posture following a ransomware attack last month.

The incident occurred on June 18 and did not affect any sensitive data but it did reach a system that stored audio archives for pre-recorded promos and episodes of news and public affairs programming.

Systems for live HD broadcasts were also infected, causing radios with a digital display to show the name of the rock band 'Derek and the Dominos' regardless of the tune played.

Despite not having backups for the malware-encrypted data, WMNF decided not to pay the ransom, the Tampa Bay Times reported on Wednesday.

The Florida Department of Law Enforcement told the radio that there is a good chance of losing the data even if they paid the cybercriminals.

In other ransomware incidents in Florida, crooks were able to cash in at least $1 million in bitcoins after infecting computers in the City of Lake City (paid 42 bitcoins) and in Riviera Beach (paid a 65-bitcoin ransom).

Ryuk in New York libraries

Another page in the chronicle of ransomware attacks can be found in the libraries of Onondaga County (OCPL), New York, where a Ryuk incident was discovered last Friday.

The FBI has been involved in the investigation and information technology teams have been working to restore the systems at the county's library locations to normal.

The systems continued to be unavailable on Tuesday but signs of returning to normal occurred today when OCPL announced that cardholders can now access their OverDrive accounts and check out items using a web browser.

The ransomware strain causing the disruption appears to be Ryuk, also responsible for the attack on Syracuse City School District last week, according to News Channel 9.

Ransomware in Georgia

Another incident that may be caused by file-encrypting malware was reported today in Henry County, Georgia. The attack happened on Wednesday morning (around 3 or 4 AM) and the systems were still not functioning this afternoon.

The computers that have been taken down served the budgeting and procurement systems, and the Planning and Zoning Department.

Melissa Robinson, public information officer for the county, told local news outlet Henry Herald that the Planning and Zoning Department would have to switch to paper permits if the current situation persists in the next couple of days.

Robinson did not clearly explain the nature of the incident but stated that the FBI was contacted and they would take over in situations where ransomware is involved, if this is the case.

Paying is a short-term solution

Ransomware is a serious threat that can be stifled by not paying the price the cybercriminals ask for the decryption tool as this would make the business less profitable for the attacker.

Furthermore, yielding to the threat actor's demands does not solve the problem in the long run. In the end, victims will have to accept the financial loss and also invest in a better security posture that would shield them from other types of attacks in the future.

For instance, the attack on Riviera Beach ended with the city paying about $600,000 to get the decryption keys from the hackers and investing close to $1 million in new computers and hardware to rebuild its IT network.

Most cyber attacks are made possible by exploiting vulnerabilities that have already been reported and addressed, so installing the latest security updates lowers the chances of an attack.

It is also important to note that there are projects such as No More Ransom that provide free decryption for various versions of several ransomware families.

Another project, ID Ransomware, can identify the ransomware strain by checking the ransom note or an encrypted file. For Ryuk incidents, Emsisoft can decrypt files in 3% to 5% of the cases and the ID Ransomware service can confirm if decryption works with a particular sample.

On the defense side, organizations should make sure that they have a proper file backup system that runs regularly and is isolated from the main network.
