Cybercrime today comes in a range of forms. Malware has a wide variety of purposes, from turning targets into botnets or cryptocurrency mining machines to extracting data. But one tactic that's particularly dangerous is malware that blocks users' access by encrypting key files on their system, then demands payment in exchange for the decryption key.
This technique, known as ransomware, has quickly become one of the most troublesome forms of cybercrime, and it's one that can be especially devastating to deal with. From a criminal's perspective, it's easy to see where the attraction lies. Ransomware programs are easily available (they can be found on the dark web for just a few hundred dollars), but the damage they can do can be so comprehensive that victims may feel they have no choice but to pay up.
One of the most recent high-profile organizations to fall victim to this form of attack was the city of Baltimore. In May 2019, it reported an attack that affected thousands of computers, locking employees out of their emails and leaving citizens unable to pay utility bills, parking tickets and taxes.
It's estimated that the incident cost the city at least $18 million in recovery operations and lost revenue, and it took weeks for services to return to normal. So what can other organizations, public and private, learn from the incidents to make sure they're not the next victim?
1. You're more vulnerable than you think
One of the sad truths about the Baltimore attack is that it actually isn't that rare. Indeed, there's a long list of public bodies that have fallen victim to such attacks, from small townships to huge metropolises. Greenwood, Atlanta, Cleveland: the list goes on.
Local governments are particularly lucrative targets for ransomware hackers for a number of reasons. Firstly, their IT protections are often weaker than those of many private businesses, as governments tend to use outdated equipment and have limited budgets to devote to upgrading their systems.
Add to this the fact they run many critical systems, from utilities to tax payments, that will affect tens if not hundreds of thousands of people, and the potential for disruption is huge. Therefore, they may well be more likely than other organizations to give in to ransom demands in order to restore system availability.
However, these risks aren't confined solely to municipal organizations. Many private enterprises may also suffer from weak security systems if they've neglected this area, and it can take only one mistake, such as opening a spear-phishing email, for ransomware to gain access to a system. Baltimore wasn't the first city to be targeted, and it certainly won't be the last.
2. However you respond, the cost will be huge
As cities such as Baltimore and Atlanta have discovered, the costs associated with ransomware can be huge. In addition to the direct costs created by having to remove infections or even rebuild networks and databases from scratch if files cannot be decrypted, the lost revenue as a result of being unable to send out bills or process payments will quickly add up.
It's estimated that in total, ransomware attacks in 2019 are set to cost more than $11.5 billion in business disruption, investigation and recovery, and reputational damage. Therefore, protecting against these attacks can't be seen just as an IT issue. It's a critical business risk, and as such requires support and attention from the most senior executives to ensure security teams have the resources they need to block such attacks before they have a chance to execute.
3. Prevention is better than cure
Once files are encrypted and access is lost, there's very little cities like Baltimore can do to retrieve their data. That's why stopping the attacks before they can do damage is so important, and why basic security steps matter: using proxy servers to halt malicious downloads, disabling USB thumb drives and using security software to protect against email threats and malware.
Failing that, segmenting networks effectively so that hackers can't move freely through the entire system will also be important. And of course, for the worst-case scenario, comprehensive backups stored in totally separate systems are a must, so that you can work through any disruption without permanently losing data.
4. Payment isn't the answer
A big question for many organizations that fall victim to these ransomware attacks is 'should I pay?' While the official advice from the FBI is not to give in to any ransom, this can be tough to follow in practice. Indeed, when the potential recovery costs of rebuilding from scratch far outweigh the actual cost of the demand, it can be tempting to take the relatively small hit of the ransom and hope for a resolution.
This is the path chosen by several victims, such as Riviera City and Lake City in Florida, which recently paid $600,000 and nearly $500,000 respectively to unlock their files. But there are a couple of problems with this. Firstly, capitulation will only encourage ransomware authors to try again, and the more confident they are that they’ll get paid, the bolder they’ll become.
What's more, there's no guarantee you'll actually get your files back. In fact, according to one study, fewer than half of ransomware victims that pay up actually get access to their data restored. Therefore, if you're going to be paying out large figures to restore systems anyway, why encourage the criminals?