
5 Lessons to Avoid Being a Ransomware Victim

Dec 6, 2019 | BLOG

One of the biggest organizational nightmares today is being attacked by ransomware. Worse than that is failing to recover from such an attack.

In this article, we will look at the second ransomware attack within a year in the city of Baltimore and what organizations can learn from this case so they do not become the next victims.

Baltimore City

Baltimore is in the state of Maryland, in the United States, and has joined Greenville and other American cities that have had their systems down due to ransomware in recent months.

Ransomware is malware that performs a “virtual hijacking”. After infecting a machine through email links, file downloads and other means, this malware encrypts the data on the infected systems and demands payment to recover it.

In March 2018, the city’s police and fire brigade phone system was affected by ransomware due to accidental misconfiguration in the firewall.

RobbinHood: The Baltimore City Data Hijacker

In May this year, Baltimore again fell victim to this type of malware. Due to the lack of a 24/7 security monitoring system, the incident took hours to identify.

Payments for utility bills, such as water bills, could not be made through credit cards; the public works department had no network; the city hall mail server was unavailable and other services were damaged due to a variant of the “RobbinHood” ransomware.

“RobbinHood” – a kind of ransomware that also affected cities in North Carolina – demanded the payment of 3 bitcoins ($17,600 – the price at the time) per computer or 13 bitcoins ($76,280) to release all the city’s data.

The ransomware note also warned that payment should be made within four days or the price would increase, and warned that antivirus use would damage the city’s data.

“We’ve watched you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections, so don’t ask for more times or some things like that. We won’t talk more all we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!” (DUNCAN; CAMPBELL, 2019)

At the time, Mayor Bernard C. “Jack” Young stated that the city would not pay for ransomware and would not accept bribes of any kind.

In August, the city voted to transfer $6 million from the Baltimore Recreation Fund to help pay for investments to make the system more secure. However, the cost of the attack is estimated to be at least $18.2 million.

Frank Johnson – the city’s CIO – was criticized for his leadership in the midst of the crisis in May. A former top salesman at Intel, Johnson said during the recovery period that he had a recovery strategy, but the mayor’s representative said there was no plan in place, even though Mayor Jack had requested one.

Lack of transparency and communication were also pointed out by local authorities in relation to Johnson’s leadership.

In September, an audit was conducted on the city’s computers. It concluded that the lost data could not be recovered because it was being stored locally on each hard drive; none of it was saved to the cloud, nor was any form of backup being performed.

Not only was the data lost, but so was the documentation on disaster recovery plans and security patch installations, and because of this, the auditors cannot be sure whether the city actually had such processes.

Finally, the city is now considering hiring a cyber insurance service to protect itself against future attacks.

And what are the lessons learned?

Even though there is still no magic bullet to prevent ransomware attacks, the Baltimore case brings us some lessons to ponder:

1 – ALWAYS have a backup

The scary thing about this whole episode is that the city did not have a backup available to recover its lost data, and city officials were not instructed to store copies of important data.

An English ambulance service is a success story involving backup and ransomware. After being infected with this kind of malware, the company returned to normal operations in less than 30 minutes, as it restored all of its information from backup.

Perhaps, at the moment, the cost of a backup may seem too large for your organization, but it will never be higher than the cost of recovering data once it is lost.

Always have a backup, either on a second server or in the cloud.

2 – NEVER pay the ransom, unless…

Paying the ransom is never recommended: doing so encourages criminal practices to grow, because crime ends up paying off.

In the case of Baltimore, which did not have a backup, the only hope of recovering the data would be to pay for the ransom, even without any guarantee that access would be returned.

The best solution is “Never pay the ransom and always have a backup.”

3 – Have a prepared leader

The level of CIO Johnson’s technical knowledge in information security is not clear, but given that he is a former Intel employee from the sales department, there is some doubt about his technical experience.

Even after a previous attack under its management, the city’s IT department had not yet created a plan to follow during cyber crises, let alone adopted the practice of keeping a backup.

The organization needs someone who not only understands the seriousness of the situation, but can also devise and carry out strategies that bring activities back to their normal pace, from a managerial but mainly technical point of view.

4 – Have a contingency plan

For any type of incident, a contingency plan should be in place. Contingency plans prevent the situation from spinning out of control in the midst of a crisis and help employees know what to do, so that damage is kept to a minimum.

This type of plan typically describes step by step how to perform the fastest possible system recovery.

It took Baltimore weeks to get back to using its systems, and it definitely lost a lot of data. This would have been avoided with a well-designed contingency plan.

5 – Consider Cyber Insurance Services if really needed

Hiring cyber insurance may not be ideal for every case or company. It is a decision to be evaluated, as the cost of these services can often far exceed the cost of actions the organization could take itself. There are scenarios where this type of company is of great help, but one should consider whether these companies are actually reliable, as some were investigated for “removing” ransomware by paying the ransom without the victim’s knowledge.

6 – Have a solution that monitors access

The city did not have network monitoring, which allowed the ransomware to spread across workstations unnoticed.

According to RobbinHood’s own note, the malware was in the system for days finding ways to gain full access to the network until it hijacked all the data.

If there were a system capable of monitoring suspicious access and privilege abuse, ransomware might have been identified earlier and its spread blocked.

Vitali Kremez, a researcher who studied “RobbinHood”, said this type of ransomware is new and goes undetected by antivirus tools, and that the attacker relies on unrestricted access to spread the malware.

Services and workstations would not have been affected if access to each of them had been separate, restricted, and monitored.
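The kind of monitoring the last few paragraphs call for can be illustrated with a small detection script. The example below is added here and is not code from the original post or from any product it mentions: it parses constructed logon records (the log format, host names and account names are assumptions) and flags any account that reaches more than a handful of distinct hosts within a short window, which is the spread pattern a credential with unrestricted access produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not from the original post). The format
# "timestamp LOGON user=... src=... dst=..." is an assumption for this example.
SAMPLE_LOG = """\
2019-05-07T02:01:10 LOGON user=svc_backup src=WS-011 dst=FILESRV-01
2019-05-07T02:01:42 LOGON user=svc_backup src=WS-011 dst=WS-014
2019-05-07T02:02:05 LOGON user=svc_backup src=WS-011 dst=WS-022
2019-05-07T02:02:31 LOGON user=svc_backup src=WS-011 dst=WS-023
2019-05-07T02:03:00 LOGON user=svc_backup src=WS-011 dst=PRINT-01
2019-05-07T08:15:00 LOGON user=jdoe src=WS-003 dst=FILESRV-01
2019-05-07T09:40:12 LOGON user=jdoe src=WS-003 dst=MAIL-01
"""

LINE_RE = re.compile(r"^(\S+) LOGON user=(\S+) src=(\S+) dst=(\S+)$")

def parse_log(text):
    """Turn raw lines into (timestamp, user, src, dst) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, dst = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return events

def find_spreading_accounts(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {user: sorted distinct targets} for every account that logs on to
    more than max_hosts distinct hosts inside any sliding window of `window`."""
    by_user = defaultdict(list)
    for ts, user, src, dst in events:
        by_user[user].append((ts, dst))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            # keep the widest window seen for this account
            if len(targets) > max_hosts and len(targets) > len(alerts.get(user, ())):
                alerts[user] = sorted(targets)
    return alerts

if __name__ == "__main__":
    for user, hosts in find_spreading_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {user} reached {len(hosts)} hosts in a short window: {hosts}")
```

In a real deployment the same check would run over the domain controller or PAM session logs, with the window and threshold tuned to the environment's normal service-account behaviour.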

senhasegura is a PAM solution that helps control access to workstations and critical system credentials.

In addition to detecting and warning of suspicious access, it also creates abuse restrictions that can prevent malware that has infected a workstation from gaining access to other stations on the same network.
