The attacker chose Friday, August 16th, to take down the systems managing 22 towns, government agencies and counties in Texas. In the most brazen operation to date, the unknown ransomware group simultaneously triggered systems in the nearly two-dozen jurisdictions to seize up, hobbling municipal, county and police services across the state.
The town of Borger, TX, lost access to birth and death records, and could no longer accept utility and tax payments. The town of Kaufman, TX, announced it had been "severely affected by an outside source."
"At this time, all of our computer and phone systems are down and our ability to access data, process payments, etc. is greatly limited," the town stated on its Facebook page. "We are currently working with a third-party IT Company to identify and correct the issue. However, all City Hall services will be limited until our systems are back online."
By the end of the weekend, the Texas Department of Information Resources had activated its coordinated response, bringing in several state agencies, such as the Division of Emergency Management, as well as the Texas A&M University System's Security Operations Center.
The attack—one of more than 5 dozen targeting local government organizations this year—highlights an ongoing change in tactics among ransomware groups, moving from the low-stakes attacks on consumers to targeting bigger game: companies, government agencies, and organizations. In its 2019 Internet Security Threat Report, Symantec found that in 2018, while ransomware attacks targeting consumers shrank, attacks targeting enterprise rose 12 percent, making businesses and other organizations account for 81 percent of all ransomware infections.
One major reason for the targeting shift: Consumers are more trouble than they are worth, says Dick O'Brien, principal editor at Symantec, who authored an ISTR special report on targeted ransomware.
"A lot of the consumers these days do not use computers that much, and ransomware is designed to infect Windows computers—they are not in the firing line, as much as enterprise users," he says. "Enterprises are—I would not say an easier target, but there are more possibilities for a compromise with them."
Consumers: A Low Return on Investment
Consumers used to be the easy target.
For much of the first decade of the new century, a particular class of fraudsters would scare consumers with dire warnings that their computer had been compromised, and demand that they buy antivirus or pay a fee to keep it safe. This so-called "scareware" gave way to real attacks that locked systems using a variety of technical tricks and demanded money to unlock the operating system. Yet, security firms could often easily create utilities to restore victims' systems.
In 2013, the first modern data-encrypting malware, Cryptolocker, was released. While earlier ransomware—most notably the AIDS Trojan of 1989—had used rudimentary encryption, Cryptolocker was the first ransomware to really focus on making the encrypted data unrecoverable. In 2016 and 2017, ransomware started taking off, fueled by spam campaigns, the rise of bitcoin, and opportunistic attacks on consumers. A small fraction of consumers could be counted on to click on a malicious link, infecting their systems.
While 2018 saw a decline in the targeting of consumers, a research paper published by researchers at Stanford University, New York University and Symantec found that the revenue of criminals likely surpasses $100 million annually. In the paper published at the annual USENIX Symposium on Usable Privacy and Security, the researchers found that about 2 to 3 percent of adult consumers are impacted by ransomware each year and only 4 percent of those affected actually pay a ransom, which averages about $530.
Because the return on investment for consumers is quite poor, the only way to make such an attack profitable is to have a highly automated process, says Camelia Simou, a PhD candidate in computational social science at Stanford University and one of the paper's authors.
"Since it is an automated attack and low-cost attack, you can create a botnet to send out the malware and get hundreds of thousands of victims," she said. "It is definitely a different strategy, compared to the time and effort needed to carry out an enterprise attack."
The data is based on a detailed survey of 1,180 U.S. adults and suggests that between 5 million and 7.5 million U.S. adults are affected by ransomware each year, which results in cyber criminal profits of between $106 million and $159 million a year. Many other less rigorous surveys have been published by companies that suggest higher figures.
While a small fraction of consumers did pay the ransom, the vast majority—75 percent—solved the problem themselves, either by restarting their computer, using an online tool or AV software, or restoring their computer from a backup, according to the survey. In about one in eight cases, the malware was removed by someone else. Finally, about 5 percent of consumers just reformatted their computers.
That's yet another reason that ransomware operators have moved away from consumers. "I think, for most consumers, $1,000 may be the most that they are willing to pay for their data, whereas for enterprises, they are willing to pay a lot more," according to Symantec's O'Brien.
Consumer Learning Curve
The experience of having your life encrypted and held for ransom should only happen once. Yet, the Stanford, NY University and Symantec research paper found that consumers did not necessarily change their behavior after suffering an attack. Following an attack, about two-thirds of consumers claimed to browse more carefully, 44 percent purchased an antivirus product, and 31 percent updated their current antivirus product.
The consumer still represents a potentially lucrative market, because many people do not take the correct steps to secure their systems after an attack. Only 26 percent of consumers started to back up data, and 22 percent began backing up data more regularly, which suggests that more than half of consumers don't back up regularly.
"Very few people actually started saying that they were backing up their data, even following an attack," Simou said. "And that pointed to us a need for more education."
Consumer behavior matters. Someone who does not download pirated or untrusted media or software, backs up regularly, and protects their computer with a password almost never encounters ransomware, according to a simple risk assessment given to participants in the Stanford survey.
The mini quiz scored people based on their behaviors. A person who frequently downloads from torrent sites, does not back up their data, has downloaded an untrusted application, and does not password-protect their computer has a greater than 7 percent chance of being impacted by ransomware.
"You can never be 100 percent safe, and it is hard to tell people to protect themselves better," Simou said. "But at least consumers can mitigate the effects of a ransomware attack and avoid paying the ransom, if they back up."