“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Just over a year ago a massive SamSam ransomware attack crippled the city of Atlanta. It took the city back to the Stone Age, or more appropriately, the Paper Age. A third of the software programs used by the city were taken offline or disabled. It affected an estimated 6 million people and cost the city $17 million in ransom payments and recovery costs.
Fast forward to May 2019 when Baltimore's government computer systems were infected with a new and aggressive ransomware variant named RobbinHood. All servers, with the exception of essential services, were taken offline. With the success of these attacks, local government infrastructures have become a target for cybercriminals. The number of attacks rose from 38 in 2017 to 53 in 2018. In the month of June there were reported ransomware attacks against:
We can attribute this surge to a number of factors. First off, ransomware attacks have become significantly more targeted than when they first emerged. Ransomware is typically an opportunistic attack employing a spam campaign to get as many clicks as possible. It operates under a commodity model where cybercriminals profit through the quantity of attacks, not quality of attacks. However, cybercriminals have increased their efforts on targeted attacks against more profitable victims. As proof, ransomware payouts have tripled in the last year.
Secondly, the bigger the organization, the less they likely they can devote the time and money needed to update and maintain every aspect of their cyber infrastructure. This creates a rather large surface area for attack. In addition, today’s ransomware attacks employ aggressive lateral movement techniques that traverse the infrastructure quickly. This increases the revenue potential for the attackers.
And finally, many city governments have failed to update their network architectures from legacy equipment. They have implemented poor patch management. And, they are understaffed with IT individuals who lack the proper cybersecurity expertise. To protect their IT infrastructure and the communities they serve, city governments should consider engaging a qualified Managed Security Services Provider to: