This report was originally scheduled to be published on January 1st, 2020. We have, however, decided to release it immediately due to a recent incident in which a ransomware attack may have resulted in a municipal government’s data falling into the hands of cybercriminals. We believe this development elevates the ransomware threat to crisis level and that governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked. We hope that releasing this report early will help kickstart discussions and enable solutions to be found sooner rather than later. Those solutions are desperately needed. The numbers contained in the report will be updated in the New Year and, unfortunately, will almost certainly be greater than the numbers currently stated.
Update – December 14th, 2019: Within 24 hours of this report being published, the city of New Orleans and several other public entities fell victim to ransomware attacks. We repeat the warning made above: the threat level is now extreme and governments must act immediately to improve their preparedness and mitigate their risks.
In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion. The impacted organizations included:
- 103 state and municipal governments and agencies.
- 759 healthcare providers.
- 86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected.
The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk.
- Emergency patients had to be redirected to other hospitals.
- Medical records were inaccessible and, in some cases, permanently lost.
- Surgical procedures were canceled, tests were postponed and admissions halted.
- 911 services were interrupted.
- Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field.
- Police were locked out of background check systems and unable to access details about criminal histories or active warrants.
- Surveillance systems went offline.
- Badge scanners and building access systems ceased to work.
- Jail doors could not be remotely opened.
- Schools could not access data about students’ medications or allergies.
“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better. ” — Fabian Wosar, CTO, Emsisoft.
Other effects of the incidents included:
- Property transactions were halted.
- Utility bills could not be issued.
- Grants to nonprofits were delayed by months.
- Websites went offline.
- Online payment portals were inaccessible.
- Email and phone systems ceased to work.
- Driver’s licenses could not be issued or renewed.
- Payments to vendors were delayed.
- Schools closed.
- Students’ grades were lost.
- Tax payment deadlines had to be extended.
This report examines the cost and the causes of the incidents, discusses the courses of action that should be taken and breaks down the numbers by sector.
What was the cost?
Due to the lack of publicly available data, it is not possible to accurately estimate the cost of these incidents. Perhaps the best indication of the potential cost comes from a statement made by Winnebago County’s Chief Information Officer, Gus Gentner, in September: “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.”
We cannot comment on the accuracy of that statement but, if correct, the combined cost of 2019’s ransomware incidents could be in excess of $7.5 billion. While we believe this overstates the actual costs – a small school district’s recovery expenses are unlikely to run to seven figures – it nonetheless provides an indication of the enormous financial impact of these incidents.
It should be noted that these incidents also had a broader economic impact. For example, in some instances, companies were unable to obtain the necessary permits and documentation to carry out certain work, disrupting and delaying their operations. Estimating these costs is beyond the scope of this report.
Why did it happen?
Ransomware incidents increased sharply in 2019 due to organizations’ existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses. Combined, these factors created a near-perfect storm. In previous years, organizations with substandard security often escaped unpunished; in 2019, far more were made to pay the price, both figuratively and literally.
A report issued by the State Auditor of Mississippi in October 2019 stated there was a “disregard for cybersecurity in state government,” that “many state entities are operating like state and federal cybersecurity laws do not apply to them,” and identified problems including:
- Not having a security policy plan or disaster recovery plan in place.
- Not performing legally mandated risk assessments.
- Not encrypting sensitive information.
The report also stated that “Over half of the respondents were less than 75 percent compliant with the Enterprise Security Program.” The program establishes minimum security requirements and compliance is required by law.
It should be noted that only a minority of states conduct statewide audits and, despite the multiple serious deficiencies that Mississippi’s audit identified, it was nonetheless one of the states least affected by ransomware in 2019. This gives rise to an obvious question: would audits in other states reveal that their security is even worse?
A 2019 University of Maryland, Baltimore County research report based on data from a nationwide survey of cybersecurity in U.S. local governments stated that “Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and funding for it,” and that “Local governments as a whole do a poor job of managing their cybersecurity.” The issues identified included:
- Just over one-third did not know how frequently security incidents occurred, and nearly two-thirds did not know how often their systems were breached.
- Only minorities of local governments reported having a very good or excellent ability to detect, prevent, and recover from events that could adversely affect their systems.
- Fewer than half of respondents said that they cataloged or counted attacks.
In some cases, governments failed to implement even the most basic of IT best practices. For example, Baltimore experienced data loss because data resided only on end-user systems for which there was no backup mechanism in place.
“Our research has shown that most American local governments do a poor job practicing cybersecurity. They must do better. And they can start by establishing a culture of cybersecurity throughout their organizations to best protect citizen information and maintain continuous service delivery.” — Donald F. Norris, PhD, Professor Emeritus, UMBC; Laura Mateczun, JD, PhD student in Public Policy, UMBC.
The fact that governments are failing to implement basic and well-established best practices, even when legally required to do so, can only be described as grossly negligent – especially as these entities know fully well that they are likely to be targeted in the ongoing campaign of cyberattacks. There is no excuse for this. They need to do better. They must be made to do better.
Unless governments improve their cybersecurity posture, cyberattacks attacks against them will continue to succeed.
What needs to be done?
There is no single silver bullet. Multiple initiatives are necessary in order to make public entities more secure and less susceptible to ransomware attacks and other security incidents.
- Improved security standards and oversight: The State Auditor of Mississippi’s report and UMBC’s research both indicate significant shortcomings in governments’ security. To address this, all government agencies and other organizations that provide critical services should be subject to federal- or state-mandated baseline security standards and audited to ensure those standards are met. Additionally, given that the Mississippi case clearly demonstrates that laws and audits do not necessarily result in compliance, mechanisms need to be put in place that enables agencies to be compelled to meet those standards.
- More guidance: Cybersecurity is complex and getting it right can be challenging, especially for smaller organizations. A small municipality needs a similar level of security to a large city, but has fewer human and financial resources with which to achieve it. The smaller the organization, the bigger the challenge. And what, exactly, must organizations do in order to achieve a satisfactory level of security? Should a small school district invest in annual penetration testing, third-party network security monitoring, both of these or neither of these? At present, even the smallest organizations need to conduct their own research and make these calls themselves. This is both an unnecessary waste of resources and a recipe for disaster as, clearly, many organizations are not making the correct decisions. Consequently, as mentioned above, baseline security standards need to be established. This is important not only so that acceptable levels of security are consistently achieved, but also to ensure that budgets are wisely spent.
- Security debt and funding: Underinvestment in IT has resulted in many organizations accruing a security debt, and security weaknesses are the result of that debt. According to UMBC’s research, more than 50 percent of governments identified lack of funding as a barrier to cybersecurity and this is almost certainly an issue in the education and healthcare sectors too. Resolving the problem may simply require that organizations reallocate their existing budgets, or it may require that additional funding be provided either by federal or state government. In either case, it is an issue that must be addressed.
- Closing the intelligence gap: Currently, there is no legal requirement for public entities to report or disclose ransomware incidents and, as a result, relatively little data about the incidents is available. However, information such as the ransomware strain used, the attack vector, the vulnerability exploited and the financial impact of incidents is critical as it can help other organizations better understand the threat landscape and better assess their security priorities. For example, if organizations know what weaknesses enabled other organizations to be compromised, they can make sure that they do not have the same weaknesses. To close the intelligence gap, reporting requirements should be introduced and the data collected aggregated, anonymized and shared. As Algirde Pipikaite (World Economic Forum) and Marc Barrachin (S&P) recently stated, “Information is power and, in cybersecurity, it’s the power to prevent other similar events.”
- Better public-private sector cooperation: Establishing stronger channels of communication between the public and private sectors is important for coordinating anti-ransomware efforts. Shared intelligence would enable both sectors to respond to incidents more effectively and reduce the recovery costs for impacted entities. Shared intelligence is especially important as, for a number of reasons, security companies cannot always be entirely transparent about the methods they use to circumvent ransomware or make the details of those methods public. For example, ransomware groups would be able to fix errors in their code if they were to realize that 1) those errors existed and 2) a security company was actively exploiting them to help victims. Consequently, there needs to be a method that enables information to be securely shared between federal and state law enforcement, other security companies and incident response companies. Without such a communication channel – and one does not currently exist – impacted agencies may not discover that a solution is available and could needlessly pay ransoms or unnecessarily incur other costs. On a positive note, legislation such as the DHS Cyber Hunt and Incident Response Teams Act, which was recently passed by the U.S. Senate, is certainly a step in the right direction.
- Legislative restrictions on ransom payments: In some cases, public agencies chose to pay ransoms because doing so was less costly than other recovery options. For example, Lake City elected to pay a $460,000 ransom even though the city may have been able to recover its data by other means. According to a ProPublica report, “The [Lake City] mayor, Witt, said in an interview that he was aware of the efforts to recover backup files but preferred to have the insurer pay the ransom because it was less expensive for the city. ‘We pay a $10,000 deductible, and we get back to business, hopefully,’ he said.” This is a problem. Such decisions should not be made on the basis of a simple cost-benefit analysis. The question of whether to use tax dollars to pay off extortionists is not a run-of-the-mill business decision and the cheapest option is not necessarily the best option. By paying ransoms, public agencies are incentivizing cybercriminals and helping perpetuate the cycle of cybercrime. While a blanket ban may not be practical, government should certainly consider legislating to prevent public agencies paying ransoms when other recovery options are available to them. While this may increase costs initially, it would be less expensive in the longer term. It seems bizarrely inconsistent that the U.S. government has a no-concessions policy in relation to human ransoms but places no restrictions whatsoever on data ransoms. In both cases, refusing to comply with extortionists’ demands disincentivizes other extortion attempts – and, of course, vice versa.
- Vendors and service providers must do more: It is safe to assume that every public entity has security solutions in place yet, despite that, many were impacted by ransomware. This is not good enough. Vendors and service providers need to step up to the plate, innovate, collaborate and do more to protect both their customers and their customers’ customers. For example, a significant number of ransomware attacks in 2019 were launched via the remote monitoring and management (RMM) tools used by managed service providers (MSPs), enabling multiple customers of the MSPs to be simultaneously compromised – more than 400, in one incident. These attacks were entirely foreseeable and mostly preventable. In the majority of cases, the attacks succeeded because two- or multi-factor authentication had not been enabled on the RMM. While RMMs support 2FA/MFA, vendors had not made its use mandatory and some MSPs chose not to use it. Most RMM providers have since made 2FA/MFA mandatory, but they did not do so until after their solutions were used as launchpads for large-scale ransomware attacks. This is not acceptable. The industry needs to be proactive rather than reactive and service providers must not prioritize convenience over security.
Insights and observations
- Cyber insurance: Organizations that have cyber insurance may be more inclined to pay ransom demands, which results in ransomware being more profitable than it would otherwise be and incentivizes further attacks. “The lesson that many governments seem to have drawn from these attacks is not that they need better network and data protections in place as well as more effective incident response plans, but rather that what they most need is more insurance coverage to help pay the ransoms demanded of them – a phenomenon that only contributes to more ransomware and better-funded criminals,” says Josephine Wolff, Assistant Professor of Cybersecurity Policy at The Fletcher School, Tufts University. To be clear, this is not to say that public agencies should not take out cyber insurance – on the contrary, it can be a very sensible investment – but rather that insurance should not be considered an alternative to properly funded and resourced security programs.
- Incidents are preventable: While 948 government agencies, school districts and healthcare providers were impacted by ransomware in 2019, not a single bank disclosed a ransomware incident. This is not because banks are not targeted; it is because they have better security and so attacks against them are less likely to be successful. If government agencies were simply to adhere to industry-standard best practices – such as ensuring all data is backed up and using multi-factor authentication everywhere that it should be used – that alone would be sufficient to reduce the number of successful attacks, their severity and the disruption that they cause.
- Backups are not a panacea: Too often, organizations’ response to the ransomware crisis is simply to invest in a better backup system. While a well-designed backup system should protect backups from being encrypted or deleted, using those backups to rebuild systems to a fully operational state after a ransomware incident is a process that can take weeks or months during which time organizations will continue to experience significant disruption. Consequently, emphasis needs to be placed on prevention and detection, and especially in organizations such as hospitals which provide critical services and cannot afford downtime. In particular, organizations should assume their perimeters will be breached and monitor their environments for signs of compromise. For example, Emotet, which is often used as a launchpad for attacks, may be present on a network for days, weeks or even months before being used to deploy ransomware. This provides organizations with a window of opportunity during which the threat can be detected and neutralized before a ransomware attack takes place. Prevention and detection are especially important given the increased risk of data being exfiltrated and made public during ransomware attacks (see below). To be clear, we are in no way downplaying the importance of backups; it is absolutely critical that all organizations have a robust and secure backup system in place.
- Data exfiltration: In November, a ransomware attack on Allied Universal, a security staffing firm, resulted in data not only being encrypted, but also exfiltrated and a part of it made public. The bad actor used the remaining non-leaked data as additional leverage, threatening to release it too should Allied Universal not pay the ransom. We expect “double whammy” attacks such as this to become more commonplace. This is an extremely concerning development, especially given the extreme sensitivity of the data that public sector agencies hold, and further demonstrates the need for emphasis to be placed on prevention and detection.
Breakdown by sector
State, municipal and other government agencies
At least 103 government entities were impacted by ransomware in 2019 with notable incidents including:
- Baltimore: On May 7, the computers of the Baltimore city government were infected with an aggressive strain of ransomware known as RobbinHood. The attack disrupted nearly every government department and affected the real estate market as property transfers could not be completed. The city refused to pay the ransom of 13 bitcoins (more than $75,000). Recovery costs have been estimated at more than $18 million.
- Riviera Beach: In June, Riviera Beach, Florida, was hit with ransomware when a police department employee opened a malicious email attachment. The attack shut down many services, including the city’s website, email server and billing system. The Riviera Beach City Council voted unanimously to pay the ransom demand of $600,000 and invested more than $900,000 into new hardware to rebuild its IT infrastructure.
- New Bedford: In July, New Bedford, Massachusetts, was hit with Ryuk ransomware, which encrypted the data of 158 computers. The attackers demanded a ransom of $5.3 million – which was the largest demand to be publicly disclosed at that point – and rejected the city’s counter-offer of $400,000. The cost of recovery is estimated to be less than $1 million, which the city expects will be covered by insurance. The incident resulted in grant payments to nonprofits being delayed by more than three months.
There were at least 86 universities, colleges and school districts impacted, disrupting operations at up to 1,224 individual schools.
- Louisiana public schools: In July, Louisiana Governor John Bel Edwards declared a state of emergency after three public school districts – Sabine, Morehouse and Ouachita – fell victim to ransomware. State resources, including cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services and others, were mobilized to help the schools. A State of Emergency was declared again in November when a ransomware attack affected 10 percent of Louisiana’s 5,000 network servers and more than 1,500 computers.
- Rockville Centre School District: On July 25, Rockville Centre School District was infected with Ryuk ransomware. The district’s insurance carrier was able to negotiate the initial ransom demand of $176,000 down to $88,000. The district’s insurer covered the ransom, although RCSD was charged a $10,000 deductible.
- Las Cruces Public Schools: In late October, a ransomware attack forced the shutdown of thousands of servers and devices in Las Cruces Public Schools, a school district headquartered in Las Cruces, New Mexico. The district did not engage with the attacker. Some 30,000 devices needed to be reformatted and their operating systems reinstalled before they could be used to access the Internet. This was the third time in the past six years that Las Cruces Public Schools has been attacked.
Healthcare organizations are under immense pressure to pay ransom demands as failure to comply could result in disruption that may endanger the lives of patients. The healthcare sector was the most popular target in 2019, with at least 759 providers being impacted by ransomware.
- Wood Ranch Medical: On August 10, California-based Wood Ranch Medical suffered a ransomware attack that prevented the medical records of 5,835 patients from being accessed. The practice’s backup system was encrypted during the attack, making data recovery impossible. The impact was so severe that the provider announced it would permanently close its doors. Earlier in the year, Brookside ENT and Hearing Center, Michigan, also shut down after its systems were wiped during a ransomware attack.
- Campbell County Health: In September, Campbell County Health in Gillette, Wyoming, faced severe disruptions after falling victim to ransomware. Surgeries were canceled, ER patients were transferred to alternative care facilities and the hospital was forced to stop accepting new inpatient admissions. Clinics continued to have limited access to patient information four weeks after the attack.
- DCH Health Systems: In October, Alabama hospital group DCH Health Systems, which includes hospitals in Tuscaloosa, Fayette and Northport, was hit with Ryuk ransomware. The hospitals were forced to stop admitting all new non-critical patients and medical staff had to rely on pen-and-paper systems as digital records were unavailable. DCH was able to restore some of its servers from backups but paid an undisclosed sum to regain access to other encrypted systems.
Like other businesses, criminal enterprises pursue strategies that have been proven to work. Given that ransomware attacks against governments, healthcare providers and educational institutions have indeed been proven to work, these sectors are likely to continue to be heavily targeted in 2020. Additionally, given the financial resources now available to bad actors and the significant profits that can be made, organizations in these sectors should expect that attacks will increase in both sophistication and frequency, possibly with the threat of the release of exfiltrated data being used as additional leverage to extort payment.
Payments are the fuel that drive ransomware. The only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid.
Governments must act, and they must act now.
“2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.” — Fabian Wosar, CTO, Emsisoft.
THANKS AND NOTES
We’d like to thank the academics, journalists, security researchers and other individuals who kindly shared information with us over the course of 2019. Without that information, we would not have been able to help as many ransomware victims as we did. We hope the information we were able to share with them was equally useful.
This report is based on data from multiple sources, including press reports, and almost certainly understates the actual number of incidents. The report does not include data relating to attacks on private companies as these incidents are too infrequently disclosed to enable the production of meaningful statistics.