Inside the Battle Against Ransomware Attacks

Survey results show less than half of respondents have ransomware incident response plan

NBC Universal, Inc.

Ransomware attacks have doubled in each of the past two years, according to a new report from the nonprofit group Identity Theft Resource Center, and the group said hackers demanding payment could become the number one cause of data compromises this year, surpassing phishing schemes.

As witnessed over the past couple of years, it seems no company, government or school is immune to the risk.

"There's no silver bullet that protects you from everything,” Maryland Chief Information Security Officer Chip Stewart said.

In December, a ransomware attack forced the state’s Department of Health to shut down its website in the middle of the pandemic. It impacted COVID-19 data reporting, hospital operations, even funerals.  

"Systems start malfunctioning, which is how this event was detected," said Stewart.

He told the I-Team that as soon as the threat was discovered, emergency plans kicked in and the agency immediately took servers offline to protect the network.

"Ransom payment is always part of the discussion. Fortunately, because of the work we've done leading up to this, we haven't had to consider that as a real possibility at this point," said Stewart.

Attacks like these happen thousands of times each year, said Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 by Palo Alto Networks, a specially trained team of cybersecurity experts who help with ransomware negotiations.

“Ransomware has gone absolutely insane. They're continuing to expand their tactics and ways that they're trying to get paid. The best thing to do is not to pay. But there are cases where you have to because otherwise your business is done. It can be a really, really tough situation,” she said.

Last April, D.C.'s Metropolitan Police Department got hit with an attack. The hackers wanted $4 million. MPD offered $100,000 but ended up paying nothing. Files containing sensitive information on officers and suspects were posted on the dark web.

"It's definitely a place where criminals hang out. It's definitely a place that you know these threat actors are leveraging to stay anonymous," said Ramarcus Baylor, a ransom negotiator for Unit 42 and senior director of incident response.

"You need to exude confidence and be able to negotiate,” he said when dealing with attackers. “You have to come off as calm."

But that can be difficult for a company executive to do when their entire business might be on the line. Some ransomware attacks deny access to operating systems. Others steal and encrypt data, then demand payment to unlock it.

"You are in a better situation if you have a means of being able to restore and recover from backups, so you won't have to pay," said Baylor.

But he said even then, the attackers sometimes switch gears and use what's called double extortion: threatening to release the info they've stolen publicly. And that can impact everyone.

"Suffering from a ransomware attack is definitely something that people can feel that impact, not just the business," he said.

Yet the average American might not understand how problematic ransomware is right now.

“Ninety percent of the people can't even explain what ransomware is,” said Mark Weatherford, who works as chief strategy officer at the National Cybersecurity Center.

He also served as the first deputy undersecretary for cybersecurity for the Department of Homeland Security in 2011. He said it's a problem the U.S. can't solve on its own since the bad actors are mainly operating overseas.  

"At first it was kind of like they would just find any random company they ran across,” Weatherford said. “There's a lot more reconnaissance and intelligence gathering happening now."

He said that means they're more frequently hitting entities that can't afford not to pay, like governments and hospitals that must have access to patient records, lifesaving equipment, even communication systems.

"State and local governments are always a bit behind the private sector simply because, well, certainly funding. And they just, they move at a glacial pace compared to the private sector, " said Weatherford.

Unit 42's parent company, Palo Alto Networks, surveyed 200 state and local government leaders for the I-Team and found budgets have generally increased. But many still felt they weren't prepared enough to protect against ransomware. Less than half, 48% of those who responded, said their organization had a ransomware incident response plan. Close to 80% admitted they don’t think the risk of ransomware will subside in the next couple of years.

Most Organizations Are Not Prepared for a Ransomware Attack

Between 2019 and 2020, ransomware payments increased by 171% from $115,123 to $312,493.

Source: Palo Alto Networks Ransomware Survey
Credit: Andrew Williams/NBC

Two months after the ransomware attack against the Maryland Department of Health, Stewart is still working to fully restore all of the systems from its backed-up files.

"I think even worse than restoring slowly is restoring inaccurately and having people make decisions based on bad data," he said.

He said he couldn’t disclose how the hackers got in or how much they demanded because the investigation is still active.

He did say they've found no Marylanders' health information to be compromised and nothing that hasn't been able to be restored so far. He told the I-Team certain systems are already back online with workarounds in place. But it will be several more weeks or even months before everything is back to normal. And he expects the agency's security will actually end up being stronger from this in the future.

"You have to realize that it's going to happen,” Stewart said. “And what really matters is that you're prepared to respond when it does."

Reported by Jodie Fleischer, produced by Rick Yarborough, and shot and edited by Steve Jones.
