Public-sector victims of ransomware that chose to pay forked over almost 10 times as much money on average as their private-sector counterparts over the second quarter of 2019, according to research published Tuesday by Coveware, a security firm that specializes in ransomware incidents.
Between April and June, the company found, the average payment from a government victim totaled $338,700. The average payment for all victims was $36,295. But overall, Coveware found, ransom payments have been rising.
In cases of attacks against governments, the surging ransom amounts can be attributed in large part to a family of malware called Ryuk, which has infected numerous local governments around the United States in recent months, including several that have coughed up six-digit sums to hackers in exchange for decryption keys promised to restore access to their networks and data. In June alone, the Ryuk hackers collected nearly $1.1 million from attacks on Lake City and Riviera Beach, Florida. On Monday, officials in La Porte County, Indiana, acknowledged paying $130,000 to end an attack that began July 6.
Despite warnings from the FBI and other law enforcement agencies that ransomware victims should refuse to satisfy their attackers’ demands, many local governments find themselves outmatched by evolving cyberthreats and lacking resources to acquire the latest — and ideally better-protected — hardware and software, said Coveware founder Bill Siegel.
“Public sector organizations are a soft target,” he said. “They’re underfunded and using hardware and software that should have long been replaced. I’ve talked to the IT managers of some of these places, and they don’t have a chance. They’re so horribly understaffed, running systems that are antiquated.”
Even major cities that have suffered ransomware attacks, like Atlanta and Baltimore, were found to have been running many of their municipal applications on servers with long-expired versions of Microsoft Windows. While those cities were attacked with viruses other than Ryuk, they have both become examples of how quickly the full cost of a ransomware attack can climb as they’ve scrambled to hire data-recovery experts and purchase new equipment.
Atlanta Mayor Keisha Lance Bottoms told Congress last month her city has already spent $7.2 million since its attack in March 2018, and Atlanta officials have estimated the full cost could eventually reach $17 million, a figure that includes the estimated cost of lost business to the city. In Baltimore, which is still dealing with the effects of a May attack, officials are bracing for an $18.2 million toll. Meanwhile, Imperial County, California, the target of a Ryuk attack in April, has spent at least $1.6 million to rebuild its systems after refusing to pay a $1.2 million demand.
Siegel said that kind of spending happens in place of long-term IT procurement strategies.
“A ransom payment gets you your data back. That’s it,” he told StateScoop. “The money that [these cities have] spent, they probably should’ve been investing $2 million more in IT security over the past few years and this is one big payment.”
Still, attacks against governments make up a very small portion of the overall ransomware landscape. Over the second quarter of the year, just 3.4 percent of attacks targeted the public sector, with the vast majority hitting small businesses, according to Coveware, though the hackers behind Ryuk are known to favor larger enterprises, including governments. Despite their small share of the ransomware universe, public-sector attacks get nearly 100 percent of public attention, Siegel said.
Siegel suggested that government ransomware incidents are more public because open-meetings rules create records of officials’ decisions to either pay hackers’ demands or approve emergency IT contracts, as opposed to private companies, which have the incentive — and ability — to keep things confidential.
Along with the rise in payments, the frequency of overall ransomware attacks — especially against state and local governments — only appears to be accelerating, according to research published earlier this year by security firm Recorded Future. Siegel said that while the threat is only getting more pervasive, governments at least appear to be more cognizant they could be targeted next.
“The only positive thing is increased awareness of the risk,” he said. “If you’re responsible for securing a public sector organization’s IT footprint and you’re not a target, you haven’t read the paper. There’s not a lot to be hopeful for because this will continue until these organizations protect themselves.”