On May 7, news broke that the City of Baltimore joined the ranks of at least 22 other U.S. government organizations compromised by a ransomware attack in 2019. Since then, the threat actor holding the city’s data for ransom has publicly taunted Mayor Bernard C. “Jack” Young on Twitter in hopes of collecting payment. However, Young has held strong in his stance against paying up.
Throughout the past month, our team has closely followed this incident, tracking the Twitter profile of the hacker , and analyzing the ransomware used in the attack. This event, along with thousands of others just like it, reminds us how prolific ransomware has become over the past several years.
This blog will take a look at the situation still unfolding in Baltimore, and hone in on tips for organizations to protect themselves from falling victim to these types of cyberthreats.
To Pay or Not to Pay
The solution to a ransomware attack to many organizations is simple: give the hacker what they want. However, the reality is that there is no simple solution to a ransomware attack. Security Researcher Eric Sifford with Armor’s Threat Resistance Unit (TRU) noted in our Threat Intelligence brief, “As a cybersecurity expert, I generally recommend against paying a ransom; however, each case is unique in its totality, and I understand sometimes an organization’s leadership may decide their best option is to pay.” There are a number of factors that go into deciding whether or not to pay.
For starters, there’s no guarantee that once you pay the ransom your files will actually be recovered. Although, according to Coveware’s Q1 2019 Ransomware Marketplace report, 96% of companies that paid the ransom received a working decryption tool. However, payment success rates varied depending on the type of ransomware.
Additionally, when you do pay the threat actor, you’re helping to further their nefarious business by rendering their malicious approach successful. Cybercrime is an ever-evolving underground market just like legitimate businesses we use every day. The biggest difference is, supporting their business causes significant damage and loss to yours.
While paying the ransom demand is not a best practice, we know every situation is unique. In the case of the Baltimore ransomware attack, Mayor Young has remained unwavering in his decision to not give in. However, in an interview with The Hill last week, he noted, “But in order to move the city forward? I might think about it. But I have not made a decision yet.”
Sometimes you have to weigh your options and determine which course of action will be best for your organization. Holding out too long can result in paying more for remediation costs than what you would have paid to get your data back from the threat actor.
Avoiding a Ransomware Attack
Remediation vs. ransom? Neither option is great, nor an expense you want to invest in. The best way to ensure you’re not stuck between these two options is to invest in proactive cybersecurity measures against ransomware.
While there are numerous ways to protect yourself against the ever growing number of cyberthreats—including ransomware attacks, Armor recommends organizations definitely adopt the following five security protections:
- Do not leave remote desk protocol (RDP) servers open to the internet. Many threat actors launching ransomware attacks target “open” RDP servers as their initial entry into a target’s computer network. The hackers scan the web for “open” internet-facing servers running the RDP service.
- Network segmentation. Implement network segmentation where possible. Having proper network segmentation can limit the blast radius if you experience a compromise.
- Keep IT systems and software up to date. Organizations should apply software security patches and updates as soon as possible and often.
- Air gapped backup storage. Users should have backups of their data that are air gapped from the internet.
- Perform security awareness training. Employees, continually educated about current and emerging cybersecurity risks, can better identify phishing emails and suspicious behavior. Effective awareness training should invoke active employee engagement and institutionalize the correct response to suspected phishing attempts. With proper foundational and enhancement training, employees can effectively act as cybersecurity monitoring and reporting sensors in a potent line of defense against cyberattacks.
Moving Forward
The ransomware attack in Baltimore is still unfolding day by day. Whether the city will decide to pay or not is yet to be known. Regardless, this will certainly not be the last ransomware attack we see making headlines this year.
Don’t let your organization fall prey to today’s threat actors. To follow along with additional updates on the Baltimore ransomware attack and learn more about how you can proactively protect your organization from a similar cyberattack, check out our Threat Intelligence Brief. Contact us today for more information about how Armor can help you protect your organization from a ransomware attack.