Following what it terms an unprecedented and unrelenting barrage of ransomware attacks, security vendor Emsisoft has sharply criticised American public service organisations for not acting on the growing threat and taking measures to protect against it.
Emsisoft released its annual report on ransomware attacks in the United States early after criminals recently not only encrypted a municipal authority's data for extortion, but also stole it.
The security vendor's tally this year stands at 948 government agencies, educational institutions and healthcare providers being hit with ransomware.
Most of these, 759, are healthcare providers, Emsisoft said.
The report echoes those published by other security vendors such as Symantec, which in July released estimates that pointed to ransomware attacks having increased four-fold over the past two years, as more criminals pile in to share in the success of prior extortionists.
Like Symantec, Emsisoft is at pains to point out the seriousness of ransomware attacks.
Apart from causing disruption and being costly and difficult to recover from, ransomware attacks could endanger people's health and even their lives by, for example, denying access to medical records, forcing surgical procedures to be cancelled, and interrupting emergency services.
The security vendor's chief technology officer Fabian Wosar said that "the fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020."
Emsisoft noted that many attacks would have been preventable if government agencies had adhered to industry-standard best practices such as backing up data securely and using multi-factor authentication everywhere.
Banks in the US did not report a single ransomware attack in 2019, not because they're not targeted, but because they have better security, making attacks less likely to succeed.
Too often, public service providers failed to implement even the most basic of well-established IT best practices even when they're legally required to do so.
This lack of precaution "can only be described as grossly negligent" and Emsisoft said there is no excuse for this.
In a number of cases, local authorities have paid ransoms as this was seen as the cheapest recovery option.
ProPublica cited the council of a Florida city that approved a ransom worth US$460,000 to be paid in Bitcoin by insurers, despite the possibility of recovery from backups.
Paying a US$10,000 excess deductible was deemed to be cheaper and faster than recovery from backups, which would have exceeded the city's US$1 million cybersecurity insurance coverage.
Such a simple cost-benefit analysis is not necessarily the best option as it encourages ransomware criminals, Emsisoft said.
The security vendor said it's bizarrely inconsistent that the US has a no-concessions policy when it comes to humans being held ransom, but no such restrictions for extortion involving data.
Better standards with auditing, improved guidance and more funding for cybersecurity are needed to stem the flood of ransomware attacks.
Public-private sector cooperation needs to improve as well, with better information sharing on incidents, Emsisoft said.
It's not only governments that need to do better, but also their vendors and service providers.
A significant number of attacks this year were launched via remote monitoring and management tools used by managed service providers.
Using MSP tools as the attack vector is particularly effective for ransomware criminals as it enables multiple victims to be compromised simultaneously, over 400 in one particular incident.
The attacks were entirely foreseeable and mostly preventable, but succeeded as vendors had not made it mandatory for MSPs to enable two- or multi-factor authentication on remote tools.
It was only after their solutions were used as launchpads for large-scale ransomware attacks that 2FA/MFA became mandatory to use for remote management tools, and that is not acceptable, Emsisoft said.