Ransomware Attacks New York Capital; Aftershocks Expected

"Malware continues to grow in sophistication and the newer forms of ransomware are particularly deadly to most business."

Ransomware alert. (Source: Shutterstock)

New York’s capital city Albany spent last weekend tackling a ransomware cyberattack. The attack affected Albany police department systems, including scheduling and email applications accessed over the Internet, multiple reports suggested.

Albany Mayor Kathleen Sheehan confirmed in a social media post that the city experienced a ransomware cyberattack but didn’t give details about its extent. The incident apparently jammed computers in patrol cars, according to the Albany Times Union. All city services except for obtaining birth, death and marriage certificates resumed Monday morning. About 100,000 people reside in Albany, and more than 1 million people live in the immediate area, known as the Capital District, which also includes the cities of Schenectady and Troy.

Schenectady County faced an attack from hackers last year when someone tried to gain access to the county’s bank accounts, but the institution caught the intrusion attempt.

“Malware continues to grow in sophistication and the newer forms of ransomware are particularly deadly to most business,” commented Pravin Kothari, CEO of San Jose-based cloud security company CipherCloud. Kothari indicated that the Albany attack appears to have used SamSam, a custom-infection ransomware deployed in targeted attacks since 2016 against city networks in Georgia, Indiana and Colorado. “It has been increasing the cost of their ransom as well. It spreads using a range of exploits or brute-force tactics. In 2018, SamSam was enhanced to exploit vulnerabilities in remote desktop protocols, Java web servers, or FTP servers to gain access to victims’ network.”
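The brute-force entry path Kothari describes leaves a recognisable trace on the defender's side: a burst of failed logons from one source, often across several account names, followed by a success. The following added example (not code from the article, CipherCloud or any other named vendor) scans constructed authentication log lines for that pattern with a sliding window. The log format, the addresses and accounts, and the `threshold` and `window` values are assumptions made for the illustration; a real deployment would read Windows 4625/4624 events or an RDP gateway log instead.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a simplified authentication log (not taken from the
# article): ISO timestamp, outcome, source address and target account.
SAMPLE_AUTH_LOG = """\
2019-03-30T02:14:01 LOGON_FAILED src=203.0.113.7 user=administrator
2019-03-30T02:14:03 LOGON_FAILED src=203.0.113.7 user=admin
2019-03-30T02:14:05 LOGON_FAILED src=203.0.113.7 user=backup
2019-03-30T02:14:06 LOGON_FAILED src=203.0.113.7 user=administrator
2019-03-30T02:14:08 LOGON_FAILED src=203.0.113.7 user=administrator
2019-03-30T02:14:09 LOGON_FAILED src=203.0.113.7 user=administrator
2019-03-30T02:14:11 LOGON_SUCCESS src=203.0.113.7 user=administrator
2019-03-30T02:15:30 LOGON_FAILED src=198.51.100.22 user=jsmith
2019-03-30T02:15:41 LOGON_SUCCESS src=198.51.100.22 user=jsmith
2019-03-30T08:01:00 LOGON_SUCCESS src=10.0.0.5 user=kdoe
"""


def parse_auth_line(line):
    """Split one log line into (timestamp, outcome, source, account)."""
    ts, outcome, src, user = line.split()
    return (datetime.fromisoformat(ts), outcome,
            src.partition("=")[2], user.partition("=")[2])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with at least `threshold` failed logons inside a sliding window.

    Returns {src: {"first_alert": datetime, "accounts": set,
                   "success_after_burst": bool}}.  A success from a source
    that already tripped the threshold is the strongest signal that the
    guessing worked and the target host should be treated as compromised.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    tried = defaultdict(set)      # src -> every account name it has failed against
    alerts = {}
    for line in lines:
        ts, outcome, src, user = parse_auth_line(line)
        if outcome == "LOGON_FAILED":
            tried[src].add(user)
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first_alert": ts, "accounts": tried[src],
                               "success_after_burst": False}
        elif outcome == "LOGON_SUCCESS" and src in alerts:
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        state = "LIKELY COMPROMISED" if info["success_after_burst"] else "burst only"
        print(f"{src}: first alert {info['first_alert'].isoformat()} "
              f"accounts={sorted(info['accounts'])} ({state})")
```

The second source (two events, one failure) stays below the threshold, which is the point of a windowed count rather than a lifetime count: an ordinary mistyped password should not page anyone.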

Atlanta’s computer systems were targets of a ransomware attack in March 2018. The Atlanta Journal Constitution estimated the incursion cost the city, which declined to pay the hackers, as much as $17 million in recovery and upgrades to strengthen its information systems against subsequent attacks.

To better combat malware, Kothari recommended that enterprise organizations improve their awareness training and security processes with real-time monitoring, backups, cloud security brokers, email security, strong passwords, and rights management to protect data. This lets ransomware be tackled in real time or near real time, so that data cannot be stolen during a cyberattack or an attempt by ransomware-wielding cyber thieves to compromise it. “Encryption and rights management are necessary to be certain that a ransomware attack has not compromised regulated data as required by regulatory requirements of HIPAA, PCI, GDPR, etc.,” Kothari said. “Enterprise security operations centers now usually budget for specific ransomware detection and remediation software. This software protects against the most common ransomware attack vectors.”

Colin Little, senior threat analyst at cyberthreat intelligence firm Centripetal, said, “Ransomware is a perfect example of how an unskilled operator can cause massive amounts of damage to an organization, all in an effort to monetize their criminal efforts.”

Little noted that the good news is that, since ransomware is an established malware family, there is a lot of threat intelligence available to identify and combat it. “The files involved, the locations on the endpoint those files are written to, the email or website used to deliver the malicious payload, the server it uses for command and control, all are typically re-used infrastructure.” Little said this means that if an organization is proactively using threat intelligence, it can stop an attack like this before it starts, even if its conventional security tools miss it.
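Little's point is that the reused pieces (file hashes, drop locations, delivery and command-and-control domains) can be turned into indicators and checked against telemetry before the encryption stage. The following added example (not code from the article or from Centripetal) matches constructed DNS and file-creation events against a small constructed indicator feed. Every domain, path and hash value here is a placeholder made up for the illustration, not a real indicator; the event format is likewise an assumption. It also handles the normalisation mistakes that make naive matching miss: case differences, a trailing dot on a DNS name, and a beacon on a subdomain of a known command-and-control domain.

```python
import re

# Constructed threat-intelligence feed: placeholder values, not real indicators.
INTEL_FEED = {
    "domain": ["c2-relay.example.net", "update-check.example.org"],
    "sha256": ["3f1a9c0d5e7b2a4c6d8e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c"],
    "path": [r"C:\Users\Public\svchost32.exe"],
}

# Constructed endpoint telemetry in a simplified key=value format (raw string
# so the Windows backslashes survive).  Two hosts; one is clean.
SAMPLE_EVENTS = r"""
2019-03-31T03:12:44 host=WS-0142 type=dns query=C2-Relay.Example.net.
2019-03-31T03:12:45 host=WS-0142 type=file_create path=C:\Users\Public\SVCHOST32.exe sha256=3F1A9C0D5E7B2A4C6D8E0F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C
2019-03-31T03:13:01 host=WS-0142 type=dns query=mail.example.com
2019-03-31T03:13:02 host=WS-0207 type=file_create path=C:\Users\kdoe\report.docx sha256=9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c
2019-03-31T03:13:10 host=WS-0207 type=dns query=beacon.c2-relay.example.net
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalize_domain(name):
    return name.strip().lower().rstrip(".")


def normalize_path(path):
    return path.strip().lower().replace("/", "\\")


def build_index(feed):
    """Normalise the feed once so each lookup is a set membership test."""
    return {
        "domain": {normalize_domain(d) for d in feed["domain"]},
        "sha256": {h.lower() for h in feed["sha256"]},
        "path": {normalize_path(p) for p in feed["path"]},
    }


def domain_hit(query, known):
    """Return the matching indicator for the name or any parent domain (never the bare TLD)."""
    labels = normalize_domain(query).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def parse_event(line):
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def match_events(lines, feed):
    """Return one hit record per (event, indicator) pair, in event order."""
    index = build_index(feed)
    hits = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")

        def record(kind, indicator, observed):
            hits.append({"ts": ev["ts"], "host": host, "kind": kind,
                         "indicator": indicator, "observed": observed})

        if ev.get("type") == "dns":
            ind = domain_hit(ev["query"], index["domain"])
            if ind:
                record("domain", ind, ev["query"])
        elif ev.get("type") == "file_create":
            path = normalize_path(ev["path"])
            if path in index["path"]:
                record("path", path, ev["path"])
            digest = ev.get("sha256", "").lower()
            if digest in index["sha256"]:
                record("sha256", digest, ev["sha256"])
    return hits


def hosts_with_hits(hits):
    """Hosts that touched any indicator: the containment list for the responder."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS.strip().splitlines(), INTEL_FEED)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['kind']} hit: {h['observed']} -> {h['indicator']}")
    print("isolate:", hosts_with_hits(found))
```

The parent-domain walk is what catches the second host: it never resolved the feed's exact name, only a subdomain of it, which an exact-match lookup would have missed.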

Though the extent of the Albany attack seems limited, there are almost always aftershocks, said Justin Des Lauriers, technical project manager at security management firm Exabeam. “The demanded ransom amounts often pale in comparison to the collateral damage and downtime costs they cause.”

The ideal case would be to detect and stop ransomware before an infection occurs. Des Lauriers explained, “Unfortunately, this insidious software is almost always detected after the damage has already occurred.” The Exabeam project manager suggested one way to thwart a ransomware infection, before it begins to encrypt your files, is by deploying user entity behavior analytics. “It lets you identify an attack earlier in its kill chain, such as during the infection, staging, or scanning phases, before encryption occurs.”
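Des Lauriers' point about catching the scanning phase is that a workstation account enumerating dozens of internal hosts is abnormal for that account even when the same volume is routine for a backup service. The following added example (not code from the article or from Exabeam, and not a description of any vendor's product) shows the core of that entity-baselining idea on constructed events: it builds a per-user baseline of distinct internal hosts contacted per hour, scores the evaluation day against it with a z-score, and contrasts the result with a fixed threshold that would have flagged the backup account on every run. The event tuples, user names, host names and the `z_threshold`, `min_delta` and `sigma_floor` values are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = ["2019-03-25", "2019-03-26", "2019-03-27", "2019-03-28", "2019-03-29"]
EVAL_DAY = "2019-04-01"


def _constructed_events():
    """Constructed (day, hour, user, destination host) records, not real telemetry.

    kdoe touches two file servers every working hour (a printer on even hours);
    svc_backup touches forty servers during its nightly window.  On the evaluation
    day kdoe's 10:00 hour contacts 48 workstations, the scanning phase.
    """
    events = []
    for day in BASELINE_DAYS:
        for hour in range(9, 17):
            events += [(day, hour, "kdoe", "fs-01"), (day, hour, "kdoe", "fs-02")]
            if hour % 2 == 0:
                events.append((day, hour, "kdoe", "print-01"))
        for hour in (1, 2, 3):
            events += [(day, hour, "svc_backup", f"srv-{i:02d}") for i in range(1, 41)]
    events += [(EVAL_DAY, 9, "kdoe", "fs-01"), (EVAL_DAY, 9, "kdoe", "fs-02")]
    events += [(EVAL_DAY, 10, "kdoe", f"ws-{i:03d}") for i in range(1, 49)]
    for hour in (1, 2, 3):
        events += [(EVAL_DAY, hour, "svc_backup", f"srv-{i:02d}") for i in range(1, 41)]
    return events


SAMPLE_EVENTS = _constructed_events()


def distinct_hosts_per_bucket(events):
    """(user, day, hour) -> number of distinct destination hosts in that hour."""
    buckets = defaultdict(set)
    for day, hour, user, dst in events:
        buckets[(user, day, hour)].add(dst)
    return {key: len(hosts) for key, hosts in buckets.items()}


def build_baselines(counts, baseline_days):
    """user -> (mean, population std dev) of hourly counts over the baseline period."""
    per_user = defaultdict(list)
    for (user, day, _hour), n in counts.items():
        if day in baseline_days:
            per_user[user].append(n)
    return {user: (mean(v), pstdev(v)) for user, v in per_user.items()}


def score(counts, baselines, eval_day, z_threshold=3.0, min_delta=5, sigma_floor=1.0):
    """Alert on hours whose count is far above the user's own history.

    sigma_floor stops a perfectly regular baseline (std dev 0) from alerting on a
    one-host change; min_delta stops tiny absolute increases from scoring as huge z.
    """
    alerts = []
    for (user, day, hour), n in counts.items():
        if day != eval_day:
            continue
        base = baselines.get(user)
        if base is None:   # entity never seen in the baseline: worth a look on its own
            alerts.append({"user": user, "day": day, "hour": hour, "observed": n,
                           "baseline_mean": None, "z": None, "reason": "no baseline"})
            continue
        mu, sigma = base
        z = (n - mu) / max(sigma, sigma_floor)
        if z >= z_threshold and n - mu >= min_delta:
            alerts.append({"user": user, "day": day, "hour": hour, "observed": n,
                           "baseline_mean": mu, "z": z, "reason": "above baseline"})
    return alerts


def fixed_threshold_alerts(counts, eval_day, limit=20):
    """The naive alternative: one global limit for every entity."""
    return [(user, hour) for (user, day, hour), n in counts.items()
            if day == eval_day and n > limit]


if __name__ == "__main__":
    counts = distinct_hosts_per_bucket(SAMPLE_EVENTS)
    baselines = build_baselines(counts, BASELINE_DAYS)
    for a in score(counts, baselines, EVAL_DAY):
        print(f"{a['user']} {a['day']} {a['hour']:02d}:00 contacted {a['observed']} hosts "
              f"(baseline mean {a['baseline_mean']}, z={a['z']:.1f})")
    print("fixed-threshold alerts:", fixed_threshold_alerts(counts, EVAL_DAY))
```

The baseline output flags only kdoe's 10:00 hour; the fixed threshold flags that hour too but also all three of svc_backup's nightly hours, which is exactly the noise that makes analysts tune such rules off.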

Caroline Seymour, director of product marketing at business continuity vendor Zerto, offered, “We don’t expect cybercriminals to target our small towns but it’s happening with increased regularity. Today it emerged that Albany was hit by a ransomware attack over the weekend forcing several city services to go off-line.”

Seymour pointed out that a recent analyst study determined 50% of surveyed organizations have suffered an unrecoverable data event in the last three years, and that while preventing these attacks is not always possible, diminishing the threat is. “Taking a more dynamic, modern approach to business continuity and disaster recovery is critical to this. Solutions utilizing continuous data protection and hybrid cloud disaster recovery can help cities like Albany better manage their IT infrastructures and achieve IT resilience so that downtime of more than mere seconds becomes a thing of the past and cybercriminals can’t just stop city functions in its tracks.”

Municipalities are not the only targets of cyberattacks. According to IBM, in 2018 financial malware gangs started cooperating with each other to launch attacks against financial services organizations.