Kaspersky: Municipal Ransomware Attacks Spike in 2019

Written by Edward Gately
December 11, 2019

Ransom amounts have varied greatly, with highs reaching up to $5.3 million.

More municipalities have been targeted by ransomware attacks this year than any previous year, costing victims on average more than $1 million.

That’s according to new research by Kaspersky. The company’s researchers observed at least 174 municipal institutions with more than 3,000 subset organizations targeted by ransomware throughout the past year. This represents a 60% increase from the same figure in 2018.

Fedor Sinitsyn, a security researcher at Kaspersky, notes how cities typically provide essential services to citizens, which makes normal operations critical for a large number of people.

Kaspersky’s Fedor Sinitsyn

“Disruption caused by a ransomware attack may have disastrous effects on the day-to-day life of ordinary folks,” he said. “As a result, the affected municipality may be forced to solve the issue in the shortest time by any means available, which is likely to involve paying the ransom. The criminals anticipate this when choosing a victim. Additionally, municipalities may not always have the most advanced network defenses and this also becomes a factor that makes them an attractive target for threat actors.”

When considering publicly available information, ransom amounts have varied greatly with highs reaching up to $5.3 million, according to Kaspersky. Researchers note these figures do not accurately represent the final costs of an attack as the long-term consequences are far more devastating.

“To minimize the risks associated with ransomware attacks, municipalities are advised to focus on securing their network perimeters, adopt a regular backup scheme for the most critical data, invest in educating the personnel about cybersecurity risks, and deploy a modern and robust security solution,” Sinitsyn said.

The malware most often observed were varied, yet three families were named as the most notorious by Kaspersky researchers: Ryuk, Purga and Stop. Ryuk‘s distribution model usually involves delivery via backdoor malware which spreads by the means of phishing with a malicious attachment disguised as a financial document. Purga malware has been recognized since 2016, yet only recently municipalities have been discovered to fall victims to this trojan having various attack vectors from phishing to brute force attacks. Stop cryptor propagates by hiding inside software installers.

“Because of the high impact of a ransomware attack, the main focus for cybersecurity service providers should be prevention of such incidents,” Sinitsyn said. “It may be a challenge for MSSPs to provide rapid enough response in order to intercept and thwart an ongoing attack, but that would be the ideal outcome. An opportunity would be to provide a service to carry out a thorough security audit of the customer’s network and help them harden their infrastructure against targeted attacks in general, including the ones involving ransomware.”

As for 2020, smaller cities and municipalities will continue to be targeted, “particularly where there is a high prevalence of cyber insurance in place, where insurers find the ransom cost lower than remediation cost,” said Matt Aldridge, senior solutions architect at Webroot.

“Hopefully as this part of the insurance industry evolves, it will work more closely with cybersecurity vendors and service providers to ensure that insured parties are properly protected from the majority of threats,” he said.