Ransomware Succeeds Because Targets Don't Learn From History
Ransomware attacks continue to succeed because targets, like city governments, aren’t doing security basics, like patching vulnerabilities.
It was writer, poet and philosopher George Santayana, who said in 1905 that, “Those who cannot remember the past are condemned to repeat it.” British Prime Minister Winston Churchill reportedly updated it a bit in 1948 with, “Those who fail to learn from history are condemned to repeat it.”
Whatever. Both apply, in spades, to cyberattacks – especially ransomware attacks on governments at all levels. According to security firm Recorded Future, there have been more than 170 of them (that are publicly acknowledged) in the past six years on county, city or state government systems, including at least 45 police and sheriff’s offices.
One of the biggest, in March 2018, took down at least a third of Atlanta’s 424 software programs, about 30% of which were considered “mission critical.” The recovery price tag is now somewhere in the range of $21 million, or about 420 times the $51,000 ransom demand.
You might think that kind of disastrous history – recent history – would prompt municipalities from sea to shining sea to implement at least a few security basics like replacing outdated software and patching current software.
Not so much. Which makes both Winston and George, both long gone, still depressingly relevant. Recorded Future reported more than two dozen attacks so far this year.
And this month’s most egregious example is Baltimore, MD, which is struggling to climb out of a digital black hole caused by a May 7 ransomware attack that essentially locked the city government’s voicemail, email, parking fines database, and the online system for paying water bills, property taxes and vehicle citations. The attack also froze the processing of real estate transactions, although late last week, Mayor Bernard “Jack” Young announced a manual workaround that would let those transactions proceed.
A molehill of good news amid a mountain of bad news.
Because Fox News reported that one recent analysis of Baltimore’s cybersecurity concluded the obvious: It was “out of date in terms of security, staffing, and infrastructure to prevent attacks.”
History is apparently no guide
And Baltimore shouldn’t have even needed the Atlanta attack to put it on notice. It had its own history – the city’s 911 system was hacked in March 2018, just days after the Atlanta attack.
“That should have been a warning shot,” said Morgan Wright, an expert on cybersecurity strategy, cyber terrorism, identity theft and privacy, who has written about the Atlanta attack on the political website The Hill. “I’d be more sympathetic if they hadn’t had 26 months to prepare for this.”
Mayor Young has said he will not pay the ransom demand of about $100,000 – that the city has instead contracted with a series of experts to assist in restoring service. The FBI and Secret Service are also investigating.
But instead of acknowledging a catastrophic failure to implement security measures, Young also said this past week that he is going to try to get the feds to pay for at least some of the damage by declaring the event a disaster, based on reporting in the New York Times that the attack, with a ransomware called RobbinHood, was enabled by an exploit called EternalBlue that was stolen from the National Security Agency (NSA) more than two years ago and leaked by a group called Shadow Brokers.
It’s just that Microsoft had provided a patch for EternalBlue and various other exploits in March 2017, a month before the leak by Shadow Brokers. The company even released patches to cover users of Windows Vista, which was about to be dropped from support, and Windows XP, which had already been dropped.
So it is a major stretch to demand disaster aid for an exploit like EternalBlue, even if it had been lost by a federal government agency, given that there was a patch available for it 26 months ago.
There is also significant debate over whether EternalBlue was even a factor in the attack.
Ars Technica reported that several experts said it was, but not as part of the initial breach, which was attributed to an employee falling for a phishing attack.
“Once the initial foothold was established by RobbinHood’s operators, the ransomware was spread across the network – at least in part by using code cut-and-pasted from the EternalBlue tool,” Ars reported.
Don’t blame the NSA
But Robert Graham of Errata Security contended in a recent blog post that the blame lies with the attackers, who committed a crime, and with the victims, who failed to keep their systems up to date. “Windows is a system that needs regular patches,” he wrote. “Going two years without a patch is gross malfeasance that’s hard to lay at the NSA’s feet.”
And Wright noted that “80% of all intrusions take place on things that are not patched. It’s not like this was a zero-day.”
Of course, Baltimore is no outlier. Other recent victims include San Antonio, TX, Greenville, NC and Allentown, PA.
And a prime reason is that people aren’t patching – including people whose responsibility it is to patch.
EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. But even though Microsoft issued a patch, WeLiveSecurity noted two weeks ago that a Shodan search showed that there are still “almost a million machines in the wild using the obsolete SMB v1 protocol.”
In Baltimore, Ars reported that the current attack was likely made easier due to “more than a decade of neglect of the city’s information technology infrastructure.” That includes spending only 2.5% of its annual budget on IT operations.
All of which makes it almost inevitable that more municipalities will be condemning themselves to repeat history, since they aren’t learning from it.
Why? A lot of it comes down to deeply flawed perceptions about money – that a municipality can save it by not spending it on cybersecurity.
Price vs. cost
Indeed, generally even if there is money in the budget, it’s not enough. “If it’s in the budget at $15 an hour or $30,000 a year, who’s going to go do that job if they can get a $75,000-a-year job doing the same thing in the private sector?” said Sammy Migues, principal scientist at Synopsys.
Wright said municipal officials tend to confuse price with cost. As in, the price of minimal security might look attractive. But the potential cost of it – Atlanta is just one example – can blow a much bigger hole in the budget.
He said as a former state trooper, he raised the point with officials that the important thing about buying bulletproof vests was to take the “best bid, not the lowest bid.”
The final bill for the Baltimore attack won’t be known for some time – Young said rebuilding things from scratch will take at least months. But it is certain to cost vastly more than the trivial amount it would have taken to install a patch. A rigorous awareness training program for employees to help them spot and avoid phishing attacks is obviously more expensive than patching, but is still likely to cost much less in the long run than recovering from an attack.
Christopher Hadnagy, chief human hacker at Social-Engineer, said it is “hard to update very old systems, to get the budgets to do it right and to find the people to come work at municipalities to implement the right solutions. We often see what I call the ‘Ostrich Method’ of security: Put your head in the sand and pray they don’t see you.”
The irony is that governments are not helpless. While there is no way to cut the risk of an attack to zero, there is plenty they can and should be doing to lower those risks.
Wright said one way to start is to take nonessential services offline. “Roll back to the central core of services, and then harden those,” he said. “Diagnose the threats and then prescribe solutions. If it can’t be done with a particular service, take it offline.”
He said fragmented departments and lines of authority also make things easier for attackers. “They need to consolidate authority and spending,” he said. “Everybody doing their own thing is the reason everybody’s getting attacked. It’s like trying to build a house without a general contractor.”
Migues said he suspects this will eventually push municipalities to contract out for cybersecurity services. “I’d be shocked if Microsoft, Google, and IBM didn’t already have a ‘YourTownHere’ service where the town just pays X amount per person/per year for all the basic infrastructure, services, etc. and an EDS/Dell-like service to do any remaining local maintenance,” he said.
Hadnagy said whatever the method, it will take money and time that isn’t being spent now. “They need to analyze all outdated, antiquated systems and make a plan to remove them or update them. Then they need an education system that will get people involved in security and securing the company.”
But that, of course, will take learning from history. And as dystopian philosopher Aldous Huxley said, “That men do not learn very much from the lessons of history is the most important of all the lessons of history.”