An expert report says ransomware has hit crisis levels in the US, costing $7.5 billion this year – and the epidemic is forecast to get worse.
Anti-ransomware security firm Emsisoft has rush-released its 2019 report to warn governments that ransomware is hitting crisis levels and that a new threat is emerging.
They said governments now face the very real issue of sensitive or secret information being made public by hackers – such as with the threatened release of confidential information unless a million-dollar Bitcoin ransom is paid in this week’s attack by the Maze Crew on the City of Pensacola in Florida.
The Maze Crew has previously made good on threats to publicly release confidential information from security contractor Allied Universal to force them to pay Bitcoin ransoms.
Ransomware surge is ‘unprecedented’
The report calls the 2019 surge “an unprecedented and unrelenting barrage of ransomware attacks” and says that at least 948 government agencies, educational establishments, and healthcare providers were hit in the US at a potential cost in excess of $7.5 billion.
“The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety, and lives at risk,” the report stated.
These risks included interruptions to 911 emergency services, medical records being lost, emergency patients being redirected to other hospitals, surveillance going offline, surgical procedures and medical tests being cancelled, and school allergy records being unobtainable.
On the more inconvenient and annoying end of the spectrum, websites, email, and phone systems were knocked offline, bills failed to be issued, grants to non-profits were delayed, driver’s license renewals were halted, any number of payments were stopped, schools closed and academic records were lost.
“Grossly negligent” security by governments blamed
Various reports by the State Auditor of Mississippi and the University of Maryland have identified serious cybersecurity flaws which suggest that local and state governments’ lax security practices enable the attacks.
“The fact that governments are failing to implement basic and well-established best practices, even when legally required to do so, can only be described as grossly negligent – especially as these entities know fully well that they are likely to be targeted in the ongoing campaign of cyberattacks,” the report states.
“There is no excuse for this. They need to do better. They must be made to do better.”
Call to restrict Bitcoin ransom payments
Emsisoft called for legislative restrictions on ransom payments, saying it was bizarre to ban payments for human ransoms while allowing a free-for-all with data ransom.
It also called for better security practices, mandatory reporting of incidents, more security funding, and better cooperation between private and public organisations to counter the threat.
It noted that Bitcoin payments are the ‘fuel’ that drives ransomware and that the only way to stop attacks is to make them unprofitable to mount through better security.
“2020 need not be a repeat of 2019,” said famed ransomware fighter and Emsisoft CTO Fabian Wosar.
“Proper levels of investment in people, processes, and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive, and less costly.”