Question:
- Why has ransomware become such a serious global problem?
- In the Atlanta and Baltimore ransomware attacks, the perpetrators asked for far less money than the two cities ended up paying to recover. Would it not have saved money and time for both cities to have paid the ransom? Why did each city not pay the ransom? Was this a good decision? Draw implications for any organization after a successful ransomware attack. Should organizations pay ransoms?
WannaCry.
WannaCry caused serious problems around the world in an attack that began on May 12, 2017. WannaCry ransomware demanded $300 in bitcoins for unlocking encrypted files, a price that doubled after three days. Users were also threatened, via a ransom note on the screen, with having all of their files permanently deleted if the ransom was not paid within a week. More than 300,000 victims in more than 150 countries were infected with ransomware over a single weekend.
WannaCry attackers made only $100,000 in ransom payments. However, the global financial and economic losses from WannaCry could reach as high as $4 billion. This figure includes lost productivity as well as the costs associated with conducting forensic investigations, restoring lost data, and implementing new user training and other security measures.
The reason why WannaCry returned only $100,000 in ransom payments had to do with Marcus Hutchins. Hutchins, also known as MalwareTech, found an unregistered domain name (URL) in WannaCry's code. Suspecting that the address had something to do with how the software communicated, he registered the domain and watched as traffic from thousands of infected computers flooded into it. The domain turned out to be a kill switch: the malware shut itself down on any system that could reach the URL.
Hutchins further noted that malicious programmers could easily change WannaCry's code to try to communicate with a new address. Those programmers did just that. Only a few days later, a new variant of WannaCry infected thousands of systems in Russia. Let's consider some examples of WannaCry infections.
In early 2016, the Hollywood (California) Presbyterian Medical Center (www.hollywoodpresbyterian.com) experienced a cyberattack that encrypted some of the hospital's crucial information. In response, the hospital turned off its network to prevent the infection from spreading, and it began negotiations with the attackers, who demanded a rumored $3 million in bitcoins as ransom. Hospital employees resorted to pen, paper, telephones, and fax machines for many tasks normally carried out by information systems. These tasks included accessing patient information and test results, documenting patient care, and transmitting laboratory work, X-rays, and CT scans. The hospital claimed that the network shutdown did not affect patient care, although the hospital did send some patients to other facilities. The hackers held the hospital hostage for 10 days until the hospital paid them approximately $17,000 worth of bitcoins to decrypt its key information.
Over the Thanksgiving weekend in 2016, the public transit system in San Francisco would not accept riders' money. Attackers had compromised the agency's ticketing system, encrypted its data, and reportedly demanded 100 bitcoins (about $73,000 at that time) to send the decryption key. Rather than pay the attackers, the agency deactivated its ticketing machines and let riders go through the gates for free. The agency then rebooted its ticketing machines, and by Monday the system was operating normally, even though the agency had lost two days of revenue.
- Health care organizations across the United Kingdom had their systems taken offline by the attack. As a result, patient appointments were canceled, and hospitals instructed people to avoid visiting emergency rooms unless it was absolutely necessary.
- WannaCry infected Russian banks, telephone operators, the Russian Post Office, and IT systems that supported the country's transportation infrastructure.
- WannaCry infected 29,000 Chinese organizations ranging from police stations to the huge oil and gas company PetroChina.
- Automobile manufacturers Renault and Honda had to halt production lines in several factories.
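The kill-switch domain described above doubles as a defender's telemetry source: once the domain is registered (sinkholed), every host that queries it has run the sample and is still unpatched even though it was not encrypted. The following is an added example, not part of the case study, that pulls suspected hosts out of constructed DNS resolver log lines; the domain names and the log format are placeholders, and the set of domains allows for the variants that switched to a new address.

```python
"""Added example (not from the case study): turn sinkhole hits for a
WannaCry-style kill-switch domain into a list of likely infected hosts."""
import re
from datetime import datetime

# Placeholder domains: the real WannaCry kill-switch URL is not reproduced
# here, and the later variants used different ones, so the check takes a set.
KILL_SWITCH_DOMAINS = {"killswitch-a.example", "killswitch-b.example"}

# Constructed resolver log lines: "<ISO time> <client ip> QUERY <name>"
SAMPLE_LOG = """\
2017-05-12T08:01:14Z 10.0.4.21 QUERY killswitch-a.example
2017-05-12T08:01:15Z 10.0.4.21 QUERY update.vendor.example
2017-05-12T08:02:40Z 10.0.7.9 QUERY killswitch-a.example
2017-05-12T08:03:02Z 10.0.4.21 QUERY killswitch-a.example
2017-05-12T09:15:55Z 10.0.9.3 QUERY www.hollywoodpresbyterian.com
2017-05-13T11:20:00Z 10.0.2.77 QUERY killswitch-b.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) QUERY (\S+)$")


def parse_line(line):
    """Return (timestamp, client, name) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3).lower().rstrip(".")


def suspected_infections(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client that queried a kill-switch domain to its first-seen
    time, hit count and the domains it asked for. A hit means the sample ran
    on that host and exited: the host still needs patching and cleanup."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage lines rather than abort the sweep
        ts, client, name = parsed
        if name in domains:
            entry = hits.setdefault(client, {"first_seen": ts, "count": 0, "domains": set()})
            entry["first_seen"] = min(entry["first_seen"], ts)
            entry["count"] += 1
            entry["domains"].add(name)
    return hits


if __name__ == "__main__":
    for host, info in sorted(suspected_infections(SAMPLE_LOG).items()):
        print(host, info["first_seen"].isoformat(), info["count"], sorted(info["domains"]))
```

Hosts that appear here were reached by the worm, so the same list is the patch and containment queue, not a sign that the problem solved itself.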
The Petya Family.
Just over a month after the WannaCry ransomware outbreak, another global ransomware attack appeared. This cyberattack first hit targets in Ukraine, including the central bank, the primary international airport, and the Chernobyl nuclear facility. The malware infected organizations across Europe, Russia, the United States, and Australia. One day after the outbreak began, at least 2,000 attacks had been recorded in more than 60 countries. Even more worrisome, security analysts noted that Petya is designed to erase information permanently, not to hold it ransom.
The attack significantly impacted thousands of organizations around the world. Here are only a few examples:
- The British health and consumer goods firm Reckitt Benckiser (www.rb.com) announced 100 million in lost revenue. One week after being infected, the company announced that some key applications and a number of its facilities were only partially operational. Petya disrupted the firm's manufacturing and ordering systems, severely restricting its ability to ship products.
- Both the shipping firm Maersk and the goods delivery company FedEx (www.fedex.com) estimated losses of $300 million due to the attack.
- The U.S. pharmaceutical firm Merck (www.merck.com) stated that Petya ransomware had compromised its network.
SamSam.
On March 22, 2018, a type of ransomware called SamSam encrypted the city of Atlanta's data. The attackers asked for about $51,000, paid in bitcoin.
The attack crippled some of the city's critical functions. More than one-third of Atlanta's 424 necessary programs were disabled or partly disabled, and almost 30 percent of those affected apps were deemed mission critical by the city. Consider these problems:
- City employees did not have e-mail or Internet access.
- Online bill-pay programs across multiple city departments (e.g., water and electricity) were disabled.
- Wi-Fi was shut down at the city's international airport.
- The city's municipal courts had no access to electronic records.
- Many departments, including the city jail and the police department, were operating with pen and paper.
- The city could not collect revenue from parking fines.
- The city jail had difficulties processing new inmates.
- The city stopped taking employment applications.
- Years' worth of police dashboard camera footage was destroyed.
- The city attorney's office lost 71 of its 77 computers and 10 years' worth of documents.
On the other hand, some major systems were not affected, including the 911 system, the fire department system, and the wastewater treatment system. Operations at the city's international airport were likewise not affected.
Leaked e-mails sent among the city's Department of Information Management, city council staff, and the city clerk's office suggest that city officials failed to adequately respond to multiple security warnings in the months before the ransomware attack. The e-mails show that city employees were warned several times during an eight-month span starting in June 2017 about issues involving a computer infected with ransomware. City officials received a second ransomware warning on July 17, 2017.
An earlier warning from cybersecurity firm Rendition Infosec (www.renditioninfosec.com) noted that Atlanta had five information systems fully compromised in April 2017. The firm noted that Atlanta did not patch its systems for more than a month after critical patches were released by Microsoft.
The ransomware attack was particularly bad news because Atlanta was trying to automate processes that humans were performing, and an increasing number of the city's systems were being connected via the Internet of Things (see Chapter 8). Such future smart cities digitize large parts of their infrastructure, including streetlights, traffic management systems, pollution monitoring, water systems, and many others.
And the bottom line? By July 2019, Atlanta had spent $17 million to repair the SamSam ransomware damage.
RobbinHood.
On May 7, 2019, ransomware called RobbinHood took control of some 10,000 computers of the city of Baltimore. The attackers demanded a ransom of about $80,000 in bitcoin to provide the decryption keys. City officials notified the FBI and refused to pay the ransom.
The attack shut down the city e-mail system and disrupted real estate sales, water billing, health alerts, parking, and many other services. Emergency systems, such as the police and fire department networks and the city's 911 system, were not affected.
Baltimore's problem was not surprising. Government systems typically lack resources and IT expertise and operate on outdated hardware and software. Baltimore is no exception. For years, the city had failed to update its computer systems to defend against a known, critical vulnerability. That is, the successful attack worked against city computers running Windows software that was two years out of date.
By mid-June, 70 percent of city employee email accounts were active again. City residents could look up parking tickets in person or online and property tax bills would go out on time. However, some billing systems remained inoperative. City officials estimate that it will take months for the city to fully recover from the attack.
Unfortunately, Baltimore had no insurance to help cover the cost of a cyberattack. Therefore, the citizens will bear the cost of the more than $18 million spent trying to recover from the attack.