By Chris Bates, VP of Security Strategy, SentinelOne
Every city and government organization should assume they are a ransomware target. Attacks like the ones in Atlanta, Baltimore, and Riviera Beach are about more than just criminal payouts – they’re paralyzing attacks that can bring a city to its knees, as we’re seeing. A lack of cybersecurity resources, maintenance, and updates across broad enterprises, combined with the human tendency to click through questionable emails, makes municipalities an easy target.
Preparing for an attack starts with assuming an employee will introduce malware into the network and taking steps to prevent its spread when that happens. It’s incredibly hard to prevent employees from making mistakes, which is why cities need security technologies that prevent ransomware from spreading once the inevitable happens.
From a response standpoint, immediately isolating systems and limiting employees’ access to shared systems may help minimize the spread of the ransomware. Legacy AV systems have continually shown that they can’t keep up with attacker sophistication and repeatedly fail to detect and proactively block malware. 2019 Security Megatrends research by EMA tells us that 90% of respondents who experienced an attack causing significant to severe impact believed an advanced endpoint solution would have performed better than traditional AV. Moreover, all of the respondents who experienced severe impacts from a malware attack indicated they now intend to replace their traditional AV product with advanced defense technology.
Because attackers are continually perfecting their malware, organizations need to implement AI-powered solutions that can identify and block attacks before they happen and, importantly, roll back ransomware so vital systems do not need to be shut down. What we call ‘behavioral AI’ is the ability to detect an attack and protect against it, not by looking at signatures or at static indicators of compromise, but by actually looking at the nature of what it does.
But what should you do if disaster strikes? “To pay or not to pay” continues to be a tough decision in each case, and Riviera Beach has set a dangerous precedent by showing cybercriminals that “ask and you shall receive” is a reality. This will surely increase the frequency of municipality ransomware attacks, especially on smaller cities that are even more resource-strapped than the Atlantas and Baltimores of the world.
Riviera Beach’s decision to pay the ransom was surely influenced by Baltimore’s decision not to, which has cost the city an estimated $18M in damages – exponentially more than the attacker’s ransom request. But paying the ransom is not the answer either: recent research tells us 45% of U.S. companies hit with a ransomware attack paid at least one ransom, but only 26% of these companies had their files unlocked. Furthermore, organizations that paid the ransoms were targeted and attacked again 73% of the time, as attackers treat paying companies like ATMs.
The real answer is taking a proactive approach and updating legacy defense systems susceptible to sophisticated attacks, in addition to allocating additional resources to security team staffing, training, and support.
The trend of repeated ransomware attacks on cities worldwide is far from over, and Riviera Beach’s decision to pay may have made these susceptible targets even more enticing for the bad guys.
About the Author
Chris Bates is the VP of Security Strategy at next-gen autonomous endpoint protection provider SentinelOne. Chris is a trusted professional, adviser, and leader in the information security and technology space with over 23 years of experience. Chris can be reached at the SentinelOne website, https://www.sentinelone.com.