New Ransomware Attacks Pose Costly Threat to Transit Agencies

Nov. 19, 2020
A more proactive approach to cybersecurity can help transit agencies thwart cybercriminals who are becoming more sophisticated and more organized.

When Fort Worth’s regional transportation agency was hacked by a ransomware group this past summer, the agency not only lost access to its IT systems, data and customer support – it also faced a high-pressure threat of public data exposure by the criminal group behind the hack. 

This “double extortion” attack – ransomware combined with data leak extortion – is more profitable for cybercriminals, which is why it is becoming widely used. While ransomware has been an ongoing problem for public transportation providers for years (these attacks have also targeted transit agencies in Sacramento, Philadelphia and San Francisco and state transportation departments in Texas and Colorado), the traditional ransomware attack has typically been limited to data encryption only, which – although potentially disruptive – is less harmful to public reputation and data confidentiality than the combined attacks now being carried out.

The changes that are happening in ransomware reflect a broader evolution of cybercrime, as hackers are becoming more sophisticated and better organized. Many of these extortion groups are forming criminal “business partnerships” with other cybercriminals to expand their operations globally. They are actively collaborating on these attacks, offering “ransomware-as-a-service” solutions and the first ransomware “cartel” was announced earlier this year. What this means for transit agencies is that they are more likely to face advanced adversaries who will penetrate their networks with sophisticated malware and behave more aggressively once they are inside the organization.

This can significantly increase the overall costs and risks for public agencies that become the victims of a cyber attack. In order to reduce these risks, they have to get more proactive about cybersecurity.

How Ransomware is Changing

Ransomware attacks used to be relatively straightforward.

In a traditional attack, the hacker would breach one or two computers on an agency’s network, infect them with a type of malware that encrypts document files, databases and spreadsheets in order to render them inaccessible to the victim and then demand a relatively small ransom on the order of a few thousand dollars in order to remove the encryption from the network. Although victims’ sensitive data was technically compromised by the malware, the hackers didn’t actually steal or view this data – they simply locked it up behind a robust encryption algorithm to force the organization to pay.

These attacks were bad enough and cost many organizations a lot of money, but they were far less complex than the attacks happening today. The ransomware now in wide use – including Maze, NetWalker, REvil, DoppelPaymer and Ryuk – is a multi-stage weapon capable of causing significant damage. Not only do the victims have to contend with their data and systems being encrypted, but they must also deal with information theft and the possibility that this sensitive data will be publicly exposed on the web for other criminals to steal and use in various frauds. Additionally, as an initial step in compromising the network, these attackers usually plant malware that acts as a “backdoor.” These backdoors allow them to carry out surveillance on the network ahead of the attack, but they also provide long-term access to the organization post-attack. This means that even after a ransomware attack is “cleaned up” by an IT security team, these backdoors could persist inside the system.

The bottom line is that ransomware is no longer just ransomware – it can carry out multi-stage attacks and data theft that can be crippling to its victims.

What Happens in a Double Extortion Ransomware Attack?

This attack begins like any normal ransomware attack, usually with a phishing email to an employee or by exploiting a weak employee password for a remote desktop portal that is exposed to the Internet.

The hacker will trick the employee into clicking on a link or downloading a malicious attachment (often Word or Excel), at which point the ransomware infects that person’s computer and then immediately connects to the attacker’s command and control server. The intruder then takes over manual control and runs commands to map out the agency’s servers and other workstations, looking for ways to spread across the network. Unlike traditional ransomware campaigns, which usually rely on a “spray-and-pray” approach, the double extortion groups often seek out specific victims that are able to afford high ransoms and will be motivated to get systems running again quickly – such as large corporations and public agencies.

The second stage of the attack is where double extortion incidents really break away from the traditional ransomware “business model.” In a standard ransomware attack, the malware will automatically seek out important files on the system where it landed, encrypt everything it can find and then demand a payment to remove the encryption. In a data leak extortion attack, however, the ransomware goes one step further by stealing the information before it encrypts it. This puts the victim in a considerable bind, because even if they use backups to recover from the encryption part of the attack, they still have no control over what the hacker does with the stolen data.

These new ransomware attacks also lead to significantly higher extortion fees. Although not all the attacks have been made public, ransom demands in September and October 2020 were often more than $10 million. In one recently disclosed attack, the REvil ransomware group demanded a whopping $42-million ransom from a New York law firm.

When demanding these ransoms, the criminal groups may offer to decrypt a certain number of files for free to prove their “good intentions.” They will also negotiate with victims on the price of their extortion, if the victim is unable to pay. However, even with a reduction, they will still demand a hefty sum. Generally speaking, the hackers will try to portray themselves as professional, business-like and reliable to their victims. This might sound strange, but it is simply part of their strategy for getting paid.

High-Pressure Tactics

Ransomware gangs are motivated by one thing – money. If they don’t get it, they are going to put more pressure on the victim.

The way they will do this is by posting the victim’s data on one of the many “leak sites” these groups now operate on the Dark Web. In most cases, they won’t post all of the information right away. Instead, they will post a small amount, perhaps up to 10 percent of the total data, to show they mean business. These leak sites take many different forms and range from eBay-like auction sites where buyers bid on the stolen data to “news” and “shaming” sites which give the information away for free.

With time ticking away and the criminals threatening to double the ransom if not paid in 48 hours, the situation can be extremely difficult to deal with if the agency has not prepared a response plan for this type of emergency and established contacts with law enforcement and outside professionals who can help.

The FBI has long discouraged companies from paying ransoms to hackers, and public agencies should never trust these groups to keep their word, either to decrypt the network or to erase the stolen information. There is also no guarantee that they won’t hack the organization again, now that they know it will pay.

How to Mitigate This New Threat

The best way to lower an agency’s risk is by developing a defense-in-depth approach. This means creating a layered cybersecurity defense that anticipates all of the associated threats (encryption attack, data theft and data exposure), so that even if one part of the security program fails, the others will be able to pick up the slack and limit the damage.

The standard defense against ransomware – backing up all important data and building redundancy into these systems – will not be enough against these multi-stage attacks, but it is a solid first step. For many agencies, getting the ticketing systems back into operation quickly is the most immediate priority. Making regular backups and ensuring that the backups cannot be deleted or corrupted, even by an administrator, is critical to maintaining this capability.

Another critical step is to implement robust data encryption. This will protect the data even if it is stolen by a hacker. Employees should also be instructed how to safely store sensitive data without sending it via email or storing it on workstations and shared folders.

Network segmentation and administrator account segmentation are also top priorities, as these will limit how far the ransomware, or other malware, can spread once it gets inside the agency’s network. Attackers always seek administrator passwords, so protecting those accounts should be taken seriously by limiting where and when administrator accounts are used.

Agencies should also have active security monitoring of any unusual network activity, including SIEM (security information and event management), EDR (endpoint detection and response), intrusion detection/prevention systems (IDS/IPS) and exfiltration monitoring. Additionally, agencies should use email whitelisting, robust malware detection tools and keep all systems updated with the latest software and security patches. Another good policy is to engage outside cybersecurity consultants to test the agency’s network (i.e., a penetration test) to look for any security weaknesses ahead of time.
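The exfiltration monitoring recommended above can start from a per-host egress baseline: in a double extortion attack the data leaves the network before anything is encrypted, so a host that suddenly pushes far more than its usual daily volume to an external address, or to an address it has never contacted, is worth a look. The example below is added here and is not from the article or Binary Defense; the flow summaries, hostnames and IP addresses are constructed, and the “anything outside 10.0.0.0/8 is external” rule and the 5x / 1 GB thresholds are assumptions to tune per agency.

```python
"""Egress-volume anomaly check over constructed flow summaries (added example)."""
from collections import defaultdict
from statistics import median

# Constructed daily flow summaries: (day, source_host, dest_ip, bytes_out).
FLOWS = [
    ("2020-10-01", "fileserver01", "10.0.5.20", 900_000_000),   # internal replication, ignored
    ("2020-10-01", "fileserver01", "52.10.0.8", 40_000_000),
    ("2020-10-02", "fileserver01", "52.10.0.8", 45_000_000),
    ("2020-10-03", "fileserver01", "52.10.0.8", 38_000_000),
    ("2020-10-04", "fileserver01", "52.10.0.8", 42_000_000),
    ("2020-10-05", "fileserver01", "52.10.0.8", 41_000_000),
    ("2020-10-05", "fileserver01", "185.0.0.9", 3_500_000_000),  # 3.5 GB to a never-seen host
    ("2020-10-01", "hr-laptop07", "52.10.0.8", 5_000_000),
    ("2020-10-02", "hr-laptop07", "52.10.0.8", 6_000_000),
    ("2020-10-03", "hr-laptop07", "52.10.0.8", 4_000_000),
    ("2020-10-04", "hr-laptop07", "52.10.0.8", 7_000_000),
    ("2020-10-05", "hr-laptop07", "52.10.0.8", 6_500_000),
]

def is_external(ip):
    # Assumption for this example: the agency's internal range is 10.0.0.0/8.
    return not ip.startswith("10.")

def daily_external_bytes(flows):
    """Sum bytes sent to external destinations per (host, day)."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, day)] += nbytes
    return totals

def find_exfil_suspects(flows, target_day, ratio=5.0, floor=1_000_000_000):
    """Flag hosts whose external egress on target_day is more than `ratio`
    times their median daily egress on earlier days (and above `floor` bytes),
    or that contacted an external destination never seen before target_day."""
    totals = daily_external_bytes(flows)
    seen_dst = defaultdict(set)
    for day, host, dst, _ in flows:
        if day < target_day and is_external(dst):
            seen_dst[host].add(dst)
    suspects = {}
    for host in {h for h, _ in totals}:
        history = [v for (h, d), v in totals.items() if h == host and d < target_day]
        today = totals.get((host, target_day), 0)
        baseline = median(history) if history else 0
        new_dsts = sorted({dst for day, h, dst, _ in flows if h == host and day == target_day
                           and is_external(dst) and dst not in seen_dst[host]})
        if (baseline and today > ratio * baseline and today >= floor) or new_dsts:
            suspects[host] = {"bytes": today, "baseline": baseline, "new_destinations": new_dsts}
    return suspects
```

On the constructed data, fileserver01 is flagged for both reasons (3.54 GB against a 41 MB median, and a new destination) while hr-laptop07 stays within its normal range; the same logic applies to real NetFlow or firewall summaries once the field mapping is swapped in.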

In addition to preventative security, transit agencies must also plan for how to handle a successful attack. They need to develop a response plan, which includes contacting the FBI and/or U.S. Secret Service to know how to report incidents and preserve the digital evidence for investigators. Establishing a relationship with incident response companies is also critical.

Although ransomware attacks are becoming more complicated, transit agencies can drastically lower their risk by taking a proactive approach and preparing in advance.

----------------------------------------------------

Randy Pargman is the senior director of Threat Hunting and Counterintelligence at Binary Defense.

About the Author

Randy Pargman | senior director of Threat Hunting and Counterintelligence

In this role, Pargman leads the threat hunting team in reverse engineering malware and developing new techniques for detecting signs of emerging threats and attacker behavior that evade or defeat traditional security solutions. He also leads the counterintelligence and intelligence operations teams in researching threat actors, finding threat information on Darknet hidden websites, criminal forums, dump sites and social media platforms. Pargman previously spent 15 years at the FBI as a senior computer scientist with the Cyber Task Force based in Seattle, Wash., as well as the global Cyber Action Team. Pargman has earned the FBI Director’s Award for Excellence in Technical Advancement as well as the FBI Medal of Excellence.