Ransomware viruses (ransomware) in the United States

The main articles are:

• Ransomware ransomware viruses (ransomware)
• Information Security in the United States

2024

Kansas' largest city cuts off all public services due to ransomware virus attack

On May 5, 2024, authorities in Wichita, Kansas' largest city, reported a massive hacker attack on their IT infrastructure. As a result of the invasion, the work of government services has been stopped, and cybersecurity experts are urgently engaged in system recovery. Read more here.

American medical holding Change Healthcare paid $22 million to ransomware hackers to prevent leakage of patient data

On April 22, 2024, UnitedHealth Group, the largest US health insurance company, announced that it was forced to pay ransomware hackers approximately $22 million to prevent the leakage of patient data. Confidential information was stolen in an attack on a subsidiary of Change Healthcare. Read more here.

County authorities in Pennsylvania paid a ransom of $350 thousand after an ransomware virus attack that blocked state servers

On February 15, 2024, county authorities Washington in Pennsylvania announced the payment of a ransom of almost $350 thousand to cybercriminals who organized a massive attack using. programs extortioners This invasion effectively paralyzed work. state IT infrastructures More. here

2023

FBI hacked into the infrastructure of Russian-speaking ransomware hackers, which angered them

The US Department of Justice announced the hacking of the infrastructure of the Russian-language hacker gang Black Cat (Blackcat, aka ALPHV, aka Noberus). The US intelligence services managed to gain access to the decryption keys, which allowed them to create tools for restoring the IT infrastructure of companies that suffered from the actions of this cyber group. More

North Face and Timberland store owner has IT systems stopped due to ransomware virus attack

On December 18, 2023, the American company VF Corp., which owns clothing and footwear brands such as Dickies, Icebreaker, North Face, Timberland, Supreme and Vans, reported a hacker invasion. Due to the ransomware virus attack, a number of IT systems had to be stopped, and the operational activities of VF Corp. were seriously affected. Read more here.

40 countries led by the United States agreed never to pay ransom to hackers

At the end of October 2023, 40 countries led by the United States announced the signing of a document securing their promise to never pay a ransom to hackers, as well as work to destroy the economic basis for the existence of cybercriminals. Read more here.

City courts in Texas have been down for a month due to ransomware virus attack

In early June 2023, it was reported that Dallas courts in Texas could not fully resume work for a month due to a ransomware attack. Cybercriminals also disabled a number of computer systems from the city's fire and police departments. Read more here.

American telecom company Dish Network paid ransom to hackers after ransomware virus attack

In mid-May 2023, it became known that the American television provider Dish Network, apparently, paid a significant ransom to cybercriminals after the ransomware virus attack. Read more here.

US Federal Marshals Service attacked by ransomware virus

At the end of February 2023, the US Federal Marshals Service was subjected to a cyberattack using a ransomware virus. First, this was reported in the media, and the department confirmed the incident. Read more here.

California city declares state of emergency after ransomware attack paralyzing nearly all city services

In mid-February 2023, the city of Oakland, located in the state of California, was attacked by a ransomware virus, as a result of which many government services were disconnected from the network. As a result, the city authorities were forced to declare a state of emergency (PE). Read more here.

Ransomware virus attack set California police back 80 years

On February 8, 2023, police in the cities of Oakland and Modesto in the state of California (USA) were attacked by ransomware viruses, as a result of which public services were disconnected from the network, and the police were forced to switch to old tools such as the use of portable radio stations, pens and paper while patrolling cities. Read more here.

Ransomware virus attacked trading platform and undermined banks in the US and Europe for several days

On January 31, 2023, the international financial data and services provider Ion Group reported a ransomware attack. As a result, ION Cleared Derivatives, which provides software for financial institutions and banks, was disrupted. Read more here.

Rackspace Hosted Exchange mail service closed after ransomware attack

In early January 2023, the reasons for the large-scale failure affecting the systems of Rackspace Technology, which provides cloud services, were announced. The incident led to the disconnection of the Rackspace Hosted Exchange mail service - the provider does not intend to restore its functioning, so it asks users to switch to other projects. Read more here.

2022

Ransomware viruses hit 870 critical US infrastructure

In 2022, at least 870 critical infrastructure facilities in the United States became victims of ransomware. Such data are provided in a report published on March 14, 2023 by the Federal Bureau of Investigation.

The statistics were prepared on the basis of the number of appeals to the Center for Complaints of Internet Crimes (IC3) as part of the FBI. Therefore, as noted by the Bleeping Computer resource, the actual number of hacks of critical organizations using ransomware can be much higher. The IC3 report says that out of 16 sectors of critical infrastructure in the United States in 2022, 14 industries were affected by ransomware attacks. Cyber ​ ​ groups behind the Lockbit malware (149 intrusions), ALPHV/BlackCat (114 attacks) and Hive (87 attacks) were the most active.

Ransomware viruses hit 870 US critical infrastructure in 2022

The maximum number of ransomware attacks in the segment of American critical infrastructure in 2022 was committed on healthcare institutions - 210 such incidents were recorded in IC3. In second place in terms of the frequency of intrusions was production - 157 cases. State organizations close the top three - 115 incidents. In addition, attackers often attacked IT companies (107 reported cases) and financial structures (88 attacks).

In total, victims of ransomware filed 2,385 complaints in 2022, and adjusted losses amounted to more than $34.3 million. The FBI recommends that no ransom be transferred to cybercriminals because the payments do not guarantee that victims will recover their files. In addition, such transactions can contribute to further attacks and, as noted, are highly likely to be used to finance new cybercriminal campaigns. The FBI is urging victims to report ransomware incidents to IC3.

FBI: Ransomware hit 860 critical infrastructure orgs in 2022

How many government agencies, schools and hospitals in the United States have been affected by ransomware viruses

On January 2, 2023, the company cyber security Emsisoft published the results of a study that examined the intensity of ransomware attacks on state and medical structures, as well as educational institutions. USA

The report says that in 2022, local government 106 suffered from ransomware. That compares with 77 similar incidents in the sector in 2021. At least 27 attacks in 2022 turned into data theft. The only confirmed ransom payment in the public sector was made by the government of Quincy (Massachusetts): attackers managed to get $500,000 for restoring access to encrypted information. At the same time, the largest score put up by cybercriminals was $5 million in relation to the government agencies of Whit Ridge (Colorado), but they refused to pay.

State institutions of America suffered from ransomware attacks

According to statistics, in 2022, ransomware attacks were recorded on 44 universities and colleges in the United States, as well as on 45 school districts that manage a total of 1981 schools. Thus, the total number of attacks on the educational sector was 89, which corresponds to the level of 2021, when 88 attacks were recorded. The most significant incident of 2022 was the attack on the Los Angeles Unified School District, which with more than 1,300 schools and 500,000 students is the second largest district in the United States. At least three educational organizations paid a ransom, the largest of which amounted to $400 thousand.

Ransomware was also encountered by 25 American medical providers operating 290 hospitals. The incidents had a wide variety of consequences, including ransom demands, forced rerouting of ambulances and drug overdoses due to malfunctioning computer systems.^[1]

Toymaker Jakks Pacific locked down servers after cyber smoke attack

Toy maker Jakks Pacific has locked down servers after a cyber smoke attack. The company notified the American authorities about this at the end of December 2022. Read more here.

Banks in the United States paid $1.2 billion ransom for the year after ransomware attacks

On November 1, 2022, the US Financial Crime Agency (FinCEN), part of the Treasury Department, revealed the scale of payments that the country's banks made as a result of ransomware attacks. The total amount exceeds $1 billion. Read more here.

Microsoft SQL servers covered a powerful wave of attacks using ransomware viruses

At the end of September 2022, it became known that servers Microsoft SQL a powerful wave of attacks using ransomware viruses was covered. Malefactors use malware programs called Fargo and GlobeImposter. More. here

The second largest network of schools in the United States is attacked by a ransomware virus. Infrastructure hit hard

On September 6, 2022, it became known that hackers, using a ransomware virus, carried out a cyber attack on the Los Angeles Unified School District, which is the second largest school district in the United States. Read more here.

American clothing and underwear manufacturer HanesBrands lost $100 million due to cyber attack

American clothing and underwear manufacturer HanesBrands lost $100 million in sales due to a cyber attack. This became known on August 11, 2022. The company came under ransomware attack in May. Read more here.

The number of ransomware attacks on US medical organizations increased by 94%

On July 15, 2022, it became known that from 2021, hospitals throughout the United States were targeted by an aggressive ransomware campaign emanating from North Korea. This was stated by the US authorities. Read more here.

2021

Japan and the United States unite in the fight against cyber drivers

The governments of Japan and the United States plan to begin cooperation in the fight against ransomware viruses. This became known on December 27, 2021. Read more here.

US Cybercom confirms cyber attacks against ransomware

The United States Cyber ​ ​ Command (United States Cyber ​ ​ Command) publicly recognized the offensive actions to neutralize cybercriminal groups that attacked American companies with ransomware. This became known on December 6, 2021. Read more here.

Ransomware virus attack on confectionery giant Ferrara Candy

In October 2021, Ferrara Candy a company specializing in the production of sweets under the brands Nerds, Laffy Taffy, Now and Later, SweetTarts, Jaw Busters, Nips, Runts and Gobstoppers, announced that it was subjected to to the attack extortion. software The virus has disrupted IT systems and manufacturing. The company did not say whether it paid the ransom or which ransomware group attacked their systems. More. here

Ransomware virus attack on telecoms conglomerate Sinclair Broadcast Group

On October 18, 2021, the telecommunications conglomerate Sinclair Broadcast Group (SBGI) reported a ransomware virus attack that disrupted some office and operating networks within the company. Shares of the company fell nearly 3% amid the news. Read more here.

Bill on obligation of ransomware victims to notify about payments

A US bill called the Ransom Disclosure Act would oblige ransomware victims to notify hackers of payments within 48 hours. This became known on October 6, 2021.

More information about ransomware will help authorities develop effective protection strategies.

The bill was drafted by US Senator Elizabeth Warren and US House of Representatives member Deborah Ross. As the senator said, the number of attacks by ransomware groups is growing, despite versatile efforts to solve the problem, so obtaining more detailed information about financial transactions in underground circles can help the authorities develop and implement more effective neutralization and protection strategies.

The bill's four main points are as follows:

Require victims of ransomware (excluding individuals) to disclose ransom payments no later than 48 hours after the payment date, including the amount of ransom requested and paid, the type of currency used to pay the ransom, and any known criminal information;

Require the U.S. Department of Homeland Security to make public information disclosed during the previous year, except for identifying information about organizations paying ransom;

Require the US Department of Homeland Security to create a website through which people can voluntarily report ransom payments;

To direct the Secretary of Homeland Security to conduct a study of the general features of ransomware attacks and the extent to which cryptocurrency contributed to these attacks, and to provide recommendations for protecting information systems and strengthening cybersecurity.

Forcing victims to disclose ransom payments to hackers has always been controversial, as this can only exacerbate the consequences of ransomware attacks. This strategy may lead to cases where the restoration of normal operation of the company will be delayed due to additional verification.

To enter into force, the bill must pass a vote in the Senate, then in the House of Representatives and, finally, be signed by US President Joe Biden ^[2]

American corn and soybean producer New Cooperative attacked ransomware virus

At the end of September 2021, the agricultural group New Cooperative was to the attack subjected to a ransomware virus, which could jeopardize the activities of the company, which plays a key role agricultural in the product supply chain. More. here

FBI: Attacks by ransomware viruses hit food and agricultural companies

On September 1, 2021, the FBI sent out a notice warning food and agriculture companies to beware of ransomware attacks.

Groups using the virus are seeking to disrupt operations, cause financial damage and negatively affect the food supply chain, the FBI memo said.

The notice explains that the food industry and agriculture sector has been facing a growing number of attacks in recent months as groups using ransomware viruses target critical industries with large attack surfaces.

Ransomware attacks hit food and agricultural companies

Many of the largest food companies today use many IoT devices and intelligent technologies in their processes, so large agricultural enterprises are targeted because they can afford to pay a higher ransom, and with smaller organizations, although there are fewer profits, they are attacked due to the inability to afford high-quality cybersecurity.

From 2019 to 2020, the average ransom claim doubled and the average cyber insurance payout increased by 65%. The highest observed demand for buybacks in 2020 amounted to $23 million. According to the IC3 report for 2020, 2,474 complaints identified as ransomware viruses were received, with adjusted losses of more than $29.1 million in all sectors. Separate studies have shown that 50-80% of the victims who paid the ransom were re-attacked by the same or other persons. Although cybercriminals use a variety of methods to infect victims, the most common methods of infection are email phishing campaigns, remote desktop protocol vulnerabilities, and software vulnerabilities, the FBI said.

Next, the notice lists numerous attacks on the food and agriculture sector, committed since November 2020, including the Sodinokibi/REvil ransomware attack on an American bakery company, attack on global meat processor JBS in May 2021, an attack on an American beverage company in March 2021 and an attack on an American farm in January 2021, which caused damage of about $9 million.

We want to raise awareness, and this need is particularly important for critical infrastructure owners and operators who provide critical services to Americans. Organizations and individuals should be on alert now, because criminals sometimes think about their steps in advance and begin planning, Deputy White House National Security Adviser Ann Neuberger.

The notice lists a number of measures that food industry and agriculture companies can take to protect themselves, including backup, network segmentation, multi-factor authentication, and proactive monitoring of remote access/RDP logs.^[3]

The US government has created a department to combat ransomware viruses and is offering $10 million for information about their distributors

In mid-July 2021, the US government created an anti-ransomware virus department and offers $10 million for information about persons involved in foreign-sanctioned malicious cyber activity against critical US infrastructure, including ransomware attacks. Read more here.

US Department of Justice puts ransomware virus attacks on a par with terrorism

In early June 2021, the US Department of Justice reported that ransomware attacks were equated to terrorism and received appropriate priority in investigations. The Justice Department's decision followed attacks by hackers on Colonial Pipeline and JBS, which led to fuel shortages on the east coast of the United States and beef shortages in North America and Australia.

Internal recommendations sent to US attorneys' offices state that a specially created task force in Washington will centrally coordinate investigations into ransomware virus attacks on the ground.

Specialized procedures will allow you to track all cases of the use of ransomware viruses so that the investigative committee can establish connections between the participants and find the instigators, "said John Carlin, an employee of the Ministry of Justice.

JupiterOne chief information security specialist Sunil Yu noted that if payments related to the use of ransomware viruses are now considered as terrorist financing, this will give the United States new leverage to countries harboring or supporting hackers. "For countries like North Korea, this is unlikely to be a major deterrent. However, other groups of hackers may reconsider their goals under such pressure. "

Dirk Schrader, vice president of cybersecurity research at New Net Technologies, noted that such a move by the government may not be enough to effectively deter cyber attacks. "Most of the issues are about gathering and centralizing information," he said. "Companies must report all cases of extortion to the authorities^[4]

Bose fought off ransomware virus attack

At the end of May 2021, the online publication Bleeping Computer reported an attempt to hack a sound equipment manufacturer Bose using a ransomware virus. In a notification letter filed with the New Hampshire attorney general's office, Bose reported a "complex one to cyber attack that led to the deployment of malware/ransomware" in the company's cyber environment. More. here

CNA Financial pays $40 million ransom after ransomware virus attack

At the end of May 2021, one of the largest insurance companies USA CNA Financial paid to hackers $40 million to regain control over its internal network. The ransom was demanded by hackers who attacked the company using a ransomware program that encrypts data on the victim's computers. More. here

Scripps Health clinic network attacked by ransomware viruses

In early May 2021, a large network of clinics Scripps Health deployed in the San Diego state California was subjected to to the attack a ransomware virus, as a result of which all IT systems of the company were disabled. More. here

2020

Ransomware virus attack on Baltimore County schools

At the end of November 2020, Baltimore County Public Schools were forced to cancel classes due to a ransomware virus attack. According to local reports, the virus has disabled the entire school system network. The form of the ransomware virus used in the attack has not been disclosed, but hackers are known to have demanded a ransom. Read more here.

Ransomware virus attack on Mattel, manufacturer of Barbie dolls

Mattel, a manufacturer of Barbie dolls, announced on November 4, 2020 that it was the victim of a ransomware virus attack, but it managed to repel it and avoid serious consequences. Read more here.

US authorities begin to fine companies for paying ransom in ransomware attacks

In early October 2020, the Office of Foreign Assets Control of the US Treasury Department (OFAC) presented guidance for victims of ransomware viruses. The department noted that paying the ransom to attackers against whom US sanctions apply, as well as related cyber fraudsters, will be considered a violation of sanctions, for which a fine is expected.

The document notes that after paying a ransom against a company, organization, individual, financial organization through which funds were transferred, as well as companies engaged in cyber risk insurance and investigation of cyber incidents, a trial may be initiated in connection with the violation of sanctions. We are talking about those cases when the attack was carried out by hacker groups included in the sanctions list, or associated with them.

In the event of an attack, victims are advised to immediately contact the Office of Foreign Assets Control (OFAC) of the US Treasury, since litigation against violators can eventually lead to serious fines.

It is known that the sanctions list includes: Lazarus Group, Evgeny Bogachev (Cryptolocker ransomware virus), Ali Khorashadizade and Mohammad Gorbaniyan (SamSam ransomware), Maxim Yakubets and the hacker group EvilCorp created by him (Dridex program), Bluenoroff and Andariel (associated with the WannaBit ransomware).

The department also noted that if extortionists fall under US sanctions, the appeal of the affected company to law enforcement agencies will become a "significant mitigating factor" for it. However, the statement also notes that the guidance presented "is only explanatory in nature and has no legislative force."

Ransomware virus attack on IT provider in public sector Tyler Technologies

At the end of September 2020, Tyler Technologies, which supplies IT solutions to state and local authorities in all US states, was attacked by a ransomware virus. Tyler Technologies says the cyber attack only hit the company's internal systems and did not affect customers. Read more here.

Ransomware virus attack on Equinix

In mid-September 2020, Equinix, the world's largest data center operator, attacked a ransomware virus. Equinix said the cyber attack did not disrupt data centers, and the company's cybersecurity team has already taken the necessary actions, notified law enforcement and is continuing to investigate. Read more here.

Ransomware virus attack on Connecticut state schools

In early September 2020, schools in Hartford, Connecticut, were unable to open their doors to students due to a ransomware virus attack that shut down critical IT systems. The Hartford mayor called the incident "the largest and most significant virus attack in the city in five years." The ransomware program did not affect students' learning platforms, but damaged a number of other systems relevant to studies, including the compilation of school bus routes. Read more here.

Ransomware virus attack on University of Utah

On August 19, 2020, the College of Social and Behavioral Sciences at the University of Utah fell victim to a ransomware virus. The leadership of the educational institution paid hackers a ransom of $457 thousand, as a result of the attack, the attackers gained access to confidential data of employees and students. Read more here.

Ransomware virus attack on world's largest cruise operator Carnival

In mid-August 2020, the world's largest cruise operator Carnival fell victim to a ransomware virus, as a result of which customer data fell into the hands of hackers. The cyber attack took place on August 15 and was discovered by the company on the same day. Unknown hackers encrypted some of the systems and downloaded data files of the same brand. Read more here.

Revil ransomware virus attack on whiskey maker Brown-Forman

On August 17, 2020, it became known that Brown-Forman, known for releasing Jack Daniel's whiskey, was attacked by the Revil ransomware virus, as a result of which hackers managed to steal 1 TB of corporate data. Read more here.

Garmin paid a ransom of $10 million to restore systems after a ransomware virus attack

At the end of July 2020, Garmin became a victim of a ransomware virus attack. The manufacturer of navigation devices paid hackers a ransom of $10 million to restore all services. Read more here.

University of California paid $1 million ransom after ransomware attack

In early July 2020, the University of California at San Francisco (UCSF) paid a $1.14 million ransom to restore important academic files blocked by the ransomware virus. Read more here.

American medical institutions lost $157 million in 5 years due to ransomware viruses

In mid-February 2020, it became known that American medical institutions in five years lost $157 million due to more than 170 ransomware attacks. Read more here.

Ransomware virus attacked American gas pipeline operator

In mid-February 2020, it became known that the ransomware virus attacked the American gas pipeline operator and interrupted the compression plant. The date of the attack has not been announced, but technical recommendations are being given for other critical infrastructure operators to take appropriate precautions.

According to a report by the US Interior Ministry, the incident occurred after "a hacker used a phishing connection to gain access to the organization's information network, and then entered the operating network." If the information network is mainly for office and other administrative work, then the operating network allows you to manage critical factory equipment and other production operations.

Having gained access to the operating network, the attacker launched a ransomware virus that encrypted all available company data simultaneously in the information and operating networks, and then requested a ransom. According to the report, the virus did not affect programmable logic controllers, which are small sensors and devices that directly interact with factory equipment. However, operators could not access other data, which led to a malfunction.

The pipeline operator decided to temporarily halt operations as a precaution to avoid unwanted incidents, although the emergency plan did not require mandatory equipment shutdowns in the event of a cyber attack. The activities of the gas pipeline operator were stopped for two days, after which the workers resumed their activities as usual. Regulators noted that the facility's emergency response plan focused on physical security threats rather than cyber attacks, so staff were unable to adequately respond to the situation. The pipeline operator promised to revise its internal procedures and standards.

2019

More than 100 civil services in the United States were attacked by ransomware viruses

On February 11, 2020, the company IBM published the annual IBM X-Force Threat Intelligence Index 2020, which showed how methods have changed cybercriminals over several decades of illegally accessing billions of corporate and personal records and exploiting hundreds of thousands of vulnerabilities in software. According to the study, 60% of primary intrusions infrastructure into victims were carried out using previously stolen credentials data and known vulnerabilities, which ON made it possible to to malefactors rely less on deceiving users to get access to the data.

More than 100 state services USA in were subjected to the attacks viruses to -encryptors in 2019. IBM X-Force specialists also noted large-scale attacks against, retailers production transport and companies. More. here

The world's largest currency exchange network has stopped working due to a cyber attack. Hackers demand a ransom of $6 million

At the end of December 2020, a cyber attack was carried out on Travelex, which led to the suspension of the world's largest currency exchange network. Hackers claim that they stole 5 GB of "valuable customer data" and threaten to put it up for sale if they do not receive a ransom of $6 million by January 14, 2020. Read more here.

US Coast Guard base attacked by ransomware virus

At the end of December 2019, the US Coast Guard base was attacked by a ransomware virus that disabled cameras, door access control systems and monitoring systems. Read more here.

Ransomware virus attack on government agencies in New Orleans

On December 15, 2019, the authorities of the city of New Orleans (state) Louisiana imposed a state of emergency due to mass cyber attacks hackers on state bodies. This was announced by the mayor of the city Latoya Cantrell in his official account on the social network. Twitter More. here

CyrusOne attacked ransomware virus

In early December 2019, one of the largest data center operators in the United States, CyrusOne, attacked a ransomware virus. Customers began to have massive failures. Read more here.

Ransomware virus infects hundreds of dental clinics in the United States

At the end of August 2019, it became known about the ransomware virus attack on hundreds of dental clinics in the United States. They were forced to pay a ransom for decrypting files, but the recovery process is slow. For several days, dentists were in a forced downtime due to the blocking of their computer systems. Read more here.

Ransomware virus attack on Texas government agencies

Approximately 23 government agencies in Texas were affected by an unprecedented coordinated ransomware virus attack that began on August 16, 2019. Read more here.

The United States introduced a state of emergency after the attack of ransomware viruses on schools

In late July 2019, the Louisiana state government declared a state of emergency after multiple ransomware virus attacks on schools from the north of the state. Due to cyber attacks that began on July 23, 2019, data was blocked on school computer systems in three districts. Read more here.

Another Florida city paid $0.5 million ransom after ransomware attack

At the end of June 2019, it became known that the administration of Lake City in Florida agreed to pay $490 thousand to a hacker to unlock computer systems after a ransomware virus attack.

Lake City survived a hacker attack on June 10, 2019. 10 minutes after the attack, the authorities of the city of 65 thousand inhabitants turned off the IT systems. As a result, the settlement was left without telephone communication for one day, however, it was able to establish the reception of calls to emergency services through a special system.

Lake City agrees buyout to unlock computers hit by ransomware

By June 25, some of the computer systems affected by the malware were restored, but the work of e-mail and telephone communications remained paralyzed.

The city administration decided to pay a ransom of 42 bitcoins. Most of this amount will be reimbursed by the Florida League of Cities insurance company, with which the cyber risk insurance contract was concluded. The agreement includes a franchise of $10 thousand - its authorities will transfer the Florida League of Cities, and then they will receive from the insurance company the entire amount sent to the cybercriminal.

After the ransom was handed over, the ransomware virus distributor provided a decryption key that allowed the electronic systems to be restored. At the same time, some e-mail letters could not be returned. An investigation is underway.

In one week, Lake City became the second city in Florida after Riviera Beach to agree to a ransom after a ransomware virus attack. There are more and more such cyber attacks in the United States.

According to the FBI, in 2018, 1,493 ransomware attacks were reported, as a result of which hackers were paid about $3.6 million. From the beginning of 2019 to the end of June, more than 20 American cities were attacked. Some of them managed to cope with the problem without paying fraudsters.^[5]

Florida city pays hackers $600,000 after ransomware attack

In mid-June 2019, the city council of Riviera Beach (Florida) paid hackers more than $600,000 so that city officials could recover data that remained locked and encrypted for more than three weeks.

The city was forced to make that decision when officials concluded that there was no other way to restore the city's documents. The administration also had to pay $941,000 to buy new computers.

The city in Florida paid hackers $600 thousand and bought new PCs for $941 thousand after the ransomware virus attack

Access to Riviera Beach administration data was blocked on May 29, 2019, when a police department officer opened an email with a ransomware virus and accidentally launched it into a local network. The virus blocked the files and stopped the work of all city services, except for the emergency rescue service. The city's website, mail server and all other systems were unavailable for three weeks, and all city communications were carried out in person, by phone or through posters.

The city held its first meeting on June 3 and decided to purchase 310 desktops and 90 laptops and other equipment necessary to restore the city's IT infrastructure after the incident. Initially, the administration was not going to pay criminals, but it soon became clear that otherwise access to the file system could not be obtained. At the next meeting, officials unanimously voted to transfer the required amount to fraudsters. The local publication reported that it took less than a couple of minutes to vote.

Riviera Beach is considered a suburb of Palm Beach. In 2018, another local suburb, Palm Springs, was also forced to pay ransomware, but these measures did not help - as a result of a hacker attack, the city administration lost all data in two years.^[6]

The authorities of the American district paid $400 thousand ransom to distributors of the ransomware virus

In early March 2019, Jackson County authorities in Georgia paid $400,000 to cybercriminals to get rid of the ransomware virus and restore access to their IT systems.

The virus penetrated the county's internal network on March 1, 2019, and caused most local government IT systems to shut down, with the exception of its website and 911 emergency system. The authorities did not stop working, but returned to the usual paper documentation. In addition, they notified FBI and hired a consultant on. cyber security

The consultant held talks with the distributors of the virus, and as a result, Georgia County paid hackers a ransom to obtain a decryption key and restore access to files. Officials immediately began decrypting infected files and cleaning servers.

In early March 2019, Jackson County authorities in Georgia paid $400,000 to cybercriminals to get rid of the ransomware virus and restore access to their IT systems

According to the consultant, the district authorities may not have paid the ransomware, but then it would have taken several months to restore the system, and it would have taken no less than the amount that fell into the hands of hackers as a result. Similar cases have already been noted. For example, the Atlanta authorities in Georgia spent several million to restore the network, the cost of which as a result increased from $2.6 million to $17 million. In addition, Jackson County paid far from the largest ransom - this record was set by the South Korean web hosting company Internet Nayana, which paid hackers $1.14 million after a cyber attack in June 2017.

The consultant determined that the ransomware that hit Jackson County's network is known as the Ryunk gang. They operate from Eastern Europe and during 2018 several times carried out cyber attacks on local authorities, and health care large corporate networks. Viruses extortioners Ryuk usually appear on networks after infection with Emotet or Trickbot malware.

^[7]

2018

Microsoft Security Intelligence Report

The corporation Microsoft published information security the Security Intelligence Report in April 2018 for the period from February 2017. It is based on data obtained by the company's security programs and services (Data on the number of detected threats, and not on cases of infection). The information was provided by corporate and private users who agreed to share it with geolocation binding.

Extorting cryptocurrency or other payments with the threat of destroying all victim data remains an attractive strategy for attackers. In 2017, three outbreaks of ransomware viruses - WannaCrypt, Petya/NotPetya and BadRabbit - caused infection of many corporate networks, including in hospitals, transport systems and traffic management systems. The ransomware attacks that we saw last year were extremely devastating and developed rapidly, leaving most of the victims without access to their files for a long time.

In Russia, on average, 0.13% of devices encountered ransomware per month, in the world this figure is 0.14%. Most often, users in Asia faced this type of threat. The highest rate of ransomware virus detection is in Myanmar (0.48%), Bangladesh (0.36%) and Venezuela (0.33%). The lowest figure was in Japan, Finland and the United States (0.03%).

Hospital in the United States paid $55 thousand cyber drivers

In early January 2018, the Hancock Health clinic in the American city of Greenfield, Indiana, was subjected to a hacker attack using the SamSam ransomware virus, which paralyzed the operation of a medical facility at the height of the flu epidemic in the state. To quickly recover the data, the hospital management paid ransomware ransoms in the amount of 4 bitcoins, which at the time of payment amounted to about $55 thousand. Read more here.

2017: Los Angeles Community College administration pays record $28K ransom after ransomware Trojan attack

The administration of a community college in Los Angeles paid a ransom for returning access to data encrypted by a ransomware Trojan - $28,000.^[8]

The attack on the educational institution happened on New Year's Eve. Hundreds of thousands of files turned out to be encrypted, as a result, almost all internal services, including email and messaging systems, failed.

Payments to hackers for returning data encrypted by them are growing

The school server found a demand from hackers to pay a ransom in bitcoins within seven days, otherwise the attackers promised to destroy the secret encryption key and deprive the college of the opportunity to return access to the data.

It immediately turned out that it was impossible to restore data from backups. After a meeting with involved security experts, the college administration concluded that it had no other options but to pay the required amount.

28 thousand dollars is the largest ransom, information about which fell into public space. According to some reports, larger payments also happen, but victims - usually large organizations - prefer not to advertise them. In 2016, the average "rate" on the part of cyber drivers was $679, a year earlier - $294.

More than twofold growth, apparently, is associated with an increased number of incidents that ended in repurchase payments, and in amounts significantly higher than the "average rate." In February 2016, the Presbyterian Medical Center in Hollywood paid a ransom of $17,000 after the ransom attack.^[9]

This is a very bad precedent - when the official structure follows the lead of criminals, pays a ransom and, in addition, reports this publicly. Now rates will continue to grow, "says Dmitry Gvozdev, CEO of Security Monitor. - If organizations are ready to pay five-figure amounts, then the requirements will grow. The only effective way to counteract ransomware is to regularly "cold" backup data, correctly configure access to them when working and closely interact with law enforcement agencies.

See also

• Ransomware viruses (ransomware) in Russia

Notes