Ransomware: Where Does the Fault Lie?

The spread of ransomware is big technology news. In March, the city of Atlanta was hit by a ransomware attack that crippled its services, from police to courts. Cyberthieves demanded $51,000.

But the Atlanta attack is just one of many where cyberthieves extort money in exchange for restoring crippled online systems. National Public Radio reports a dramatic rise in the number of U.S. ransomware attacks, from 2,673 in 2016 to roughly 3,000 in 2017. Ransomware perpetrators received more than $2.4 million in U.S.-based payments from their victims in both years.

Globally, though, ransomware is thought to have extorted a total of $8 billion.

Poor Security to Blame?

The blame for ransomware falls on the hackers, of course. But protective measures, or the lack of them, play a big role as well.

According to the FBI, the climb in ransomware attacks has been particularly severe against public-facing organizations, including state and local government, law enforcement, school districts, and hospitals.

Educational institutions are at particular risk: 10 times more likely to be hit with a ransomware attack than financial institutions and 3 times more likely than health care institutions.

Is the reason that they are less likely to have strong defensive security against cyber attacks? Possibly. Many educational institutions have been hit with budget cutbacks over the past decade, making state-of-the-art security an unlikely priority. Their IT departments tend to be smaller than those of large corporations.

Government organizations, such as local, state, and federal agencies, are in the same budget-constrained boat. They earned a security rating that was just one notch up from the absolute bottom, according to a cybersecurity ratings organization.

They are also the second most likely to be hit with a ransomware attack.

Ransomware thieves may also hit government offices such as police departments for the same reason they hit hospitals: the ability to respond is necessary for public safety, so they may be perceived as more likely to pay the ransom.

Human error was partly at fault in the huge WannaCry attack.

Human Error to Blame?

But it’s not just educational institutions and government agencies with relatively weak security systems that may be fueling the rise in ransomware.

As the industry publication CIO Dive points out, many large cyber attacks have spread due to human fallibility. Phishing is still one of the most frequently used methods of opening a system to ransomware — and phishing requires a human clicking on an e-mail attachment or link.

Last year’s huge ransomware event, WannaCry, depended both on a degree of user ignorance and on unpatched software. In other words, a poor defense met a strong offense.

Another attack, Nyetya (NotPetya), was a wiper (malware that destroys data rather than merely holding it for ransom), and it too succeeded because of missing software updates.

And, as the FBI points out, paying a ransomware demand is itself a form of human error. Meeting the demand for money may, as with blackmail, simply invite further attacks at a later date.

While it’s understandable that hospitals may feel they cannot risk nonfunctioning computer systems and thus pay a ransom, the fact remains that it’s almost always a bad idea in terms of business strategy.

In fact, NPR points out that in some ransomware cases, the thieves have not held up their end of the implicit bargain. The ransom was paid, but the victims never received the promised decryption key that would have given them back their data.

So while ransomware attackers are the chief culprits, weak security and human error play a role too. All the more reason to invest in strong security and follow preventive measures against ransomware.