As hackers target U.S. cities, Las Vegas signs on to resolution not to pay future ransoms
Earlier this year, hackers brought the city of Baltimore to its knees. City employees were locked out of even the simplest systems, and email and phone systems were crippled as citizens were prevented from completing transactions such as paying a water bill.
What would become weeks of administrative carnage stemmed from a run-of-the-mill ransomware attack in which information stored on malware-infected computers was locked behind encryption. In broken English, a ransom note obtained by the Baltimore Sun demanded money and threatened the city with deletion of key data, reading in part, “We won’t talk more, all we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”
For Baltimore, regaining quick control — if the hackers kept their word — would have meant paying 13 bitcoin, or about $100,000 at the time of the attack. But the city refused to pay, spending roughly one month and more than $18 million to restore services — and joining a list of cities looking to lock out hackers by cutting off ransom payouts.
That list includes Las Vegas, which just last week signed onto a resolution from the U.S. Conference of Mayors — cosponsored by Las Vegas Mayor Carolyn Goodman and Baltimore Mayor Bernard C. “Jack” Young — in which member cities agreed not to pay ransoms related to malware attacks.
The only way for a city to quickly escape a data encryption wall is to give in to the demands of hackers — but even that is no guarantee.
“If you don't make a backup, I don't think there's any way to decrypt it,” Dr. Yoohwan Kim, an assistant professor of computer science at the University of Nevada, Las Vegas, said of data encrypted by ransomware. “Even if you pay the ransom, in some cases they don't get [the data] back. These are not really good businesspeople, sometimes they give the key, sometimes not.”
Even if cities refuse to pay up, they may still face massive costs associated with rebuilding crucial systems, upgrading security features and dealing with the loss of sometimes invaluable data.
“It could be $1,000, $1 million or almost immeasurable,” Kim said. Even smaller municipalities can be hit with major costs from an attack, such as when Allentown, Pennsylvania paid more than $1 million to recover from a ransomware attack in 2018.
And in Las Vegas, the threat of an attack may be even higher than in other U.S. cities. A 2018 study by the security firm Coronet found the Las Vegas metro area to be the most insecure in the country because of relatively low state funding for cybersecurity and tens of millions of tourists or convention attendees connecting to unprotected public Wi-Fi networks at hotels, casinos and restaurants.
As the value of data in any given system rises, so too do vulnerabilities, Dr. Shamik Sengupta, executive director of the University of Nevada, Reno Cybersecurity Center, said.
“The more high profile data that you have, the more sensitive data that you have or are storing, the more vulnerable you become to these attacks,” Sengupta said. “Attackers will always try to attack these organizations with more sensitive information, information that they can lock down so that they can actually get the money out of it.”
The City of Las Vegas’ Director of Information Technology, Michael Sherwood, was not available for an interview. However, in a statement emailed to The Nevada Independent, he said that content-borne attacks, or those stemming from phishing emails or malicious websites, were something the city is “especially vigilant about.”
“Cyber attacks are part of daily life for city governments, and we are constantly looking for ways to reduce our exposure,” the statement read. “The City of Las Vegas is constantly examining ways to reduce and protect its digital assets and remains diligent in improving our cybersecurity programs.”
Still, human fallibility may leave the gates open to infection by a virus or malware. In particular, phishing emails remain one of the easiest ways to enter a secure system, especially as hackers move away from the mass spam emails of old and toward new, more sophisticated personalized emails that trick a user into trusting the attacker.
“They know you, they know your name, your colleague’s name,” Kim said. “They can customize so it's realistic, it looks like it's coming from your friend, maybe your teacher or your parents or even human resources. So people trust it and then click on the links and then download all this malware.”
A successful phishing attempt results in the installation of malware, sometimes on an old, outdated system that may be rife with security holes or backdoors. Perhaps most damaging among these holes is the exploit known as EternalBlue, a hole in computers running Windows which allows malware to jump from computer to computer unseen. First developed by the NSA and then released publicly in 2017 by a hacking collective calling itself the Shadow Brokers, EternalBlue has been behind ransomware attacks both large and small — from the WannaCry attacks in 2017 which struck tens of thousands of computers worldwide, to a 2018 attack which compromised city computers in Allentown.
Even as the frequency of ransomware attacks fell through 2018 in favor of other, more lucrative attacks, according to an annual security study by IBM, cybersecurity experts say uses of EternalBlue as an exploit still reached all-time highs in early 2019.
And though Microsoft patched the vulnerability in 2017 — shortly before the WannaCry attack — hundreds of thousands of machines have yet to install those updates. According to the search engine Shodan, which logs machines connected to the internet, more than 400,000 computers in the U.S. remain susceptible to EternalBlue, by far the most of any country.
Ultimately, experts say that — unlike a Trojan Horse attack, where the damage done to a computer can be reversed — there is no way to extract or repair data once a machine has been compromised by a ransomware attack, and the one workaround lies in what you do before an attack happens.
“The only thing that you can do to prepare is to back up, every day or at least every week,” Kim said. “If you have a good backup, if you get hit by the ransomware you can go back to the backup and then load it back.”