What is the goal of ransomware attacks on cities and towns?


There are more and more reports in the media about cyber attacks with ransomware on cities, municipalities and their administrations. However, no administration pays the ransom. So who benefits from all this? Richard Werner, business consultant at Trend Micro, gives very interesting answers to B2B CYBER SECURITY in an interview.

The list of cities and communities attacked is now really long. Only recently were 12 Bavarian communities paralyzed and blackmailed. Before that, there was a cyber attack with ransomware on the IT service provider South Westphalia-IT by the Akira ransomware group. The provider supplies, among other things, 72 municipalities with IT services. All processes within the communities are still partially disrupted.

Communities under attack don’t pay ransoms – why all this?

All of the attacks have one thing in common: the requested ransom was of course not paid, which was to be expected. Why then do APT groups and other cyber gangsters attack communities when there is nothing to be gained there? We asked Richard Werner, Business Consultant at Trend Micro, this question and more. The expert has some interesting answers.

B2B Cyber Security: “City administrations have been attacked more and more recently. Does it just seem that way in the media or can you confirm it?”

Expert in an interview: Richard Werner, Business Consultant at Trend Micro

Richard Werner, Trend Micro: The public perception is certainly distorted to some extent: most attacks still occur on private sector companies – i.e. potentially “paying customers” for cybercriminals. However, successful attacks on private companies are rarely reported in the news - if at all, then only in very large companies. If local authorities are paralyzed, this has a serious impact on the population, which is why it is at least reported in the local press. This type of attack therefore appears more often in the news.

At the same time, however, this does not mean that municipalities can be given the all-clear. Authorities are among the most frequently attacked organizations internationally and are regularly among the top 3 affected sectors - and the trend is rising. In addition, the negative consequences for the population are regularly massive, as already mentioned.

The website “Municipal emergency operation”, which collects reports on IT security incidents in German local governments, provides a clear overview of the situation in Germany. It can also be seen here that there has actually been an increase in ransomware incidents recently. So the situation is really serious.

B2B Cyber Security: “No city pays ransom, but rather reorganizes the administration. Then why are they targets?”

Richard Werner, Trend Micro: There are several reasons for that. On the one hand, authorities are relatively “soft targets”. In many places, a lack of personnel and low budgets create challenges when it comes to operating modern IT architectures - not to mention the corresponding security. This makes it relatively easy to attack these targets, which may be used to train new “recruits”. However, attacks are often automatic and require little effort for criminals.

B2B Cyber Security: “Are the attackers perhaps hoping for something other than a ransom?”

Richard Werner, Trend Micro: Worldwide, the “payment behavior” of victims has declined. Cyber attackers are therefore changing their business model. An important source of income is trading stolen data. Personal data can be easily sold in the digital underground and authorities in particular usually have a lot of it. If encryption is carried out by attackers these days, it must be assumed that data has already been leaked beforehand. Encryption will still be carried out if possible. It then serves as an additional source of income, but also to cover tracks.

This data is not only sold, but can also be used for further attacks. When thinking about business email compromise and other social engineering attacks, data from public registries can be of great value. The use of generative artificial intelligence – keyword “deepfakes” – is making such attacks increasingly easy.

In addition, it can also be assumed that many perpetrators have a political motivation and consciously want to harm authorities and public institutions. It is not always easy to clearly distinguish between financial and political motives - especially if things are not made particularly difficult for the perpetrators.

And ultimately, cybercriminals are just people who like to boast about their achievements. When victims are reported, attribution is usually made. Successful attacks are regularly discussed and commented on in darknet underground forums. If a criminal group has paralyzed an entire city, they gain enormous “street credibility” among their peers. This notoriety also serves to acquire further “affiliates” or “subcontractors” of a ransomware group. If such an attribution is also made publicly in the media, it also has the effect of maximizing the threat to other victims.

B2B Cyber Security: “Some attacks look more like disruption than attacks – do you see it that way?”

Richard Werner, Trend Micro: As already said: the motivations of the perpetrators are diverse and cannot always be separated. Causing disruption is certainly also a key aspect of ransomware attacks. We see that criminal groups act on behalf of nation states or are at least tolerated by them as long as they only attack “the right” victims - especially in Eastern Europe. There are also likely nation-state actors at work in the Middle and Far East who are using ransomware for purely destructive attacks. They encrypt data without ever contacting the victim, demanding a ransom, or enabling decryption.

But I would like to emphasize once again: regardless of the motivation of the attackers, the damage is enormous and the effects on the population are often serious. It is therefore essential, especially on the municipal side, to focus on data security and the security of digital infrastructures. Security must be taken into account right from the start in all digitalization processes in administration.

Editor/sel
