A recent surge of ransomware attacks against local governments, law enforcement agencies and school systems across the United States can be traced to an increase in activity by a hacker group known to employ financial malware to take over targeted computer systems and extract large payments, according to cybersecurity firm CrowdStrike.
The activity comes from a Russia-based group CrowdStrike dubbed Wizard Spider, which operates a banking trojan known as TrickBot. That virus has been frequently associated with the Ryuk ransomware, which has been identified as the culprit in at least 13 public-sector cyberattacks since last October, including several that elicited six-figure payouts from local governments in Georgia, Florida, and Indiana, and most recently a school district in New York.
“It’s big-game hunting,” Adam Meyers, CrowdStrike’s vice president of intelligence, told StateScoop last week. “What they’re doing is getting into the environment with a banking trojan. Then they get to a system where they can exploit the ransomware.”
While the Wizard Spider group developed the TrickBot trojan, the Ryuk ransomware that encrypts infected computers and demands payments has been attributed to a subsidiary cell that CrowdStrike calls Grim Spider. Research the firm published earlier this year gave “medium-high” confidence that Grim Spider, like its parent organization, operates out of Russia.
The first eight months of 2019 were particularly lucrative for the Ryuk malware’s authors. So far this year, Ryuk is known to have collected $400,000 from rural Jackson County, Georgia; nearly $600,000 from Riviera Beach, Florida; $490,000 from Lake City, Florida; $130,000 from LaPorte County, Indiana; and $100,000 from the public school district in Rockville Centre, New York.
“It’s been a heavy year of activity,” Meyers said. “They have some high likelihood of getting organizations to pay the ransom.”
Ryuk’s demands also tend to be far greater than those by other forms of ransomware. In July, it asked for an average payment of nearly $518,000, compared to an average of about $53,500 for all ransomware attacks, according to Coveware, a firm that helps organizations recover from ransomware. The company also found that while ransomware attacks have grown more rampant across all sectors, government victims typically pay nearly 10 times as much as the private sector.
But CrowdStrike’s Meyers said it appears hacker groups like Wizard Spider and Grim Spider have found a “soft underbelly” in local governments, which often lack strong internal cybersecurity capabilities.
“I think the problem with a lot of the state and local agencies is that they don’t have the resources,” he said. “[The hackers] know they have them in a position where they will feel the pressure to pay the ransom. There’s a lot of money being made.”