The spectre of ransomware
Uptime Institute Intelligence plans to release its 2019/2020 outages report shortly. This report will examine the types, causes and impacts of public outages, as well as further analyze the results of a recent Uptime survey on outages and impacts. The data will once again show that serious IT service interruptions are common and costly, with the impacts often causing serious disruption.
We have excluded one type of outage from the report: those caused by cyberattacks. Data integrity and cybersecurity is, of course, a very major issue that requires vigilant attention and investment, but it is not currently an area on which Uptime Institute researches and advises. Most security issues are data breaches; although they have serious consequences, they do not usually lead to a service interruption.
However, two forms of malicious attack can and often do lead to outages or at least a severe service degradation. The first is a Distributed Denial of Service (DDoS) attack, where a coordinated attempt is made to overwhelm a site with traffic. Uptime has tracked a number of these each year for many years, and security specialists say they are increasingly common. Even so, most organizations that are DDoS targets have developed effective countermeasures that minimize the threat. These measures include such techniques as packet filtering, load balancing and blocking suspect internet protocol addresses. As a result, DDoS attacks are showing up less frequently in our lists of outages.
The second type, ransomware, is emerging as a major problem and cause of outages. Ransomware attackers deny authorized users access to their own data; the hackers use malware to encrypt the user’s files and refuse to unlock them unless a ransom is paid. Often, operators have no choice but to take down all involved IT services in an attempt to recover access, restore from the last clean backup copy, and purge the systems of viruses. Outages can last days or weeks.
In the past two years, ransomware attacks have increased dramatically. The FBI investigated over 1,400 ransomware attacks in 2018. Government offices are a particular target. Kaspersky Research Labs, operated by security software supplier Kaspersky, identified 147 attacks on municipalities in 2019 (up 60%), in which the criminals demanded ransoms of $5.3 million. The IT Governance blog, based in the UK, recorded 19 major ransomware attacks globally in December 2019 alone.
Most US cities have now signed a charter never to pay a ransom to the criminals — but more importantly, most are now also upgrading their infrastructure and practices to prevent attacks. Some that have been targeted, however, have paid the ransom.
Perhaps the two most serious attacks in 2019 were the City of Baltimore, which refused to pay the ransom and budgeted $18 million to fix its problem; and the City of Atlanta, which also refused to pay the ransom and paid over $7 million to fully restore operations. The WannaCry virus attack in 2018 reportedly cost the UK National Health Service over $120 million (£92 million). And on New Year’s Eve 2019, Travelex’s currency trading went offline for two weeks due to a ransomware attack, costing it millions.
Preventing a ransomware attack has become — or should become — a very high priority for those concerned with resiliency. Addressing the risk may involve some stringent, expensive and inconvenient processes, such as multifactor security, since attackers will likely try to copy all passwords as well as encrypt files. In terms of the Uptime Institute Outage Severity Rating, many attacks quickly escalate to the most serious Category 4 or 5 levels — severe enough to costs millions and threaten the survival of the organization. Indeed, one North American health provider has struggled to recover after receiving a $14 million ransom demand.
All of this points to the obvious imperative: The availability and integrity of digital infrastructure, data and services is critical — in the fullest sense of the word — to almost all organizations today, and assessments of vulnerability need to span security, software, systems, power, networks and facilities. Weaknesses are likely to be exploited; sufficient investment and diligence in this area has become essential and must never waver. In hindsight we discover that almost all outages could have prevented with better management, processes and technology.
Members of the Uptime Institute Network can read more on this topic here.