Incident Report

Hertz So Good: When Ransomware Hits the Airwaves

By Matt Berns, Threat Intelligence Analyst, Access Point Consulting

In May of 2024, the American Radio Relay League (ARRL), a national association for amateur radio, was hit by a severe ransomware attack that encrypted multiple internal systems, including desktops, laptops, and both Windows and Linux servers. The attack was a highly coordinated effort by organized criminals who had compromised ARRL's on-site and cloud-based systems weeks before deploying the ransomware. The breach was enabled by information purchased on the dark web. In response, ARRL swiftly assembled a crisis management team, engaged external security experts, and notified law enforcement.

Payments and Thefts Trend Upward

The attackers demanded a multi-million-dollar ransom but eventually settled for $1 million because they did not gain access to compromising data. The payment, along with the costs of restoring the affected systems, was primarily covered by ARRL’s insurance.

The attack on ARRL is part of a broader trend in 2024, where ransomware payments and cryptocurrency thefts have surged. According to blockchain analysis firm Chainalysis, ransomware payments in the first half of 2024 reached nearly $460 million, a 2% increase from the same period in 2023.

Meanwhile, cryptocurrency thefts soared to $1.58 billion, an 84% increase over the same period of 2023. The rise in ransomware payments is driven partly by a tactic known as ‘big game hunting,’ in which criminals concentrate on large organizations that can afford, and are more likely to pay, substantial ransoms. That shift has pushed the median payment to the most prevalent strains from roughly $200,000 in early 2023 to $1.5 million by mid-2024.

Law Enforcement’s Response

While law enforcement efforts have disrupted some major ransomware operations, leading to a migration of affiliates to less effective malware strains, the overall impact on victims remains significant.

Following the attack, ARRL took several services offline as a precaution, including the Logbook of The World (LoTW), which was not itself encrypted but depended on other servers that were. ARRL announced that most systems had been restored but that infrastructure updates would take additional time to complete. Although the organization has not confirmed whether personal information was compromised, it did notify the Maine Attorney General’s Office in July that the personal data of 150 employees, including names, addresses, and Social Security numbers, might have been affected.

Responding to an Attack

If your organization falls victim to a ransomware attack, engage law enforcement early; in the United States that means the FBI (through the Internet Crime Complaint Center, IC3, or a local field office) and CISA. Deploying ransomware is a crime, and reporting it is increasingly a legal obligation rather than a courtesy: regulated sectors such as healthcare, insurance and banking must notify their regulators (a HIPAA-covered entity, for example, reports a breach of protected health information to the U.S. Department of Health and Human Services), and state breach-notification laws apply whenever personal data may have been exposed, which is why ARRL notified the Maine Attorney General. Reporting also gives investigators the indicators they need to track criminal groups and warn other potential victims.

Containing the damage, protecting sensitive information and keeping the business running all depend on one preliminary step: a thoroughly planned and regularly tested incident response plan. That plan has to exist before an attack, not be improvised during or after one; if you need it and don’t have it, it is already too late.

First, isolate affected systems immediately to stop the ransomware spreading: pull the network cable or disable the switch port, and turn off Wi-Fi, Bluetooth and any other network interface. Pause automatic maintenance tasks (scheduled backup jobs, patching, log rotation, antivirus clean-ups) that could overwrite evidence or interfere with recovery, and disconnect backup repositories so they cannot be encrypted or deleted; many crews go after backups first, precisely because they are the victim’s alternative to paying. If the attacker holds domain-level credentials, isolating individual endpoints is not enough; treat the directory itself as compromised.

Photograph the ransom note with a separate device. The note, the contact address and any victim ID it contains help identify the strain, and the photograph will be needed for the reports filed with law enforcement and insurers.

Notify your IT security team right away so the incident response plan is activated. Do not power off or reboot infected machines: a reboot can trigger further encryption or a destructive stage, and, like a shutdown, it destroys the contents of memory (running processes, network connections and, for some strains, the encryption key material) that forensic analysts need. Keep machines running but network-isolated and capture a memory image with a forensic tool before any power change. If a system must be powered down, hibernate it rather than shut it down; hibernation writes RAM to disk (hiberfil.sys on Windows), where it can still be analysed, at the cost of possibly overwriting some deleted-file remnants.

Once the systems are isolated, identify the ransomware variant from the ransom note and a sample of encrypted files, using a service such as ID Ransomware or the No More Ransom project’s Crypto Sheriff. Knowing the strain tells you how it spreads, what it encrypts, whether it is known to exfiltrate data before encrypting, and whether a free decryptor exists: No More Ransom publishes decryptors for a number of strains, which can make payment unnecessary. Test any decryptor on copies of a few files first; a decryptor for the wrong strain or version can destroy data that would otherwise have been recoverable.

Recovery rarely means “removing” the ransomware from a live system; the safer course is to rebuild affected hosts from known-good images, then restore data from backups taken before the intrusion and verified to be clean. Rotate every credential the attacker could have captured, including service accounts, local administrator passwords and, if Active Directory was compromised, the KRBTGT account (twice). Backups should follow the 3-2-1 rule: three copies of your data, on two different types of storage media, with one copy offsite; today that rule should be read with one more requirement, that at least one copy is offline or immutable so that stolen administrator credentials cannot delete it. That discipline is what makes recovery without payment realistic. After the incident, conduct a security audit, close the initial access vector, apply outstanding patches, and refine your incident response plan with the lessons learned.
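The identification and scoping steps above can be partly automated. The following Python script is an added example written for this page, not ARRL’s or Access Point Consulting’s tooling: pointed at a directory tree copied from an isolated host, it flags files whose contents look encrypted (high Shannon entropy with no recognisable file header), tallies the extensions the malware appended, finds candidate ransom notes, and reports the window in which the encrypted files were last written. The appended extension and note filename are what services like ID Ransomware key on, and the time window bounds the encryption run for the law-enforcement report. The entropy threshold, the magic-byte allowlist, the note-name pattern and the sample tree the script builds are all assumptions constructed for the example.

```python
"""Ransomware scoping triage (added example, not ARRL's or Access Point's tooling)."""
import json
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data is ~8.0 (assumed cut-off)
SAMPLE_BYTES = 64 * 1024  # read only the head of each file; intermittent encryption
                          # schemes still scramble the first block
MIN_BYTES = 256           # below this, entropy is too noisy to trust (assumption)
# Formats that are compressed or encrypted by design, and therefore high-entropy
# when perfectly healthy.  Office documents (.docx/.xlsx) are zip files.
BENIGN_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"%PDF", b"7z\xbc\xaf")
# Ransom notes are almost always plaintext/HTML with an attention-grabbing name (assumed pattern).
NOTE_NAME = re.compile(r"readme|how[_ -]?to|recover|decrypt|restore", re.I)
NOTE_EXTS = {".txt", ".html", ".hta", ""}


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when the file head is high-entropy and carries no known format header."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < MIN_BYTES or head.startswith(BENIGN_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def triage(root) -> dict:
    """Walk `root` and summarise what the ransomware touched."""
    root = Path(root)
    encrypted, notes, exts, mtimes = [], [], Counter(), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if NOTE_NAME.search(p.name) and p.suffix.lower() in NOTE_EXTS:
            notes.append(rel)
        elif looks_encrypted(p):
            encrypted.append(rel)
            exts[p.suffix.lower() or "<none>"] += 1
            mtimes.append(p.stat().st_mtime)
    return {
        "encrypted_files": encrypted,
        "encrypted_count": len(encrypted),
        "appended_extensions": dict(exts.most_common()),
        "ransom_notes": notes,
        "first_write": _iso(min(mtimes)) if mtimes else None,
        "last_write": _iso(max(mtimes)) if mtimes else None,
    }


def build_sample() -> Path:
    """Constructed sample tree standing in for a file share on an isolated host."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "reports").mkdir()
    (root / "finance").mkdir()
    (root / "reports" / "q1.txt").write_text("quarterly report\n" * 100)              # untouched text
    (root / "reports" / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(4096))  # healthy, compressed
    (root / "finance" / "ledger.xlsx.locked").write_bytes(os.urandom(4096))          # encrypted
    (root / "finance" / "notes.txt.locked").write_bytes(os.urandom(8192))            # encrypted
    (root / "finance" / "tiny.cfg").write_bytes(os.urandom(32))                      # too small to judge
    (root / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. Contact ...\n")
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it against a read-only copy of the data, never against the live host, and treat the output as a starting point: entropy flags native archives and media that lack the listed headers as false positives, and a strain that renames files without appending an extension will show up under `<none>`.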

The Risks of Payment

Deciding whether to pay the ransom is a complex and high-risk decision. Paying may look like the quickest way back to your data, but it often backfires. There is no guarantee that the attackers will hand over a working decryption key after payment, and the decryptors criminals supply are frequently slow and unreliable. Negotiating can also provoke further action: some groups respond to a stalled negotiation by publishing the stolen data, and in some cases have gone on to post the organization’s network access, credentials included, for other criminals to use. Payment to a sanctioned group can additionally expose the payer to liability under U.S. Treasury (OFAC) sanctions rules, one more reason to involve counsel and law enforcement before any negotiation begins.

Cybercriminals keep track of victims who pay, marking them as willing to comply, and may strike again knowing a payout is likely; an initial access vector left open can turn one incident into a cycle of repeated attacks, each potentially more damaging than the last. Paying also funds and encourages further criminal activity, expanding the threat to everyone else. Rather than budgeting for a ransom, invest in prevention and in a tested incident response plan to minimize the odds of being victimized again.
