Ransomware attacks matured in 2019, report says

Threat actors that target IT organizations like local governments and school districts have elevated their tactics, according to a new report from CrowdStrike.

Cybersecurity threats to IT organizations, especially state and local governments, got more sophisticated in 2019, pressing tech officials to get more aggressive in how they defend their networks and conduct incident response after an attack, according to a report published Tuesday by the information security firm CrowdStrike.

The company found that the five most common malware infections it helped its clients with last year — Trickbot, Emotet, Ryuk, Dridex and BitPaymer — came from criminal groups, some of which appear to be collaborating with each other.

“We still see this being a staged attack cycle that leverages a number of different types of malware,” said Thomas Etheridge, CrowdStrike’s vice president of services.

The CrowdStrike report includes descriptions of hacker groups that use techniques seen in many ransomware attacks last year against U.S. cities, some of which elicited six-figure payments by governments desperate to regain control of their networks and applications. CrowdStrike’s researchers say there’s been a rise in such “big-game hunting,” attacks that target large organizations that are “especially sensitive to downtime,” raising the temptation for victims to cede to financial demands.


In one common attack scenario, a group that CrowdStrike calls “Mummy Spider” installs Emotet, a popular Trojan, using phishing emails to steal user credentials and enter a network. Mummy Spider then hands off access to a group CrowdStrike calls “Wizard Spider,” which installs a second Trojan, Trickbot, that can move laterally across the compromised network and eventually trigger a download of a ransomware virus known as Ryuk. CrowdStrike has previously said that the Wizard Spider group operates out of Russia.


Ryuk ransomware has been used against at least 23 U.S. state and local government entities since it first appeared in late 2018, according to StateScoop’s Ransomware Attacks Map. In 2019, Ryuk attacks collected $400,000 from rural Jackson County, Georgia; nearly $600,000 from Riviera Beach, Florida; $490,000 from Lake City, Florida; $130,000 from LaPorte County, Indiana; and $100,000 from the public school district in Rockville Centre, New York.

CrowdStrike says in its report that some hackers are now also using tools that grant access to Active Directory, a Microsoft Windows service that manages network permissions and access. Using tools like BloodHound, an open-source JavaScript web application, an actor can map out a network to find vulnerabilities. But organizations like school systems or local governments can also use it to find their weak spots.

Beyond tools, hackers are improving their tactics against IT organizations by targeting managed service providers, Etheridge said, which has the effect of “supersizing the attack vector” by distributing ransomware to a wider set of victims. Attacks on third-party IT providers resulted in several incidents last year of multiple cities or school districts being infected simultaneously.


The increase in cyberattacks that come by way of a third-party provider, he added, means that officials who negotiate technology contracts need to apply more scrutiny to their prospective vendors.

“It starts during the contracting relationship with that service provider,” Etheridge said. “Are you asking the right question about the service provider, not just what they’re doing for you, but what they’re doing internally?”

As ever, though, internal behavior remains the most crucial thing for IT organizations to focus on if they’re going to reduce the chances they’re compromised. CrowdStrike’s report recommends the usual prescription of using aggressive endpoint detection and response tools and installing security patches. But above all, individual cyber hygiene is most important.

“Primarily, from a state, local and government perspective, it’s important to remember employees are the front line,” Etheridge said. “A large chunk of our initial threat comes from spearphishing emails. Employees need to be held accountable for their own practices.”

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
