'It's A Lot More Attractive To Target A City': An Expert Explains Tulsa Ransomware Attack

May 10, 2021

The City of Tulsa is dealing with a ransomware attack that happened over the weekend. Some systems have been taken offline.

The city's comments have been limited, but we spoke to Tyler Moore, Tandy Professor of Cyber Security at Tulsa University, for some background. Listen or read on to learn how ransomware works, and why these attacks have been getting worse across the country.

Tyler Moore: So the way ransomware works is a cyber criminal infects a computer with malicious software. Then they lock all of the data so that it's completely unreadable. The only way to get the data back is to pay the criminal a ransom, usually in Bitcoin. So that's at its core how the attack works.

Ransomware has actually been around for many years. At first they just targeted people randomly, they'd lock computers. But what they found is it's a lot more attractive financially to target a city or a company with ransomware as opposed to just a random person on the internet.

Elizabeth Caldwell: Yeah. Does this work? I mean, do they get their money?

TM: Oh, it absolutely works. If it didn't work, they wouldn't be doing it, right?

The way cyber criminals operate is they're not particularly creative. They find a formula that works and they stick with it. So ransomware started around a decade ago, and we've seen more and more of it. It continues to happen because it continues to work.

The problem is that people operate computer networks that are not fully secure. And what happens is the attackers will scan many computer networks across thousands and thousands of companies. They eventually find some that are vulnerable. What's interesting is they often don't even attack every one that they find is vulnerable. Instead they get in, look around, and figure out if this is likely a target that would be willing to pay.

When they hit a target like that, like a municipal government or a pipeline operator, then they know that's where they want to focus their efforts to make the attack work the most.

EC: Right. Because these are systems that can't afford to be offline for very long. So they'll just pay.

TM: Exactly. Yeah. So, I mean, there's a few reasons why we're seeing the types of victims we're seeing. 

At first we saw a lot of ransomware targeting hospitals because that's another area in which attacks really matter. People need to be able to have these critical services. We've instead seen a shift more recently to cities because they have services that need to be available, but also they're running older IT infrastructure and it often has greater vulnerabilities. And the third piece of the recipe is because most cities have insurance policies that will help pay the ransom and the overall cost of the ransomware incident.

EC: Man, that's wild. I guess I always just thought, 'That'll never work, you're going to get caught.' Do they get caught?

TM: Well, that's the thing. The thing about cybercrime is that the attacker doesn't have to be in the same place, right? They can be across the world. And if you're in a different country, actually tracking down that criminal and arresting them can be very expensive and hard to do.

In many cases these criminal actors can operate with impunity effectively because there's no likelihood they're going to be arrested. Occasionally we do see gangs get arrested, but it's pretty rare and they can often operate for years before they get tracked down.

EC: Right. And so is that why they want Bitcoin, because that's harder to track as well?

TM: Exactly. So one reason why ransomware has proliferated so much is because Bitcoin is now a way to monetize the payments. Before you had cryptocurrencies, it was much harder to extort someone for ransom over the internet. You couldn't just take their credit card information or if you did that could always be reversed. The thing about Bitcoin is that every transaction is irreversible. And so once you've paid it, there's no way to get it back. It's also much harder to track back to an identity than, say, a bank transfer.

EC: Uh, sorry, I don't know that much about Bitcoin, but what can you actually buy with Bitcoin now? What are they doing with that? Those funds?

TM: So Bitcoin has been around since 2009. It was created with this vision of an alternative money supply, and people would buy and sell things instead of paying with dollars. But in practice, how is Bitcoin really used today? It's used to speculate on the financial value of it. So people buy Bitcoin thinking the price will go up. Secondly, it's used by cybercriminals to do things like extort people with ransomware. People aren't actually using Bitcoin to buy and sell goods. There are a few places where you can do it, but that's the vast minority of what people are actually doing with these currencies.

EC: So should Bitcoin exist? What's the upside?

One Bitcoin equals $56,736.50

TM: Well, that's a good question, right? So there is some potential for cryptocurrencies. We pay every time we swipe our credit card. We pay a couple of percent to the credit card networks and banks, which is not great. 

I think cryptocurrencies could introduce competition for lower fees. I think that's all very positive. I think a lot of the reality has been a little less good, because what we've seen instead is that the system gets abused by criminals.

It's an entirely unregulated market and people are putting lots of money in there. Right now they're seeing the price go up, but when the price goes down we're going to see a lot of bad things happen.

EC: Right...

TM: That's probably a whole different interview.

EC: That's amazing. So...and there's all these new ones now, like the dog coin?

TM: Dogecoin. Yes. Yeah. Dogecoin actually has been around for many years. It sort of was created as a joke. And then the price would go up periodically because people on the Internet would decide, 'Hey, we're going to buy Dogecoin,' and the price would go up. Then the fad passes and it goes down again.

In some of the research I've done in my group, we've actually looked at thousands of cryptocurrencies - because there are thousands of them - and there are groups that will pump and dump these coins in order to drive up prices. They're very brazen about it. You join the right Telegram or Discord group and you can see them coordinating, trying to bid up prices. So I mean the whole marketplace for cryptocurrencies is such an unregulated morass right now. I would not encourage anyone to put in any money they don't want to lose.

EC: Okay. So back to the city. So the way that they could have prevented this is to have a better IT infrastructure, but maybe that's...

TM: Well, I think you can't prevent all cyber attacks, right? You just have to try to manage it as you would any other risk that a city is going to face. And so, the way to deal with ransomware is yes, to invest in the cyber security of your IT infrastructure.

There are certain things you can do to make yourself less likely to be hit by ransomware. You can invest in solid backups. You can ensure that the software that you're running is up to date, which as a consumer, it's maybe a little easier. We just click the button on our phone or we'll update our operating system. You know, the IT systems in a city or a company are more complicated than that, so they have to have a process that will manage the updates and apply them appropriately. And that's hard to get right. It takes effort and investment.

One thing that's positive potentially that we're seeing with what appears to be the city's ransomware incident, and also the pipeline incident, is that the systems have been taken offline. They're saying it's been done as a precaution. So previously when cities are hit with ransomware, often it infects all of their computer systems and things go offline for weeks or even months.

What appears to have happened here is the attackers got a foothold somewhere in the network, impacted some part of their systems, it was detected, and then other systems were shut down as a precaution to try to prevent the spread to those systems. It's causing us some near-term pain now because we can't access those systems, but hopefully they'll get control over the infection, eradicate it, and then bring the systems back online, and the damage will have been somewhat limited.

EC: Okay. So by eradicate it, do you mean pay?

TM: That's a good question. So if you want to get the data back then paying is the only way to do it. Now it's an open question whether or not you should pay. It kind of depends upon the value of the data that has been encrypted. If you have good backup systems then you don't need to pay, right? You could just take the systems offline, determine how the attacker got in. You can update your software, do whatever you need to then bring your systems back up online and don't pay.

It's in the cases where attackers really get in and have compromised many systems that the cost benefit shifts to thinking about maybe paying the ransom. But the real challenge, I think, is that even when it makes sense for a single city or a single organization to pay the ransom, we know that overall it's bad for society because that just encourages the criminals to target the next city.

We've seen the prices that ransomware is charging rise. It used to be just a few thousand dollars just five or six years ago. The last statistic I saw was for 2020: $300,000 was the average ransom paid. We're seeing this skyrocketing because the victims are paying. And so they can keep asking for more. There are insurance policies that are helping to defray the costs. We just see this escalation that ultimately is bad for society because the attackers are going to keep doing it until we stop paying.

EC: Right. So we stop that by having better backups...

TM: So one thing you can do is limit the scope of the pain of experiencing ransomware. Fundamentally it's a coordination problem, right? We need either norms or laws in place that are going to actually either prohibit the paying of ransom or actively discourage the paying of ransom. If you can make it to where it's far less likely that you're going to pay the ransom, then suddenly the people who are cyber criminals are going to find something else to do with their time.

As long as we're paying it's like shooting fish in a barrel. They're going to keep doing it until it doesn't work anymore.

EC: Okay. And just to clarify, so they're not particularly interested in personal information, they just want the money from the city?

TM: So ransomware typically is profit motivated. They've found a way to make money. Now, historically, ransomware would just encrypt data and then not decrypt it again unless you pay the ransom. But what we have seen over the past year or two are these gangs who will sometimes threaten to disclose personal information, right? So maybe they've obtained personal information and encrypted it, and then they will threaten to disclose it to the world unless the ransom is paid.

We have no details in this case, what they're saying to the city of Tulsa at this point. Essentially any way in which they can make it more likely that you'll want to pay, they'll do it.

EC: Right. Okay. I think that's good. Do you have anything else to add?

TM: Let's see. I think, yeah, I think we have way more than enough to cover it.