{
	"id": "14628266-7cd6-4468-9dbc-4d27ca276200",
	"created_at": "2026-04-06T00:22:14.420551Z",
	"updated_at": "2026-04-10T03:28:35.431701Z",
	"deleted_at": null,
	"sha1_hash": "cc62081da804a5a9d6e23071f7e3a385ef8b771a",
	"title": "Story of the year 2019: Cities under ransomware siege",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 409857,
	"plain_text": "Story of the year 2019: Cities under ransomware siege\r\nBy Kaspersky\r\nPublished: 2019-12-11 · Archived: 2026-04-05 23:14:52 UTC\r\nRansomware has been targeting the private sector for years now.\r\nOverall awareness of the need for security measures is growing, and cybercriminals are increasing the precision of\r\ntheir targeting to locate victims with security breaches in their defense systems. Looking back at the past three\r\nyears, the share of users targeted with ransomware in the overall number of malware detections has risen\r\nfrom 2.8% to 3.5%. While this might seem like a modest amount, ransomware is capable of causing extensive\r\ndamage in the affected systems and networks, which means this threat should never be overlooked. The proportion\r\nof ransomware targets among all users attacked with malware has been fluctuating, yet appears to be decreasing,\r\nwith the figure for H1 2019 showing 2.94% compared to 3.53% two years ago.\r\nShare of users attacked with ransomware from all users attacked with malware (download)\r\nThe overall number of users attacked annually has changed. Kaspersky experts usually observe from around\r\n900,000 to almost 1.2 million users targeted by ransomware every six months.\r\nhttps://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/\r\nPage 1 of 13\n\nNumber of users attacked with ransomware, H1 2017-H1 2019 (download)\r\nDespite there being many extremely sophisticated cryptor samples, the mechanism behind how they operate is\r\npainstakingly simple: they turn the files on victims’ computers into encrypted data and demand a ransom for the\r\ndecryption keys. These keys are created by threat actors to decipher the files and transform them back into the\r\noriginal data. Without a key, it is impossible to operate the infected device. 
The malware may be distributed by the\r\ncreators of the threat, sold to other actors or to the creators’ partner networks – ‘outsourced’ distributors that share\r\nthe profit from successful ransomware attacks with the technology holders.\r\n2019 has seen this plague actively shifting towards a new target – municipalities. Arguably, the most prominent\r\nand widely discussed incident was that in Baltimore, which suffered from a large-scale ransomware campaign that\r\nknocked out a number of city services and required tens of millions of dollars to restore the city’s IT networks.\r\nBased on publicly available statistics and announcements monitored by Kaspersky experts, 2019 has seen at least\r\n174 municipal organizations targeted by ransomware. This is an approximately 60% increase from the number of\r\ncities and towns that reported falling victim to attacks a year earlier. Whereas not everyone has confirmed the\r\namount of extorted funds and whether a ransom was paid or not, the average demand for ransom ranged from\r\n$5,000 to $5,000,000, and on average was equal to around $1,032,460. The numbers, however, varied greatly, as\r\nthe funds extorted from small town school districts, for example, were sometimes 20 times smaller than those\r\nextorted from city halls in big municipalities.\r\nHowever, the actual damage caused by attacks, according to estimates by independent analysts, often differs from\r\nthe sum that the criminals request. First of all, some municipal institutions and vendors are insured against cyber-incidents, which compensates the costs one way or another. Secondly, the attacks can often be neutralized by\r\ntimely incident response. 
Last but not least, not all cities pay the ransom: in the Baltimore encryption case,\r\nwhere officials refused to pay the ransom, the city ended up spending $18 million to restore its IT infrastructure.\r\nWhile this sum might seem far more than the initial $114,000 requested by the criminals, paying the ransom is a\r\nshort-term solution that encourages threat actors to continue their malicious practices. You need to keep in mind\r\nthat once a city’s IT infrastructure has been compromised, it requires an audit and a thorough incident\r\ninvestigation to prevent similar incidents from occurring again, plus the additional cost of implementing robust\r\nsecurity solutions.\r\nAttack scenarios vary. For instance, an attack may be the result of unprotected remote access. In general, however,\r\nthere are two entry points through which a municipality can be attacked: social engineering and a breach in unpatched software. A vivid illustration of the latter problem has been observed quarterly by Kaspersky experts: the\r\nall-time leader of almost all rankings of ransomware most frequently blocked on user devices is WannaCry. Even\r\nthough Microsoft released a patch for its Windows operating system that closed the relevant vulnerability months\r\nbefore the attacks started, WannaCry still affected hundreds of thousands of devices around the globe. And what’s\r\nmore striking is the fact that it still lives and prospers. The latest statistics gathered by Kaspersky in Q3 2019\r\ndemonstrated that two and a half years after the WannaCry epidemic ended, a fifth of all users targeted by cryptors\r\nwere attacked by WannaCry. 
What’s more, the statistics from 2017 to mid-2019 show that WannaCry is\r\nconsistently one of the most popular malware samples, accounting for 27% of all users attacked by ransomware in\r\nthat time period.\r\nAn alternative scenario involves criminals exploiting human factors: this is arguably the most underestimated\r\nattack vector, as training of employees in security hygiene is nowhere near as universal as it should be. Many\r\nindustries lose a tremendous amount of money due to employee errors (in some industries this is the case for half\r\nof all incidents), and phishing and spam messages containing installers for dangerous malware are still circulating\r\naround the web and reaching victims. Sometimes those victims may be managing the company’s accounts and\r\nfinances and not even suspect that opening a scammer email and downloading what appears to be a PDF file on\r\ntheir computers can result in a network being compromised.\r\nAmong the many types of municipal organizations attacked throughout 2019, some attracted more attacks than\r\nothers.\r\nThe most targeted entities were undoubtedly educational organisations, such as school districts, accounting for\r\napproximately 61% of all attacks: 2019 saw operations against more than 105 school districts, with a whopping\r\n530 schools targeted. This sector has been hit hard, yet demonstrated resilience: while some colleges had to\r\ncancel classes, many educational institutions adopted a position of continuing studies despite a lack of technical\r\nsupport, claiming that computers have only recently become part of the educational process, and that staff are\r\nperfectly capable of teaching pupils without them.\r\nCity halls and municipal centers, meanwhile, accounted for around 29% of cases. Threat actors are often aiming\r\nat the heart of processes that, if stopped, will result in an extremely problematic interruption of vital processes for\r\nthe vast majority of citizens and local organizations. 
Unfortunately, such institutions are still often equipped with\r\nweak infrastructure and unreliable security solutions, as the workflow (especially in small, quiet towns or villages\r\nwithout advanced infrastructure) does not require high computing capacities. As a consequence, the locals often\r\ndon’t bother updating old computers because they appear to still be functioning well. This might be related to a\r\ncommon mistake, whereby security updates are associated with design changes or technical developments\r\nintroduced in the software, while their most vital function is in fact closing breaches found by white- or black-hat\r\nhackers and security researchers.\r\nAnother popular target was hospitals, accounting for 7% of all attacks. While some black-hat hackers and\r\ncybercriminal groups claim to have a code of conduct, in most cases attackers are motivated purely by the\r\nprospect of financial gain and go for vital services that cannot tolerate long periods of disruption, such as medical\r\ncenters.\r\nFurthermore, around 2% of all institutions subjected to an attack were municipal utility services or their\r\nsubcontractors. The reason for this might be that such service providers are often used as an entry point to a whole\r\nnetwork of devices and organizations, as they are responsible for communications in terms of billing for multiple\r\nlocations and households. In the scenario where threat actors successfully attack the service provider, they might\r\nalso compromise every locality that particular vendor or institution services. 
In addition, the disruption of utility\r\nservices may result in disruption to vital regular operations, such as providing online payment services for\r\nresidents of the town or city to pay their monthly bills – this adds to the pressure the victims experience and\r\npushes them towards a short-term, yet seemingly effective solution – paying the ransom.\r\nLet’s take a closer look at the malware that has been actively used in attacks on municipalities.\r\nThe besiegers\r\nRyuk\r\nWhile not all organizations disclose technical details about the ransomware that hits them, Ryuk ransomware\r\n(Detection name: Trojan-Ransom.Win32.Hermez) has been cited as a reason for incidents in municipalities\r\nnoticeably often. It is notorious for attacking large organizations and governmental and municipal\r\nnetworks. This malware first appeared in the second half of 2018 and has been mutating and actively propagating\r\nthroughout 2019.\r\nGeography\r\nTOP 10 countries\r\nCountries %*\r\n1 Germany 8.60\r\n2 China 7.99\r\n3 Algeria 6.76\r\n4 India 5.84\r\n5 Russian Federation 5.22\r\n6 Iran 5.07\r\n7 United States 4.15\r\n8 Kazakhstan 3.38\r\n9 United Arab Emirates 3.23\r\n10 Brazil 3.07\r\n*Percentage of users attacked in each country by Ryuk, relative to all users attacked worldwide by this malware\r\nRyuk has been seen all over the world, although some countries have been affected more than others. According to\r\nKaspersky Security Network statistics, in 8.6% of cases it attempted to attack German-based targets, followed by\r\nChina (8%) and Algeria (6.8%).\r\nDistribution\r\nThe threat actors behind Ryuk employ a multi-stage scheme to deliver this ransomware to their victims.\r\nThe initial stage involves infecting a large number of machines by the Emotet bot (Detection name: Trojan-Banker.Win32.Emotet). 
Typically this is achieved by sending out spam emails containing a document with a\r\nmalicious macro that will download the bot if the victim allows the execution of macros.\r\nSpam message with a malicious document attached\r\nThe malicious document\r\nAt the second stage of the infection, Emotet will receive a command from its servers to download and install\r\nanother piece of malware – Trickbot (verdict: Trojan.Win32.Trickster) – into the compromised system. This piece\r\nof malware will allow the threat actors to carry out reconnaissance in the compromised network.\r\nIf the criminals find they have infiltrated a high-profile victim, for example, a large municipal network, or a\r\ncorporation, they will likely continue to the third stage of the infection and deploy Ryuk ransomware to numerous\r\nnodes in the affected network.\r\nBrief technical description\r\nRyuk has been evolving since its creation and there is a certain variation between the numerous samples existing\r\nITW. Some of them are built as 32-bit binaries, others are 64-bit; some variants contain a hardcoded list of\r\nprocesses that will be targeted for code injections, other variants allowlist several processes and will try to inject\r\nall others; the encryption scheme also sometimes differs from one sample to another.\r\nWe will describe one of the recent modifications discovered in late October 2019 (MD5:\r\nfe8f2f9ad6789c6dba3d1aa2d3a8e404).\r\nFile encryption\r\nThis modification of Ryuk uses a hybrid encryption scheme employing the AES algorithm to encrypt the content\r\nof the victim’s files, and the RSA algorithm to encrypt the AES keys. 
Ryuk uses the standard implementation of\r\ncryptographic routines provided by Microsoft CryptoAPI.\r\nThe Trojan sample contains the threat actor’s embedded 2048-bit RSA key. The private counterpart is not exposed\r\nand may be used by the criminals for decryption if the ransom is paid. For each victim file Ryuk will generate a\r\nnew unique 256-bit AES key that will be used to encrypt the file content. The AES keys are encrypted by RSA and\r\nsaved at the end of the encrypted file.\r\nRyuk encrypts both local drives and network shares. Encrypted files will get an additional extension (.RYK), and a\r\nransom note containing the email of the criminals will be saved nearby.\r\nRansom note\r\nAdditional functionality\r\nTo cause more damage in the network, this Ryuk variant uses a trick that we haven’t observed in other\r\nransomware families before; the Trojan attempts to wake other machines that are in a sleeping state but have been\r\nconfigured to use Wake-on-LAN.\r\nRyuk does this in order to maximize the attack surface: the files located on network shares hosted on sleeping PCs\r\nare unavailable for access, but if the Trojan manages to wake them, it will be able to encrypt those files as well. 
To\r\nachieve this, Ryuk retrieves the MAC addresses of the nearby machines from the local ARP cache of the infected\r\nsystem and sends broadcast UDP packets starting with the magic value {0xff, 0xff, 0xff, 0xff, 0xff, 0xff} to port 7\r\nwhich will wake up the targeted computers.\r\nFragment of the procedure implementing Wake-on-LAN packet broadcast\r\nOther features of the Ryuk algorithm that are more conventional for ransomware families include: code injection\r\ninto legitimate processes in order to avoid detection; attempting to terminate processes related to business\r\napplications to make the files used by these programs available for modification; attempting to stop various\r\nservices related both to business applications and to security solutions.\r\n\r\nPurga\r\nThis ransomware family appeared in the middle of 2016 and is still being actively developed and distributed\r\naround the world. It has been recorded targeting municipalities. One of the features of this malware is that it\r\nattacks regular users as well as large corporations and even governmental organizations. Our products detect this\r\nmalware as Trojan-Ransom.Win32.Purga. The Trojan family is also known as Globe, Amnesia or Scarab\r\nransomware.\r\nGeography\r\nTOP 10 countries\r\nCountries %*\r\n1 Russian Federation 85.59\r\n2 Belarus 1.37\r\n3 Turkey 0.85\r\n4 India 0.80\r\n5 Kazakhstan 0.74\r\n6 Germany 0.62\r\n7 Ukraine 0.54\r\n8 China 0.46\r\n9 Algeria 0.40\r\n10 United Arab Emirates 0.40\r\n*Percentage of users attacked in each country by Purga, relative to all users attacked worldwide by this malware\r\nDistribution\r\nThroughout this family’s existence, the criminals behind it have used various types of infection vectors. 
The main\r\nattack vectors are spam campaigns and RDP brute-force attacks.\r\nAccording to our information, this is currently the most common attack scenario:\r\n1. The criminals scan the network to find an open RDP port\r\n2. They try to brute-force credentials to log in to the targeted machine\r\n3. After a successful login, the criminals try to elevate privileges using various exploits\r\n4. The criminals launch the ransomware\r\nBrief technical description\r\nPurga ransomware is an example of very intensively developed ransomware. Over the last couple of years, the\r\ncriminals have changed several encryption algorithms, key generation functions, cryptographic schemes and\r\nso on.\r\nHere we will briefly describe the latest modification.\r\nNaming scheme:\r\nEach modification of Purga uses a different extension for each file and a different email address to contact.\r\nDespite using various extensions for the encrypted files, the Trojan uses only two naming schemes, which depend\r\non its configuration:\r\n1. [original file name].[original extension].[new extension]\r\n2. [encrypted file name].[new extension]\r\nFile encryption\r\nDuring encryption the Trojan uses a standard scheme that combines symmetric and asymmetric algorithms. Each\r\nfile is encrypted using a randomly generated symmetric key, then this symmetric key is encrypted with an\r\nasymmetric key and the result is stored in the file, in a specifically built structure.\r\n\r\nStop\r\nThe notorious Stop ransomware (also known as Djvu STOP) was first encountered at the end of 2018. Our\r\ndetection name for this family is Trojan-Ransom.Win32.Stop and, according to our statistics, in 2019 alone the\r\nvarious modifications of Stop ransomware attacked more than 20,000 victims around the world. 
Unsurprisingly,\r\naccording to our KSN report for the third quarter of 2019, Stop ransomware finished seventh among the most\r\ncommon ransomware.\r\nGeography\r\nTOP 10 countries\r\nCountries %*\r\n1 Vietnam 10.28\r\n2 India 10.10\r\n3 Brazil 7.90\r\n4 Algeria 5.31\r\n5 Egypt 4.89\r\n6 Indonesia 4.59\r\n7 Turkey 4.30\r\n8 Morocco 2.42\r\n9 Bangladesh 2.25\r\n10 Mexico 2.09\r\n*Percentage of unique users attacked in each country by Stop, relative to all users attacked worldwide by this\r\nmalware\r\nDistribution\r\nThe authors chose to distribute their malware primarily through software installers. When users try to download\r\nspecific software from an untrusted site or try to use software cracks, instead of the desired result their machines\r\nbecome infected by the ransomware.\r\nBrief technical description\r\nFor file encryption, Stop ransomware uses a randomly generated Salsa20 key, which is then encrypted by a public\r\nRSA key.\r\nFragment of code from the file encryption routine\r\nDepending on the availability of the C\u0026C server, Stop ransomware uses either an online or offline RSA key. The\r\noffline public RSA key can be found in the configuration of each malicious sample.\r\nDumped fragment of the malware\r\nConclusion and recommendations\r\n2019 has been a year of ransomware attacks on municipalities, and this trend is likely to continue in 2020. There\r\nare various reasons why the number of attacks on municipalities is increasing.\r\nFirst of all, the cybersecurity budgeting of municipalities is often more focused on insurance and emergency\r\nresponse than on proactive defense measures. 
This results in cases where the only possible solution is to pay the\r\ncriminals and facilitate their activities.\r\nSecondly, municipal services often have numerous networks that include multiple organizations, so hitting them\r\ncauses disruption on many levels at the same time, bringing processes across entire districts to a halt.\r\nWhat’s more, the data stored in municipal networks is often vital for the functioning of everyday processes, as it\r\ndirectly concerns the welfare of citizens and local organizations. By striking such targets, cybercriminals are\r\nhitting a sensitive spot.\r\nHowever, simple preventive measures can help combat the epidemic:\r\nIt is essential to install all security updates as soon as they appear. Most cyberattacks exploit vulnerabilities\r\nthat have already been reported and addressed, so installing the latest security updates lowers the chances\r\nof an attack.\r\nProtect remote access to corporate networks by VPN and use secure passwords for domain accounts.\r\nAlways update your operating system to eliminate recent vulnerabilities and use a robust security solution\r\nwith updated databases.\r\nAlways have fresh back-up copies of your files so you can replace them in case they are lost (e.g. due to\r\nmalware or a broken device) and store them not only on a physical medium but also in the cloud for greater\r\nreliability.\r\nRemember that ransomware is a criminal offence. You shouldn’t pay a ransom. If you become a victim,\r\nreport it to your local law enforcement agency. Try to find a decryptor on the internet first – some of them\r\nare available for free here: https://noransom.kaspersky.com\r\nEducating employees about cybersecurity hygiene is necessary to prevent attacks from happening in the\r\nfirst place. 
Kaspersky Interactive Protection Simulation Games offer a special scenario that focuses on\r\nthreats relevant to local public administration.\r\nUse a security solution for organizations in order to protect business data from ransomware. Kaspersky\r\nEndpoint Security for Business has behavior detection, anomaly control and exploit prevention capabilities\r\nthat detect known and unknown threats and prevent malicious activity. A preferred third-party security\r\nsolution can also be enhanced with the free Kaspersky Anti-Ransomware Tool.\r\nSource: https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/"
	],
	"report_names": [
		"95456"
	],
	"threat_actors": [
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434934,
	"ts_updated_at": 1775791715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc62081da804a5a9d6e23071f7e3a385ef8b771a.pdf",
		"text": "https://archive.orkl.eu/cc62081da804a5a9d6e23071f7e3a385ef8b771a.txt",
		"img": "https://archive.orkl.eu/cc62081da804a5a9d6e23071f7e3a385ef8b771a.jpg"
	}
}