The Rise of Ransomware Attacks Against City Government

Written by Mark Hillyard

It may be hard to believe, but the first case of ransomware was recorded 30 years ago. It was not exactly advanced. In fact, it managed to only move files to a hidden location on the hard drive and only encrypt the names of the files. A demand of $189 was the “ransom” to recover the files. Alas, the decryption algorithm could simply be extracted from the malware code, thus making it unnecessary to even pay to recover the system.

Fast forward to 2019, and there were, by some estimates, ransomware attacks totaling some $11 billion (yep, that’s a “b”) in costs to organizations. There aren’t a lot of companies today that don’t know what ransomware is, and most understand just how dangerous and damaging it can be. But for many small, municipal and county governments, the reality of that pain was undeniably acute this year. Over 100 state and municipal governments and agencies were attacked in 2019—22 cities in Texas in a single day in August. Ransomware is no longer a buzzword or tech jargon. It is a reality that has begun to cost cities and towns across the U.S. millions in time and resources. It’s not just small towns, either. Atlanta, Baltimore, and most recently, Pensacola, FL, have been hit. But it seems that smaller municipalities with limited resources, aging systems, and—until now—not much incentive to focus on information security, have become the meal ticket for attackers across the board. Now, on a federal level, certain agencies have to adhere to DoD 8570/8140 training requirements in an effort to ensure that qualified cyber security personnel are fighting today’s elaborate threats.

Background: What is Ransomware and How Does it Work?

First, it’s a good idea to understand exactly how ransomware works. It is, by definition, malware—malicious software—that has been deployed within an environment, oftentimes as the result of an employee mistakenly clicking on a link in an e-mail. This is known as “phishing,” and while it takes many forms, delivering a malicious software package is generally the would-be attacker’s goal. In the case of ransomware, the payload begins to encrypt the files on your hard drives (or network drives, if it is particularly nasty). Once it has run its course, it will inform the user(s) that the data has been encrypted, and that the only way to recover the system is by paying a sum of money.

Most ransoms are not outrageously large, though the amounts demanded are increasing on average. In Q1 2019, the average payout was $12,762 according to Coveware, a cyber security incident response firm. That number jumped to $36,295 in Q2. This 184% increase is largely attributed to the rise of a specific ransomware program called “Ryuk” that targets larger companies, thus increasing the ransom amount substantially. The practice flew under the radar for many years, primarily because the amounts demanded were relatively small and private companies are never keen on notifying the public that they have been compromised and their data either corrupted or stolen. That all changed, however, in 2017 when an especially prolific attack, known as “WannaCry,” was unleashed upon the world. This was known as a cryptoworm, which means it was able to replicate itself without user intervention (handy for attackers). Reportedly, over 200,000 systems were infected, and it cost organizations and individuals billions of dollars to eradicate and recover.

Large scale attacks against big cities have been sparse, but that makes a lot of sense, as larger governments tend to have the resources to better protect themselves. Still, the largest city hit in 2019, Baltimore, is spending a reported $18.2 million to recover from a ransomware attack that had demanded a paltry 13 Bitcoins (around $76,000 at the time). It’s no wonder that many cities and towns are simply transferring their risk of attack to insurance policies and paying the ransoms. Of course, this only encourages bad actors to continue the practice. And paying doesn’t always get those files back. In fact, by some estimates, up to 20% of those organizations that pay the ransom in full never get their files back.

Mitigation: How to Prevent Ransomware

So, how do governments with a tight budget and aging systems protect themselves from these attacks? There’s no one simple answer, but there are a lot of things that an organization can do to mitigate the risks.

Malware Awareness Training

The first, and always the most important, step is malware awareness training. Nearly half of all successful breaches, be they ransomware or some other type of attack, are the result of phishing and social engineering. That means that someone on the inside—an unsuspecting employee—clicks on an e-mail link that looks legitimate but instead loads malware onto the individual’s machine. There are plenty of humorous stories about Nigerian princes and unclaimed lottery winnings that swirl around the internet, social media, and coffee shops, but the reality is that most of the highly successful phishing e-mails look like real, work-related messages. I’ve seen plenty that are simply “spoofed” to appear as though they came from a high-ranking official inside the organization. And many people simply don’t question when the boss sends an e-mail stating something like, “Hey, go to [some fake link] and get me all the statistics regarding [some legitimate-sounding business idea].” *CLICK* and you’ve suddenly compromised your entire organization. It really is that simple. Consider that it is predicted that this sort of attack will happen every 11 seconds in 2020 (that’s ~2.86 million phishing attacks), and you can start to get an idea of how easy it is for attackers to get malicious software into an organization whose staff have not been trained. Train your staff to recognize the tell-tale signs of an illegitimate e-mail:

  • Check the “From” address. Often, you can simply hover over the sender’s e-mail address and see if it is, in fact, from that person; if you can’t verify the source, don’t click any links.

[Image: real example of a malicious e-mail sent to Beyond20 staff, masked as our CEO, Erika Flora]

  • Ensure that there are no glaring grammatical errors—many, if not most, phishing e-mails come from foreign countries, and they often contain very obvious misspellings or completely nonsensical phrases.
  • Require that people do not send unsolicited links within your organization—if everyone commits to never sending a link without being asked directly to do so, then any staff member can simply ignore e-mails with links in them.
  • Train everyone to hover their mouse over any link in an e-mail, whether the link was requested or not, to make sure that it is going somewhere legitimate.
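As an added illustration (not code from the original article), this Python script applies the first and last checks above mechanically to a constructed message modelled on the spoofed-CEO e-mail: it compares the sender's domain against an assumed organisation domain (city.example, a placeholder) and compares each link's visible text with its real target, which is exactly what hovering over the link reveals.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "city.example"  # assumed organisation domain (placeholder)

def in_org(host: str) -> bool:
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def check_sender(msg) -> list[str]:
    """'Check the From address': a familiar display name on an outside address is a red flag."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if in_org(domain):
        return []
    return [f"sender {name!r} uses outside address {addr!r}"]

def check_links(html: str) -> list[str]:
    """'Hover over the link': the visible URL text must match the real href target."""
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower()
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but points to {target!r}")
        elif not in_org(target):
            findings.append(f"link points to outside host {target!r}")
    return findings

def analyze(raw: bytes) -> list[str]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    return check_sender(msg) + check_links(body.get_content() if body else "")

# Constructed sample: the display name looks internal, the address and link target are not.
SPOOFED = b"""From: "Erika Flora" <erika.flora@webmail.example>
Subject: Quick favor
Content-Type: text/html; charset="utf-8"

<p>Hey, go to <a href="http://city-example.attacker.test/stats">https://portal.city.example/stats</a>
and get me all the statistics for the new project.</p>
"""

if __name__ == "__main__":
    print(analyze(SPOOFED) or ["no red flags"])
```

Running it on the sample reports both the outside sender address and the mismatched link; a message from an internal address whose links point where they claim produces no findings.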

These are all governance and policy solutions that can be extremely powerful in educating employees on the dangers of inbound e-mail. Even better, they are all relatively free to implement. Be advised: Such awareness should be reinforced frequently. Many organizations require annual, or even semi-annual, malware awareness training for all employees.

Access Control Policy

From there, you can work to mitigate other employee-instigated breaches by limiting access to external websites, restricting software downloads and installs, and shoring up privileged access to various internal resources. These are highly effective controls that can significantly reduce attack vectors for bad actors. Most employees will be less than thrilled that they cannot install that really cool looking bit of software on their workstation or laptop, but the reality is that so-called privileged access (the ability to install software and configure a system with elevated, or administrative, privileges) is the largest entry point for malware in any organization. This effort is a combination of administrative and technical controls:

  • Do not allow users to have local administrative control of their systems—this is annoying to most users, but without this control, a would-be attacker could crack a user’s password and gain full control over their workstation, installing any sort of malicious software the attacker desires.
    • On that note, require that users have complicated passwords; not just a bunch of random characters, which will just have your administrators resetting/unlocking accounts frequently. Have a look at “diceware” passphrases—these are incredibly powerful phrases that are nearly impossible to predict.
  • Ensure external access to your systems is limited, or even eliminated unless absolutely necessary. If you must allow users to access your network from the outside, install a VPN.
    • Speaking of VPNs, if your users have laptops (or mobile devices that use your internal network) that they can use on public wi-fi (eww!), invest in a solid VPN service subscription—unencrypted wireless connections in the wild are incredibly vulnerable.
  • If your organization has the resources, invest in a Privileged Access Management (PAM) system—this is a way to control who can access resources and when.
  • Invest in anti-virus software. It is worth it, and there are a lot of great tools available now that can not only discover, quarantine, and eradicate malware, but they also provide a great deal of data on what sorts of attacks your specific organization is facing.
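To show what the "nearly impossible to predict" claim about diceware rests on, here is an added Python example (not from the article) of the diceware mechanism: five dice rolls select one of 7776 words, and the passphrase's strength is simply the number of words times log2(7776). The word list here is a constructed placeholder; a real deployment loads a published diceware list instead.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a standard diceware list

def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '31415' to a 0-based list index (base-6 digits 1..6)."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index

def roll_dice() -> str:
    # secrets, not random: the generator must be unpredictable for the entropy math to hold
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def diceware_passphrase(wordlist: list[str], words: int = 6) -> str:
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a diceware list must have exactly 7776 entries")
    return " ".join(wordlist[roll_to_index(roll_dice())] for _ in range(words))

def entropy_bits(choices: int, symbols_per_choice: int) -> float:
    """Bits of entropy for `choices` independent uniform picks from `symbols_per_choice` options."""
    return choices * math.log2(symbols_per_choice)

# Constructed stand-in list (placeholder words); replace with a published diceware list.
PLACEHOLDER_WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]

if __name__ == "__main__":
    print(diceware_passphrase(PLACEHOLDER_WORDLIST))
    print(f"6 diceware words: {entropy_bits(6, LIST_SIZE):.1f} bits")
    print(f"8 random printable characters: {entropy_bits(8, 95):.1f} bits")
```

Six words from a 7776-entry list give about 77.5 bits, more than an 8-character password drawn uniformly from all 95 printable ASCII characters (about 52.6 bits), while remaining memorable.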

If you can effectively take these two steps: malware awareness training and access control policies, you will mitigate over 90% of all attack vectors for ransomware attacks.

Regular Software Patches and Updates

It’s hard. It’s irritating. It can be disruptive. And it requires resources to maintain. But vulnerable software makes up the remaining attack surface for ransomware. And the more out-of-date the software, the easier it is to breach. There is an entire sub-industry of career offensive cyber security experts who do nothing but hunt for bugs and vulnerabilities in commercial software. It is where the majority of emergency patches and software security updates originate. Bug bounty hunters are an important part of overall security for most major operating systems and software offerings. But that means there are plenty of bad actors doing the same: finding and exploiting so-called “zero-day” vulnerabilities—those bugs that have not yet been made public or reported to the software company. Keeping your software up to date is crucial in protecting your data.

Recovering from a Ransomware Attack

So, you’ve been breached. Whether or not you choose to pay the ransom (or have insurance to do so), there is a period of recovery after the fact. The average time to recover from a ransomware attack is 9.6 days. Most municipal governments are hard-pressed to get back up and running fast. The services they provide are often critical to the community—water, sewer, trash, police, fire, etc. When their systems go down, these services, and the community at large, suffer.

Disaster Recovery / Business Continuity Planning

When any type of breach occurs, be it ransomware or just a nasty virus, it is essential to have plans for how to not only recover from the attack, but how to keep the lights on (sometimes literally). Disaster recovery and business continuity planning needs to happen now. Not next quarter, not after things go off the rails. Now. If your organization doesn’t have a disaster recovery or business continuity plan in place, then your organization is facing an enormous uphill battle should something go wrong. Chances are you do have something in place today, just not something that deals specifically with cyber security attacks. Change that as soon as possible. A security breach can be just as devastating to your organization as a natural disaster.

Backup / Restore Services

This one may sound like a no-brainer, but backups are absolutely essential. And they should be kept offline as much as possible. A ransomware attack can only encrypt files it can access. If you have daily backups of your mission-critical data in an offline storage facility, you can recover most of it quickly and efficiently. Most of all, the money and time invested in this practice pays for itself many times over should you ever require it.

Conclusion

Though it may seem daunting, these controls, techniques, and practices can be invaluable to help protect your organization should attackers come beating your doors down. There are also a lot of resources available, especially for public sector agencies. The Department of Homeland Security has established a new agency, called CISA (not to be confused with the ISACA CISA certification), which is designed to help protect infrastructure. The agency provides plenty of documentation and resources to help smaller agencies and local governments protect themselves from cyber attacks. NIST also provides a lot of guidance in its special publications (primarily in the 800 Series) on securing critical systems and protecting infrastructure. Please don’t be the next ransomware headline. Still have questions? Get in contact with Beyond20 and we will be happy to help guide you to a better security posture.

Originally published January 01 2020, updated January 01 2020