Ransomware Attacks Ramp Up on State and Local Governments

Written by Joe Kozlowicz on Wednesday, August 28th 2019 — Categories: Security

Ransomware is a digital attack in which an executable or malicious link opened by an unsuspecting (and likely untrained) user installs a program that blocks access to applications, phone systems, and/or data until a ransom is paid. It’s been making the rounds for many years now. But only lately have hackers begun zeroing in on a specific vertical: state and local governments.

In 2019, over 22 governments have been affected by ransomware – and that number was prior to recent news breaking that an additional 22 small towns in Texas were all targeted in a single coordinated attack.

Over 200 state, county, or city government IT systems have been targeted in recent years. With thousands and thousands of cities and towns across America, that may seem like a drop in the bucket. But ransomware is becoming easier and easier to distribute, and users continue to fall victim, usually via phishing emails or web exploits that deliver malware without any user action beyond visiting an apparently innocuous site.


Why are governments becoming a preferred target for ransomware?

Governments are an attractive target because they often have lax information security standards and training, usually due to lack of funding and outdated IT systems and modes of operation. Departmental systems often work closely with other branches, so malware can easily spread. They also maintain crucial safety systems and public services that cannot afford downtime, adding urgency to restore operations as quickly as possible, no matter the price.

The dozens of attacks this year include high-profile cities like Baltimore as well as smaller sites like Lake City, Florida. Ransoms demanded range from 13 bitcoins, worth about $76,000 at the time of ransom, all the way up to $2.5 million for one of the towns in Texas.

The US Conference of Mayors agreed to a resolution to refuse to pay any ransoms. That may be wise. Paying the ransom is a relatively easy way to get your files back, and it can seem attractive if the ransom is fairly low. After all, an emergency IT resolution could run into the tens of thousands of dollars already, especially if outside service providers are required.

For example, Atlanta recently declined a $51,000 ransom. Their officials testified in front of Congress that the cleanup cost over $7 million. But paying up can encourage further attacks due to the success of prior ransoms. There’s also no guarantee the hacker won’t take your money and run.

There are often few options once ransomware has been installed. If you don’t take preemptive measures or maintain a backup or disaster recovery environment, you may have to either pay the price or else start your IT infrastructure over mostly from scratch, suffering major downtime along the way. When it comes to government services, that downtime can hit critical public resources for safety and services.

How can you improve your chances of avoiding or mitigating ransomware?

There are a few steps your IT department should take to try and avoid a ransomware infection in the first place, as well as some methods that could help mitigate the damage should one slip through.

One less common ransomware attack vector is through Remote Desktop Protocol. Closing RDP ports can help avoid this method. Another less common infection point is through removable media like USB keys. Users should be trained to never attach any removable storage that did not come from a trusted source – definitely NEVER any device left lying around that they do not recognize.
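To make "closing RDP ports" checkable, the added example below (not from the original article) reviews an exported firewall rule list and flags inbound allow rules that leave RDP reachable from outside internal ranges, including rules that cover it through a port range or an "any" entry. The CSV layout, column names and rule names are constructed for illustration; 3389 is RDP's default TCP port, and only RFC 1918 ranges are assumed to be internal.

```python
import csv
import io
import ipaddress

RDP_PORT = 3389  # default TCP port for Remote Desktop Protocol
# Assumption: only RFC 1918 ranges count as internal sources.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export; the column names are hypothetical.
SAMPLE_RULES = """name,direction,action,protocol,local_port,remote_address
Allow-HTTPS,in,allow,tcp,443,any
RDP-Open,in,allow,tcp,3389,any
RDP-Admin-VPN,in,allow,tcp,3389,10.8.0.0/24
Legacy-Range,in,allow,tcp,3000-4000,0.0.0.0/0
Block-RDP-Guest,in,block,tcp,3389,any
Any-Port-Vendor,in,allow,any,any,203.0.113.0/24
RDP-Outbound,out,allow,tcp,3389,any
"""

def covers_rdp(port_spec):
    """True if a port field such as 'any', '3389' or '3000-4000' includes 3389."""
    for part in port_spec.lower().split(","):
        low, _, high = part.strip().partition("-")
        if low in ("any", "*"):
            return True
        if low.isdigit() and (high or low).isdigit():
            if int(low) <= RDP_PORT <= int(high or low):
                return True
    return False

def is_external(remote):
    """True if the allowed source is not confined to an internal range (IPv4)."""
    if remote.strip().lower() in ("any", "*"):
        return True
    net = ipaddress.ip_network(remote.strip(), strict=False)
    return not any(net.subnet_of(i) for i in INTERNAL)

def exposed_rdp_rules(csv_text):
    """Names of inbound allow rules that open 3389/TCP to external sources."""
    findings = []
    for rule in csv.DictReader(io.StringIO(csv_text)):
        if (rule["direction"] == "in" and rule["action"] == "allow"
                and rule["protocol"].lower() in ("tcp", "any")
                and covers_rdp(rule["local_port"])
                and is_external(rule["remote_address"])):
            findings.append(rule["name"])
    return findings

print(exposed_rdp_rules(SAMPLE_RULES))
```

Each rule is judged in isolation, so rule ordering and block precedence are not modelled; treat the output as a list of rules to review.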

With user behavior comes phishing and social engineering training. This really needs to be hammered home, as annoying as users may find regular videos and quizzing. By far the most common way for ransomware to be installed is through clicking on or opening a malicious email. With careful parsing of incoming mail, well-designed Exchange rules, and regular training refreshes, phishing can be avoided.

When it comes to your IT systems themselves, be sure to install and maintain a leading antivirus and antimalware tool on all workstations and servers.

If all these efforts fail and your infrastructure still ends up locked down by ransomware, a well-designed backup or disaster recovery plan can roll your systems back to an acceptable point in time where you do not lose too much. This can often be preferable to an expensive ransom or cleanup, though some costs may still be incurred to spin up the backup.

Finally, cyber-insurance can help manage costs if you have no other options, even if your decision is to pay the ransom. Some cities have cut their out-of-pocket down to 10 or 20% or less of the total cost. Of course, your monthly premium is another factor, but cyber-insurance is becoming more and more of a necessity in the modern cyberworld.