Ransomware is on the rise again, and 2019 saw a spike in attacks targeting public sector and municipal entities. Phil Muncaster finds out more.
There has been something of a renaissance in ransomware attacks over the past year. Global detections soared by 74% from H1 2018 to H1 2019, according to Bitdefender. Yet, although the high-water mark for infections was undoubtedly 2017, thanks to WannaCry and NotPetya, attacks never really went away. Although some hackers started to dabble with cryptojacking as an alternative way to make money, the ransomware business model has proven remarkably resilient.
While stand-out attacks on the likes of Norsk Hydro and Demant have cost the firms over $120m in combined losses so far, it was arguably the US public sector that was hardest hit in 2019. The question is, can local municipalities recover, and what lies in store for 2020?
Cities Under Attack
There is no doubt that attacks are on the rise. Recorded Future’s senior solutions architect, Allan Liska, was able to find evidence of 46 ransomware attacks on state and local governments in 2016, dropping to 38 the following year and bouncing back to 53 in 2018. However, in the first nine months of 2019 alone, 68 state, county and municipal entities had been impacted, according to Emsisoft.
These included the city of Baltimore, which refused to pay a ransom, a decision that has cost it over $18m (thus far). On the other hand, many local governments, including Florida’s Riviera Beach ($600,000) and Lake City ($460,000), did decide to pay up. That’s despite a resolution passed at the United States Conference of Mayors (USCM) in July not to cooperate with online extortionists.
Reports described the Baltimore attack as one of the most severe ever experienced in the US, “affecting nearly every important aspect of city life.” However, even in less severe incidents, local civil servants have often been forced back to using pen and paper, as email systems are taken offline, billing and payroll systems suffer outages, the criminal justice system grinds to a halt, and in some cases even emergency services are impacted.
Attacks have also had an impact on local schools. In the first nine months of 2019 there were an estimated 62 incidents involving school districts and other educational institutions, potentially impacting operations at over 1,050 schools, colleges and universities, according to Emsisoft. In the case of the Moses Lake School District, which covers 16 schools, the district decided to restore data from three- to four-month-old backup copies rather than pay the $1m ransom. Crowder College reported a massive $1.6m demand, whilst Monroe College in New York was hit with a $2m ransom note in July.
For schools, as for local government offices, the rationale is the same: hackers know these organizations may be less well protected than many private sector firms, but run critical public services that may force them to pay up or risk chaos.
A Growing Attack Surface
“The greatest challenges they face are their use of legacy operating systems and the vast ecosystems of entities whom they support and therefore must implicitly trust,” says Tom Kellermann, cybersecurity strategist at VMware Carbon Black and former presidential commission appointee. “This exacerbates their attack surface, making it easier than ever for sophisticated hackers to enter and steal valuable information and data.”
Often, attacks have involved hackers using island hopping techniques to compromise municipalities via the MSPs and ISPs that provide them with services, he adds. For example, in August, 23 local government entities in Texas were affected after an attack on their MSP.
“This exploitation of the information supply chain has become commonplace,” Kellermann tells Infosecurity.
Kevin Lancaster, general manager of security solutions at Kaseya, also believes increased media coverage may have piqued the interest of cyber-criminals.
“Even though data shows that governments often do not pay the ransom, there could be a false perception among malicious attackers that they do, due to the extensive media coverage of these kinds of attacks,” he tells Infosecurity. “The resulting media coverage may also play into the ego of the attackers.”
This certainly appears to be the case, judging by the ever-increasing ransom demands made of local government and school organizations this year. It may also be that hackers are encouraged to launch copycat attacks when they read that a municipality has agreed to pay up because it was insured.
Time to Fight Back
On the plus side, most of the attacks we’ve seen over the past year in the US appear to have used similar tactics, techniques and procedures (TTPs). These mainly revolve around social engineering in the form of malware-laden phishing emails, or targeting of Remote Desktop Protocol (RDP) endpoints, specifically through brute force and credential stuffing attacks.
According to Scott Styles, data orchestration and resiliency lead at Raytheon Intelligence, Information and Services, this means that a few common best practices – like AV, up-to-date patches, optimal configuration management, and back-ups – can have a big impact.
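The RDP brute-force and credential-stuffing activity described above leaves a clear trace in failed-logon telemetry. The following is an added example, not code from the article or from any of the vendors quoted in it: it runs over constructed records modelled on the fields of Windows Security event 4625 (failed logon; logon type 10 is RemoteInteractive, i.e. RDP), and the five-minute window, five-failure threshold and the "many users means stuffing" heuristic are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows event 4625 fields
# (timestamp, logon type, target user, source address); not real telemetry.
SAMPLE_EVENTS = [
    ("2019-09-01T02:00:01", 10, "administrator", "203.0.113.10"),
    ("2019-09-01T02:00:15", 10, "administrator", "203.0.113.10"),
    ("2019-09-01T02:00:30", 10, "administrator", "203.0.113.10"),
    ("2019-09-01T02:01:00", 10, "administrator", "203.0.113.10"),
    ("2019-09-01T02:01:30", 10, "administrator", "203.0.113.10"),
    ("2019-09-01T02:02:00", 10, "administrator", "203.0.113.10"),
    ("2019-09-01T02:02:05", 3, "administrator", "203.0.113.10"),  # network logon, not RDP
    ("2019-09-01T03:10:00", 10, "alice", "198.51.100.7"),
    ("2019-09-01T03:10:20", 10, "bob", "198.51.100.7"),
    ("2019-09-01T03:10:40", 10, "carol", "198.51.100.7"),
    ("2019-09-01T03:11:00", 10, "dave", "198.51.100.7"),
    ("2019-09-01T03:11:40", 10, "erin", "198.51.100.7"),
    ("2019-09-01T04:00:00", 10, "jsmith", "10.0.0.25"),  # ordinary mistyped password
    ("2019-09-01T04:10:00", 10, "jsmith", "10.0.0.25"),
]

RDP_LOGON_TYPE = 10            # RemoteInteractive (RDP) in event 4625
WINDOW = timedelta(minutes=5)  # assumed detection window
FAIL_THRESHOLD = 5             # assumed alert threshold

def detect_rdp_attacks(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Group failed RDP logons by source and slide a time window over each
    source's sorted failures; a source whose peak count in any window reaches
    the threshold is flagged. Many distinct target users from one source is
    labelled credential stuffing, a single user password brute force (heuristic)."""
    by_src = defaultdict(list)
    for ts, logon_type, user, src in events:
        if logon_type == RDP_LOGON_TYPE:
            by_src[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures that fell out of the window
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, {}).get("failures", 0):
                users = {u for _, u in fails[start:end + 1]}
                alerts[src] = {"failures": count, "users": len(users),
                               "pattern": "credential stuffing" if len(users) > 1
                               else "password brute force"}
    return alerts

if __name__ == "__main__":
    for src, info in detect_rdp_attacks(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons against "
              f"{info['users']} user(s) -> {info['pattern']}")
```

In production the same logic would read events from the Security log or a SIEM rather than a list, and the flagged sources feed a block or an MFA-enforcement decision rather than a print.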
“In addition, a ‘defense in-depth’ approach should be a top consideration to stay ahead of future threats. Ransomware, by its very nature, uses the operating system and its resources to carry out an attack. Therefore, hardening the operating system and underlying hardware can address a wide variety of advanced persistent threats and zero-day exploits posed by malware,” he tells Infosecurity.
“Lastly, organizations should consider implementing a ‘data-driven’ approach that can differentiate between normal processing and ransomware behavior. This approach leverages the operating system and underlying hardware to enhance the behavioral analysis and machine learning necessary to automate and accelerate the response to a ransomware attack in near real-time.”
This approach should be used alongside a strong backup and disaster recovery plan, according to Kaseya’s Lancaster.
“A foolproof method of backing up data would be a combination of onsite and cloud backup, also known as hybrid cloud backup. An onsite backup is especially handy when facing internet connection issues due to system disruption, and is highly efficient and less expensive than other methods,” he explains. “Remember, backups are only as good as your recovery. Periodically test the restore process to ensure that restored files from backups are accurate. If the worst happens, you should be able to recover your data without thinking and get it back exactly the way it was before.”
The Bigger Picture
This is all very well, but funding shortfalls can make these investments problematic, according to Johannes Ullrich, SANS Institute dean of research.
“Public entities often have a hard time articulating the need for a sufficient investment in information security and disaster recovery. Spending often lacks coordination across IT departments which are organized by political structures versus functional and business structures,” he says. “Public entities also have a hard time competing for talent, not just due to problems matching private sector compensation, but also due to work environments that do not attract the type of individuals required to perform cutting edge information security work.”
Yet progress is possible. Louisiana state governor John Bel Edwards set up a Cyber Security Commission to help local municipalities respond more quickly to emerging threats, which they needed to do twice in 2019 after ransomware attacks struck. The Senate has also passed a new law which will require the Department of Homeland Security (DHS) to build dedicated teams tasked with providing technical support and incident response assistance to affected organizations.
With fears that ransomware could be used to disrupt the 2020 Presidential elections, recognition of the threat at a federal level has come not a moment too soon. As bad as the impact of attacks has been on local municipalities over the past year, serious interference in November could only serve to magnify the issue.