Baltimore is still struggling to recover from a ransomware attack that first crippled Charm City more than two weeks ago.
As NPR reports, “the online aspects of running the city are at an impasse. Government emails are down, payments to city departments can't be made online and real estate transactions can't be processed.”
It may be weeks more before the city's services return to something resembling normal — manual workarounds are being put in place to handle some services now, but the city's water billing and other payment systems remain offline, as well as most of the city's email and much of the government's phone systems.
The scourge of ransomware, in which attackers seize control of digital assets and hold them hostage in exchange for payment, continues to haunt state and local governments.
Government agencies should follow ransomware protection and recovery best practices to ensure their services are not taken offline the way Baltimore’s have been, experts say. That includes user education as a first line of defense to ensure they do not click on malicious links that will introduce ransomware, as well as robust and redundant backups of applications and data.
Why Do Ransomware Attacks Persist as a Threat?
Last year, ransomware attacks targeted state and local governments of all sizes, from Atlanta to Alaska's Matanuska-Susitna Borough, from the Port of San Diego to the Colorado Department of Transportation.
The attacks have continued to succeed in 2019. In January, a ransomware attack on the city of Del Rio, Texas, shut down City Hall servers and forced officials to resort to pen and paper to provide services. The city of Sammamish, Wash., had to declare a city emergency after ransomware took hold of its systems, affecting storage drives and internal shared files.
“I think it is a sleeping giant,” Alan Shark, executive director of the Public Technology Institute, says about ransomware. “I think people, even some of the people in the security business, have said, ‘It has peaked’ or, ‘It’s not that bad.’ I think it’s our No.1 concern still.”
Attackers work by finding vulnerabilities and exploiting them, Shark notes. “They are able to extract such damage because of the inherent weaknesses in local government compared to the private sector,” he says.
Shark says some of those weaknesses include not having enough IT leaders who are adequately trained in cybersecurity, or having CIOs who are doubling as CISOs and are stretched thin by their responsibilities.
Danny Allan, vice president of product strategy at backup solution provide Veeam, says the attacks are continuing because “success begets success.”
“As ransomware continues to compromise places like the city of Baltimore and similar places, it becomes an attractive attack vector because it’s working,” he says. “The quantity and quality and scope of the attacks will continue to grow in 2019.” Allan believes the market is only a few years into a 10-year cycle of ransomware growing and then fading as a malware threat.
Allan pins state and local governments’ susceptibility to ransomware on a lack of resources. “They don’t have the resources to apply to locking down the systems,” he says. “That makes them a more attractive target for the attackers.”'
Ransomware Protection Best Practices
When it comes to ransomware protection, Allan advises that all security is incremental, and recommends agencies focus on what he dubs “the first line of defense and the last line of defense.”
The first line is user education. Generally, ransomware gains a foothold in an agency because a user does something he or she shouldn’t have done, like opening a suspicious email or clicking on an unknown link. Agencies need to provide continuous user training on security and best practices to all employees to avoid common mistakes like that, Allan says.
Shark adds that training should be given at all levels of an organization — including for its leaders, who should be seeking security certifications and keeping up with the latest threats.
Agencies also need to regularly review their policies and ensure they have a business continuity plan in place and that it is practiced, Shark says. Policy reviews on cyber awareness should not be a once-a-year event, he says. “People who think they are checking off a box because the state requires it are missing the point,” he says.
Ransomware Recovery Depends on Backups
If a ransomware attack gets through all of the layers of an agency’s security — intrusion detection and prevention and anti-malware software among them — then agencies need to be able to recover from the attack, Allan says. The goal is not only to have a backup of critical data that is easy to use but that can be easily shown to work in demonstrations to mayors and other city or county leaders, Allan says.
Shark advises that local governments invest in redundant systems, including housing data backups in offsite remote locations that can kick in like a backup generator in the event of an attack. Shark says it does not matter if this backup is in the cloud or not. The goal is to have data backup “where it can be best maintained and where you have ready access.”
Agencies cannot engage in ransomware recovery unless they have backups, Allan notes.
“Backup needs to be simple and easy,” he says. “But if you can’t recover, then all the backups in the world don’t work. The real focus has been on fast recovery.”
Ransomware hits home not because an agency’s files or servers have been encrypted and held hostage, Allan says, but because that then renders government services inoperable.
To achieve the fastest ransomware recovery possible, state and local governments have to get the most granular recovery possible, Allan says. For example, if an email attachment has been encrypted, an agency would not want to recover the entire email inbox, just the encrypted file.
Agencies also need to have monitoring and reporting tools running so that they can be alerted when a ransomware attack is occurring. Those telltale signs include CPU cycles and memory cycles that show anomalous activity. There are specific algorithms that ransomware attacks run, Allan notes, and if they are running in the middle of the day, for example, that might be a sign that an attack is underway.
“If you are reacting to ransomware, it’s already too late,” he says.
The best backup and recovery tools are simple, reliable across all systems and flexible across different IT architectures, Allan adds.