Sep 30 2021

Fact or Fallacy: Ransomware Targets Underfunded, Vulnerable Agency Networks

State and local governments can improve their understanding of ransomware with these basic details.

Ransomware is making headlines once again, as cybercriminals target high-profile organizations. A prominent example is Colonial Pipeline, a Texas-based oil pipeline system that shut down its entire fuel distribution following an attack in May. 

The attack resulted from a single compromised password used by hackers to gain entry into Colonial Pipeline’s networks. The hackers attacked successfully using ransomware.

Ransomware is a constantly evolving attack tool used by cybercriminals. In addition to costing agencies time and money, it can halt operations or even bring down an entire government network and associated services. Agencies can be better prepared to deal with such attacks by understanding which claims about ransomware are fallacies and which are fact.

RELATED: Get five questions a cybersecurity assessment must answer.

Fallacy: Ransomware Affects Only Windows Systems

While it’s true that Microsoft Windows is the biggest target of ransomware attacks, other operating systems are also affected by ransomware.

A 2021 study compiled by Safety Detectives found Windows OS is targeted most frequently (85 ­percent) by ransomware attacks, followed by macOS (7 percent), Android (5 percent) and Apple iOS (3 percent). Windows-based computers are the most commonly used and are more affordable than other OS-based computers, which makes them a perfect malware target. However, any system is susceptible to certain types of malware such as viruses and ransomware.

The first Apple macOS ransomware attack was detected five years ago. Since then, more and more attacks have been reported. Last year, K7 Labs uncovered macOS ransomware called ThiefQuest (also known as EvilQuest), which encrypts files, installs keyloggers and exfiltrates files from infected ­computers. 

Researchers have now discovered other variants of ThiefQuest with stronger capabilities than earlier known versions of the macOS malware.

Fallacy: Paying Ransom Guarantees the Return of Data

According to a Sophos poll of 5,400 IT decision-makers around the world, only 8 percent of ­ransomware victims got all their data back after paying the ransom. Almost a third (29 ­percent) recovered no more than half of their data. Meanwhile, the cost of remediation — from business downtime, lost orders and operational expenses, among other damage — jumped from an average of $761,106 in 2020 to $1.85 million in 2021. 

It’s 10 times more expensive for agencies to remediate an attack than to pay the ransom. That’s why the number of ­businesses choosing to pay skyrocketed from 26 percent in 2020 to 32 ­percent in 2021. The highest ransom payment reported was $3.2 million; the average was approximately $170,000.

EXPLORE: What are the risk preparedness lessons government can take from the Oldsmar hack? 

Fallacy: Backups Make Ransomware Recovery Easy

There is a common ­misconception that recovering from a ­ransomware attack is easy if an agency has backups. The reality is that ­backups can be difficult to restore if they are ­damaged or encrypted by hackers. 

Additionally, backups don’t address secondary forms of ­disruption. Resolving a ransomware attack isn’t simply about restoring files because that doesn’t fix the vulnerabilities that made the breach possible in the first place. Governments must know how hackers penetrated the network and whether they still have access.

Fact: Attackers Launch Ransomware Through Phishing

The shift to remote work during COVID-19 created a new target for cybercriminals: employees using unsecured personal devices on enterprise ­networks. As agencies quickly moved to work-from-home environments, some security controls were overlooked. Financial services and insurance executives became key targets for ransomware and ­fraudulent email messages (known as phishing) in the past year, according to Verizon’s 2021 data breach report.

$18 billion

The cost of ransomware attacks on state and local governments in 2020

Source:, “Report: Ransomware Attacks Cost Local and State Governments over $18 Billion in 2020,” March 22, 2021

Researchers at Proofpoint also saw a rise in ransomware attacks distributed by email last year. A newer attack, identified as Avaddon, targeted U.S. organizations specifically. It circulated in more than 1 million messages, sent to manufacturing, ­education, media and entertainment ­companies. 

Avaddon is an example of Ransomware as a Service, in which someone pays to use ­ransomware instead of building it themselves.

DIVE DEEPER: New forms of ransomware could target state and local governments.

Fact: Ransomware Is Typically Built Around Known Vulnerabilities

Ransomware attacks ­usually take place when a person inside an agency clicks on what looks like a legitimate attachment, which then downloads a malicious payload and encrypts data. Many of these attacks occur via email.

Yet, larger ransomware attacks are almost always built around known vulnerabilities that give hackers access to enterprise ­networks through remote logins and internet-facing servers. Hackers exploit these vulnerabilities and try to encrypt as much of the network as possible.

RiskSense identified more than 220 IT security vulnerabilities in the Common Vulnerabilities and Exposures database tied to attacks involving r­ansomware in 2020. The number of vulnerabilities has increased fourfold since 2019.

Fact: Cities and Utilities Are Prime Ransomware Targets

Cities and utilities are increasingly becoming attractive targets for ­ransomware because of the immediate real-world consequences. They ­provide critical services but often use outdated IT infrastructure, which has more vulnerabilities. According to BlackFog’s “State of Ransomware in 2021” report, there were 23 attacks in February 2021 alone, up from 16 in the same month of 2020. 

Tulsa, Okla., is dealing with a ­ransomware attack that happened in May. The city’s IT department received notice that some of its servers were ­communicating with a known threat site. A ­ransomware attack was launched on several ­systems and moved quickly through the ­network, prompting the city’s response team to shut down all services to stop the attack. The ­incident shows that ­ransomware can affect any public or private organization, disrupting business for days or weeks.

Getty Images: Poganka06 (cubes), Yuoak (icons)

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT