Is There an Increase in Ransomware Attacks on State and Local Governments?
During the COVID-19 pandemic, ransomware attacks in general increased 148 percent from the baseline levels reported in February 2020, according to a McAfee report. “Governments appear particularly vulnerable to malicious insider attacks, reporting the highest impact of such attacks among all surveyed industries,” the report states.
According to the 2022 “Cyber Threat Report” from SonicWall, two industries saw large spikes in malware in 2021: healthcare (121 percent) and government (94 percent). In North America, ransomware rose 104 percent in 2021, according to the report, just under the 105 percent average increase worldwide.
Other surveys also show a high prevalence of ransomware attacks on government. In January and February of 2021, researchers surveyed 248 government IT managers around the globe for a Sophos-sponsored survey. The goal was to provide context for IT leaders on how emerging cyberthreats are uniquely impacting state and local government agencies. Between state and local government, the report notes, “central government is a more frequent target than the local government.”
Overall, 40 percent of central government agencies experienced a ransomware attack within the previous year. Of the central government respondents that were not hit, 48 percent said they expected a future attack. The numbers were lower for local governments, where 34 percent were hit and 43 percent of those not hit expected to be attacked, so they remain at risk.
On the other hand, anti-virus firm Emsisoft tallied up 77 state and local agencies across the United States that were struck by ransomware in 2021, which was down from the 113 it tallied in both of the two preceding years. Still, Emsisoft notes the attacks were “disruptive, costly and were the cause of at least 118 data breaches, most of which resulted in sensitive information being posted online.”
How Have Ransomware and Other Cyberattacks on Agencies Happened?
Government agencies that have been infected by ransomware attacks in recent years largely have fallen victim to phishing or social engineering attacks that malicious actors have used to steal credentials.
For example, in 2021, the Washington, D.C., Metropolitan Police Department was struck by the Babuk ransomware, a Ransomware as a Service attack. Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future, tells StateScoop that Babuk “uses a combination of phishing attempts and scans for low-hanging vulnerabilities, like open Remote Desktop Protocol ports.”
Other times, as was the case of a ransomware attack last year against the town of Geneva, Ohio, attackers simply exploit vulnerable IT systems. “It just happens to be that hackers saw a vulnerable system, and went after it,” Alex Hamerstone, advisory solutions director at security firm TrustedSec, tells local TV station WKYC.
“Modern ransomware tactics bear more resemblance to the attack techniques used by advanced nation-state attackers than they do to the simplistic malware attacks of years past,” Walt Powell, a field CISO at CDW, writes in a blog post.
“Multi-extortion is the latest tactic to emerge in ransomware attacks,” he writes. “Instead of simply encrypting files and demanding a ransom in exchange for the decryption key, attackers now steal as much information as they can from the target. With gigabytes of sensitive data in hand, they threaten the target with the disclosure of sensitive customer information, product plans and other valuable business data unless they promptly pay the ransom.”
Attackers are also growing increasingly sophisticated in their intrusion techniques, Powell writes. “They no longer rely on the opportunistic approach of deploying malware on the internet and hoping to infect users who click the wrong link,” he says. “Instead, they research prospective targets with deep pockets and then use a variety of approaches to gain access to the target’s network.”
That attack repertoire includes “sophisticated phishing attacks, technical attacks against the Remote Desktop Protocol (RDP) and even bribing insiders to grant them access to an organization’s network.”
“Once they establish an initial foothold, they move around inside an organization’s network and download as much data as possible before triggering an encryption routine,” Powell adds.
How Does a State or Local Government Protect Itself from Ransomware?
Core elements of a ransomware response strategy include data backups. “Prioritize the data that is most critical to your organization and back it up,” reads the Cyber Readiness Institute’s “Ransomware Playbook.” “Make sure you can reinstall from the backups, which are often in the cloud, and that the backups are tested frequently.”
Early detection of attacks is also crucial for mitigation, the playbook notes, as is working with third-party partners that can “provide response support if an incident occurs.”
However, it’s crucial for cybersecurity teams for state and local governments to also think upstream and about how they can prevent ransomware attacks from being successful in the first place. A core element of that is making sure the agency’s software is as secure as possible. “Update your software with the latest security patches,” the CRI playbook states. “This critical preventative step will make it harder for malicious actors to compromise your system.”
Improving password security and implementing multifactor authentication are also crucial. “Insist employees use strong passwords or passphrases (at least 15 characters) and implement multi-factor authentication, which requires users to present more than one piece of evidence when logging in to an account,” Evans says. “This step alone prevents 99.9% of account-compromise attacks.”
According to Justin MacDonald, executive security strategist at CDW, other elements of a successful prevention approach include:
- Asset management programs that track inventory and control the configuration of hardware and software
- Vulnerability management programs that identify and remediate security issues before an attacker can exploit them
- Privileged access management systems that mediate and monitor the use of administrative accounts
- Endpoint protection technology that can detect and respond to an attack in progress
Agencies can also prevent ransomware attacks by shifting to a zero-trust architecture for cybersecurity.
“This emerging cybersecurity philosophy uses strong authentication to make decisions about access based on each user’s identity rather than his or her network destination,” Powell writes. “Secure access service edge solutions are a great way to integrate zero-trust access ideas into your current control stack. Even if you aren’t in a position to modernize your remote access approach, it is still important to review all your external network access. Internet-facing RDP continues to be one of the primary ways ransomware groups gain access to organizations’ networks.”
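The controls this section recommends (current patches, MFA, 15-character passphrases, tested backups, and no internet-facing RDP) can be turned into a readiness check over an asset inventory. The script below is an added example, not code from the article or from any firm quoted in it; the inventory, field names and the 30-day patch window are assumptions constructed for illustration.

```python
"""Ransomware-readiness check over a small asset inventory (added example).

Applies the article's prevention controls to each asset and lists the gaps.
The inventory and the 30-day patch window are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

MIN_PASSPHRASE_LEN = 15      # minimum passphrase length quoted in the article
MAX_PATCH_AGE_DAYS = 30      # assumed patch window; not stated in the article
RDP_PORT = 3389              # standard Remote Desktop Protocol port
TODAY = date(2022, 3, 10)    # constructed reference date for the sample run

@dataclass
class Asset:
    name: str
    last_patched: date
    mfa_enabled: bool
    min_password_len: int
    backup_last_restore_test: date | None    # None = backups never test-restored
    internet_exposed_ports: set[int] = field(default_factory=set)

def findings(asset: Asset, today: date) -> list[str]:
    """Return the prevention gaps found on one asset (empty list = none)."""
    gaps = []
    if (today - asset.last_patched).days > MAX_PATCH_AGE_DAYS:
        gaps.append("patching: security updates older than the patch window")
    if not asset.mfa_enabled:
        gaps.append("mfa: multifactor authentication not enforced")
    if asset.min_password_len < MIN_PASSPHRASE_LEN:
        gaps.append("passwords: minimum length below 15 characters")
    if asset.backup_last_restore_test is None:
        gaps.append("backups: restore from backup never tested")
    if RDP_PORT in asset.internet_exposed_ports:
        gaps.append("rdp: Remote Desktop Protocol reachable from the internet")
    return gaps

def report(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each asset name to its list of gaps."""
    return {a.name: findings(a, today) for a in assets}

# Constructed sample inventory (illustrative values only).
SAMPLE = [
    Asset("court-records-srv", date(2022, 1, 3), False, 8, None, {3389, 443}),
    Asset("payroll-app", date(2022, 3, 1), True, 16, date(2022, 2, 15), {443}),
]

if __name__ == "__main__":
    for name, gaps in report(SAMPLE, TODAY).items():
        print(name, "->", gaps or ["no gaps"])
```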