Apr 18 2022

Ransomware Prevention Best Practices for State and Local Governments

Government agencies must put energy into stopping ransomware attacks before they encrypt valuable data.

The threat of ransomware attacks on state and local agencies is as persistent as it is pernicious in 2022. In March, Partnership HealthPlan of California, a nonprofit organization that manages healthcare for Medi-Cal patients in 14 counties in the state, was hit by a ransomware attack. In a cyberattack earlier this year, Bernalillo County in New Mexico had its computer systems disrupted by ransomware.

A recently released report, “The State of Ransomware in Government 2021,” underwritten by security firm Sophos, labeled the scourge of ransomware a “national emergency.”

Local governments were “far less successful at stopping the attacks” compared with other sectors, according to the report. Nearly 70 percent of local government respondents who were attacked said their data was encrypted. That’s a full 15 percentage points higher than the global average of 54 percent.

Meanwhile, a recent national survey shows that fewer than half of state and local governments have a ransomware incident response plan. Sponsored by Palo Alto Networks, the Center for Digital Government recently surveyed 200 state and local government leaders on the topic of ransomware. When asked whether they agreed or disagreed with the statement that “the ransomware threat will subside significantly over the next 12 to 18 months,” 78 percent of respondents disagreed (57 percent strongly disagreed).

While many security firms and resources from organizations such as the National Association of State Chief Information Officers focus on advising agencies to back up their data to mitigate the effects of a ransomware attack, there are steps they can take to prevent such attacks.

Those include increased cybersecurity training for users, using multifactor authentication, and ensuring software is regularly patched and updated. “There are things that all towns, cities and counties can do,” Karen Evans, the managing director of the Cyber Readiness Institute, writes in StateScoop. “These actions do not require large budgets, more technology or hiring more staff. They require a better understanding of how ransomware attacks occur and the implementation of policies that drastically reduce the ability for criminals to snatch valuable data.”


Is There an Increase in Ransomware Attacks on State and Local Governments?

During the COVID-19 pandemic, ransomware attacks in general increased 148 percent from the baseline levels reported in February 2020, according to a McAfee report. “Governments appear particularly vulnerable to malicious insider attacks, reporting the highest impact of such attacks among all surveyed industries,” the report states.

According to the 2022 “Cyber Threat Report” from SonicWall, two industries saw large spikes in malware in 2021: healthcare (121 percent) and government (94 percent). In North America, ransomware rose 104 percent in 2021, according to the report, just under the 105 percent average increase worldwide.

Other surveys also show a high prevalence of ransomware attacks on government. In January and February of 2021, researchers surveyed 248 government IT managers around the globe for the Sophos-sponsored survey. The goal was to provide context for IT leaders on how emerging cyberthreats are uniquely impacting state and local government agencies. Between state and local government, the report notes, “central government is a more frequent target than the local government.”

Overall, 40 percent of central government agencies experienced a ransomware attack within the previous year, and 48 percent of the central government respondents that were not hit said they expected a future attack. The numbers were lower for local governments, where 34 percent were hit and 43 percent of those not hit expected to be attacked, but they remain at risk.

On the other hand, antivirus firm Emsisoft tallied up 77 state and local agencies across the United States that were struck by ransomware in 2021, down from the 113 it tallied in each of the two preceding years. Still, Emsisoft notes the attacks were “disruptive, costly and were the cause of at least 118 data breaches, most of which resulted in sensitive information being posted online.”


How Have Ransomware and Other Cyberattacks on Agencies Happened?

Government agencies that have been infected by ransomware attacks in recent years largely have fallen victim to phishing or social engineering attacks that malicious actors have used to steal credentials.

For example, in 2021, the Washington, D.C., Metropolitan Police Department was struck by the Babuk ransomware, a ransomware-as-a-service operation. Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future, tells StateScoop that Babuk “uses a combination of phishing attempts and scans for low-hanging vulnerabilities, like open Remote Desktop Protocol ports,” the publication reports.

Other times, as was the case of a ransomware attack last year against the town of Geneva, Ohio, attackers simply exploit vulnerable IT systems. “It just happens to be that hackers saw a vulnerable system, and went after it,” Alex Hamerstone, advisory solutions director at security firm TrustedSec, tells local TV station WKYC.

“Modern ransomware tactics bear more resemblance to the attack techniques used by advanced nation-state attackers than they do to the simplistic malware attacks of years past,” Walt Powell, a field CISO at CDW, writes in a blog post.

“Multi-extortion is the latest tactic to emerge in ransomware attacks,” he writes. “Instead of simply encrypting files and demanding a ransom in exchange for the decryption key, attackers now steal as much information as they can from the target. With gigabytes of sensitive data in hand, they threaten the target with the disclosure of sensitive customer information, product plans and other valuable business data unless they promptly pay the ransom.”

Attackers are also growing increasingly sophisticated in their intrusion techniques, Powell writes. “They no longer rely on the opportunistic approach of deploying malware on the internet and hoping to infect users who click the wrong link,” he says. “Instead, they research prospective targets with deep pockets and then use a variety of approaches to gain access to the target’s network.”

That attack repertoire includes “sophisticated phishing attacks, technical attacks against the Remote Desktop Protocol (RDP) and even bribing insiders to grant them access to an organization’s network.”

“Once they establish an initial foothold, they move around inside an organization’s network and download as much data as possible before triggering an encryption routine,” Powell adds.


How Does a State or Local Government Protect Itself from Ransomware?

Core elements of a ransomware response strategy include data backups. “Prioritize the data that is most critical to your organization and back it up,” reads the Cyber Readiness Institute’s “Ransomware Playbook.” “Make sure you can reinstall from the backups, which are often in the cloud, and that the backups are tested frequently.”

Early detection of attacks is also crucial for mitigation, the playbook notes, as is working with third-party partners that can “provide response support if an incident occurs.”

However, it’s crucial for cybersecurity teams for state and local governments to also think upstream and about how they can prevent ransomware attacks from being successful in the first place. A core element of that is making sure the agency’s software is as secure as possible. “Update your software with the latest security patches,” the CRI playbook states. “This critical preventative step will make it harder for malicious actors to compromise your system.”

Improving password security and implementing multifactor authentication is also crucial. “Insist employees use strong passwords or passphrases (at least 15 characters) and implement multi-factor authentication, which requires users to present more than one piece of evidence when logging in to an account,” Evans says. “This step alone prevents 99.9% of account-compromise attacks.”

According to Justin MacDonald, executive security strategist at CDW, other elements of a successful prevention approach include:

  • Asset management programs that track inventory and control the configuration of hardware and software
  • Vulnerability management programs that identify and remediate security issues before an attacker can exploit them
  • Privileged access management systems that mediate and monitor the use of administrative accounts
  • Endpoint protection technology that can detect and respond to an attack in progress

Agencies can also prevent ransomware attacks by shifting to a zero-trust architecture for cybersecurity.

“This emerging cybersecurity philosophy uses strong authentication to make decisions about access based on each user’s identity rather than his or her network destination,” Powell writes. “Secure access service edge solutions are a great way to integrate zero-trust access ideas into your current control stack. Even if you aren’t in a position to modernize your remote access approach, it is still important to review all your external network access. Internet-facing RDP continues to be one of the primary ways ransomware groups gain access to organizations’ networks.”
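One concrete way to carry out the review of external network access that Powell recommends is to audit perimeter firewall or cloud security-group rules for remote-access and admin services reachable from outside the agency's own address space. The script below is an added example, not code from the article or from CDW; it assumes rules are available as simple dictionaries (name, port, protocol, source CIDR) and uses a constructed sample inventory.

```python
import ipaddress

# Constructed sample of perimeter rules (not from any real agency).
SAMPLE_RULES = [
    {"name": "vpn-gw", "port": 443, "proto": "tcp", "source": "0.0.0.0/0"},
    {"name": "legacy-rdp", "port": 3389, "proto": "tcp", "source": "0.0.0.0/0"},
    {"name": "admin-rdp", "port": 3389, "proto": "tcp", "source": "10.20.0.0/16"},
    {"name": "file-share", "port": 445, "proto": "tcp", "source": "198.51.100.0/24"},
    {"name": "ipv6-rdp", "port": 3389, "proto": "tcp", "source": "::/0"},
]

# Address space considered "inside" the agency (assumed; adjust to your own ranges).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Services that should never be exposed directly to the internet; RDP is the
# one the article singles out as a primary ransomware entry point.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5985: "WinRM", 5986: "WinRM-HTTPS"}


def is_external(source: str) -> bool:
    """True unless the source CIDR lies entirely inside an internal range."""
    net = ipaddress.ip_network(source, strict=False)
    return not any(net.version == internal.version and net.subnet_of(internal)
                   for internal in INTERNAL_RANGES)


def find_exposures(rules):
    """Return rules that expose a risky service to external sources."""
    findings = []
    for rule in rules:
        service = RISKY_PORTS.get(rule["port"])
        if service and rule["proto"] == "tcp" and is_external(rule["source"]):
            findings.append({
                "rule": rule["name"],
                "service": service,
                "source": rule["source"],
                # Internet-facing RDP gets the highest priority for remediation
                # (move behind VPN/SASE with MFA, or disable it entirely).
                "severity": "high" if rule["port"] == 3389 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['rule']}: {f['service']} open to {f['source']}")
```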
