Ransomware attacks against utilities and local governments are on the rise around the country. In March 2018, the city of Atlanta ground to a halt because of a ransomware attack, with recovery dragging on into April; days later, Baltimore’s 9-1-1 dispatch system was knocked offline by a separate attack. By October, the city of West Haven, Connecticut was struggling to regain access to 23 of its servers, while financial servers in the city of Muscatine, Iowa were also targeted by the malicious software. And in North Carolina, Onslow County’s water utility was crippled by ransomware only two weeks after Hurricane Florence brought epic flooding to the region.
What Is Ransomware, and Why Is It Used?
Ransomware is a form of malware that encrypts files (or otherwise locks up systems) and denies access to critical data. Attackers promise, sometimes deceptively, to hand over the decryption key only after victims pony up large sums of cash or cryptocurrency such as bitcoin.
Cybercriminals like ransomware for several reasons. For one, it can be wickedly successful simply by sending an email. This is known as phishing: an attachment disguised as a trustworthy file (an invoice, a shipping notice, a document that asks the reader to enable macros) is directed to a target’s inbox. Once that file is opened and its content executes, the ransomware runs with whatever access that user already has, encrypting local files and any network shares the account can write to. Even more dangerous are phishing scams with built-in social engineering that trick users into granting privileged, administrative access, which lets the malware reach backups and systems the user alone could never touch. Other, more aggressive forms of ransomware don’t rely on email trickery at all; they exploit security holes, such as unpatched services or remote-access ports exposed to the internet, to infect computers directly.
What Makes a Local Government or SMB Appealing to Attackers?
One theory for the recent uptick in attacks that target local municipalities, utilities, state governments and even small businesses is the desire to steal, or hold hostage, the intellectual property (IP) of the intended targets. IP is generally treated as an intangible asset, and its value is typically estimated in one of three ways: market-based, cost-based, or based on estimates of past and future economic benefits.
For local governments, day-to-day operations, and with them the ability to serve the public welfare, depend on access to data, so the stakes are high. If a cybercriminal succeeds in locking away the massive amounts of data generated, collected and owned by a local government, they can disrupt every citizen-facing service at once. For small business owners, a ransomware attack can significantly cripple the health of a business and, in some cases, even cause the business to be shuttered.
Another theory for ransomware attacks on local governments is that they inflict visible damage on the system or on government officials. Safeguarding vital data is usually the job of a civil servant hired in a technical role, but the ultimate responsibility for that data lies with elected officials. A successful cyberattack can be viewed as a betrayal of the public’s trust, and if a cybercriminal believes a specific city might pay quickly to avoid that, it is likely to be a tempting target.
Finally, cybercriminals could launch ransomware attacks simply to expose the poor cyber hygiene or security deficiencies of a local government.
Ransomware Prevention Tips
So, what can small business owners or government officials do to avoid ransomware? And what are the recommended contingencies to keep commercial or government operations continuing to serve their communities in the unfortunate event that they are victimized by ransomware?
Ideally, a comprehensive cybersecurity posture includes a holistic, integrated plan for securing both people and systems. The weakest points, especially with phishing attacks, are the people, and it only takes one successful attack to create chaos.
To defend critical infrastructure, local governments and businesses alike must be able to detect, respond to and recover from these attacks. That calls for a robust disaster recovery and business continuity plan: one that assesses risks and likely threats, lists the primary tasks needed to keep operations running, and records where the data backups are, how current they are and how to restore from them.
Backing up files to the cloud should happen frequently and automatically. Doing so won’t stop a malware attack, but it can make the damage much less significant, provided the backups are kept where an infected machine cannot overwrite or encrypt them (a separate account or an immutable, versioned store rather than a mapped drive) and restores are tested regularly. Data protection tools such as encryption, and anti-virus and anti-malware software, round out the best practices local governments can implement to ensure that they can still do their jobs after a ransomware attack.
Another option is user behavior analytics, an emerging class of tools that applies analytics technologies like machine learning and deep learning to discover abnormal and risky behavior by users, machines and other entities on the network. It can surface security incidents that traditional tools miss, either because they match no predefined correlation rule or attack pattern, or because they span multiple organizational systems and data sources. For ransomware, the telltale deviation is a single account suddenly rewriting files at many times its normal rate, with file names it has never produced before.
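The following is an added example, not code from the original article or from any vendor’s product, of the kind of per-user behavioral check such a tool performs. It is written in Python over constructed file-server audit lines; the log format, user names, paths and thresholds are all assumptions made for illustration.

```python
"""Behavior-based ransomware detection over file-server audit events.

Added example. The log format, user names, paths and thresholds are
assumptions for illustration, not any product's real telemetry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log line shape: "<iso-ts> user=<u> host=<h> action=<a> path=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse(line):
    """Return the event as a dict, or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def extension(path):
    """Lower-cased final extension of a path ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines, window=timedelta(seconds=60), min_writes=20,
                  min_new_ext_ratio=0.5):
    """Flag users whose recent writes look like mass encryption.

    Baseline per user = the extensions they wrote *before* the current window.
    Alert when the window holds >= min_writes WRITE events and at least
    min_new_ext_ratio of them use an extension absent from that baseline
    (ransomware typically appends its own suffix, e.g. '.locked').
    Users with no baseline yet are skipped: that avoids false positives on
    brand-new accounts at the price of missing an attack on their first day,
    so seed the baseline from history when deploying for real.
    Returns a list of (user, host, time, writes_in_window, new_ext_ratio).
    """
    baseline = defaultdict(set)      # user -> extensions seen outside window
    recent = defaultdict(deque)      # user -> deque of (ts, ext) in window
    alerts, alerted = [], set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "WRITE":
            continue
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        q.append((ts, extension(rec["path"])))
        # Events that age out of the window become part of the baseline.
        while q and ts - q[0][0] > window:
            _, old_ext = q.popleft()
            baseline[user].add(old_ext)
        if not baseline[user] or user in alerted:
            continue
        writes = len(q)
        new_ratio = sum(1 for _, e in q if e not in baseline[user]) / writes
        if writes >= min_writes and new_ratio >= min_new_ext_ratio:
            alerts.append((user, rec["host"], ts, writes, round(new_ratio, 2)))
            alerted.add(user)
    return alerts


def constructed_sample():
    """Constructed audit events (not real data): two users doing routine
    work for ten minutes, then one of them writing 25 '.locked' files in
    25 seconds."""
    base = datetime(2018, 10, 16, 9, 0, 0)
    routine = [
        ("jsmith", "ws-014", "WRITE", "finance/budget.xlsx"),
        ("jsmith", "ws-014", "WRITE", "finance/memo.docx"),
        ("alee", "ws-022", "READ", "permits/app-117.pdf"),
        ("alee", "ws-022", "WRITE", "permits/notes.docx"),
    ]
    lines = []
    for i in range(20):                      # one event every 30 seconds
        user, host, action, path = routine[i % len(routine)]
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} user={user} host={host} "
                     f"action={action} path=/srv/{path}")
    burst = base + timedelta(minutes=12)
    for i in range(25):
        ts = burst + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} user=jsmith host=ws-014 action=WRITE "
                     f"path=/srv/finance/doc{i:03d}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for user, host, ts, n, ratio in detect_bursts(constructed_sample()):
        print(f"ALERT {ts} {user}@{host}: {n} writes in 60s, "
              f"{ratio:.0%} with never-before-seen extension")
```

The baseline is deliberately the user’s own past behavior rather than a global threshold, which is what distinguishes this from a static correlation rule: a finance clerk who writes a spreadsheet every few minutes and an engineer who batch-exports hundreds of logs each get judged against themselves. The thresholds here are illustrative; in practice they are tuned per environment, and the alert would be enriched with the host so the machine can be isolated before the encryption spreads to the file server.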
The old adage, “an ounce of prevention is worth a pound of cure,” could have helped cities like Atlanta and West Haven avoid becoming ransomware victims. Spreading awareness and properly training city employees to recognize email phishing would be well worth the time and cost. The same goes for keeping operating systems patched and automating updates so that there are fewer vulnerabilities to exploit.
Finally, local governments should keep a precise inventory of all devices attached to their networks and data stores, and segment the network so that traffic from an infected workstation cannot reach vital systems it has no business talking to. Tracking known Indicators of Compromise (IoCs) and the Tactics, Techniques and Procedures (TTPs) the criminals are using lets officials know with a high level of confidence whether there has been an intrusion. The earlier a problem is detected, the quicker government officials can react and keep a catastrophe from reaching constituents.
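Here is an added Python example, not the article’s own and not any product’s code, of tying those three practices together: reconciling a device inventory against what is actually seen on the wire, checking observed flows against a segmentation policy, and matching destinations against an IoC list. Every MAC, address, hostname, domain and indicator in it is made up for illustration.

```python
"""Inventory reconciliation, segmentation-policy check and IoC matching
over constructed network records. Added example; all addresses, MACs,
hostnames, domains and segment names are made up for illustration."""
import ipaddress
from collections import namedtuple

Asset = namedtuple("Asset", "mac ip hostname owner")
Flow = namedtuple("Flow", "src dst dport domain")

# Constructed asset inventory: what IT believes is on the network.
INVENTORY = [
    Asset("00:11:22:33:44:01", "10.10.1.11", "ws-014", "finance"),
    Asset("00:11:22:33:44:02", "10.10.1.12", "ws-022", "permits"),
    Asset("00:11:22:33:44:10", "10.10.2.20", "fs01", "it"),
    Asset("00:11:22:33:44:20", "10.10.9.5", "scada-hmi-1", "water-ops"),
]

# Constructed DHCP/ARP snapshot: what is actually answering on the wire.
OBSERVED = [
    ("00:11:22:33:44:01", "10.10.1.11"),
    ("00:11:22:33:44:02", "10.10.1.12"),
    ("00:11:22:33:44:10", "10.10.2.20"),
    ("de:ad:be:ef:00:01", "10.10.1.77"),  # nobody registered this device
]

# Network segments and the only cross-segment flows permitted (deny otherwise).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.1.0/24"),
    "servers": ipaddress.ip_network("10.10.2.0/24"),
    "ot": ipaddress.ip_network("10.10.9.0/24"),
}
ALLOWED = {
    ("workstations", "servers", 445),   # file shares
    ("workstations", "servers", 443),   # intranet apps
    ("servers", "ot", 502),             # historian polls the HMI over Modbus
}

# Constructed indicators of compromise (made-up values).
IOC_DOMAINS = {"pay-unlock.example", "keyserver-7.example"}
IOC_IPS = {"203.0.113.9"}

# Constructed flow records, as a firewall or NetFlow collector would emit.
FLOWS = [
    Flow("10.10.1.11", "10.10.2.20", 445, None),
    Flow("10.10.1.12", "10.10.2.20", 443, None),
    Flow("10.10.1.77", "10.10.9.5", 445, None),
    Flow("10.10.1.11", "203.0.113.9", 443, "pay-unlock.example"),
    Flow("10.10.2.20", "10.10.9.5", 502, None),
    Flow("10.10.1.12", "198.51.100.4", 443, "cdn.example"),
]


def unknown_devices(inventory=INVENTORY, observed=OBSERVED):
    """Devices seen on the wire whose MAC is not in the inventory."""
    known = {a.mac for a in inventory}
    return [(mac, ip) for mac, ip in observed if mac not in known]


def segment_of(ip):
    """Name of the segment containing ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def segmentation_violations(flows=FLOWS):
    """Internal flows that cross segments without a matching allow rule."""
    bad = []
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if "external" in (s, d) or s == d:
            continue
        if (s, d, f.dport) not in ALLOWED:
            bad.append((f, s, d))
    return bad


def ioc_hits(flows=FLOWS):
    """Flows whose destination IP or domain matches a known indicator."""
    return [f for f in flows
            if f.dst in IOC_IPS or (f.domain and f.domain in IOC_DOMAINS)]


def triage():
    """Run all three checks and attach inventory context to each finding,
    so a responder sees the owner or hostname, or 'UNKNOWN DEVICE'."""
    by_ip = {a.ip: a for a in INVENTORY}
    report = {"unknown_devices": unknown_devices(),
              "segmentation_violations": [], "ioc_hits": []}
    for f, s, d in segmentation_violations():
        owner = by_ip[f.src].owner if f.src in by_ip else "UNKNOWN DEVICE"
        report["segmentation_violations"].append(
            (f.src, owner, s, d, f.dport, f.dst))
    for f in ioc_hits():
        a = by_ip.get(f.src)
        report["ioc_hits"].append(
            (f.src, a.hostname if a else "UNKNOWN DEVICE", f.domain or f.dst))
    return report


if __name__ == "__main__":
    for section, findings in triage().items():
        print(section)
        for item in findings:
            print("  ", item)
```

In the constructed data the unregistered device at 10.10.1.77 is also the one reaching from the workstation segment into the OT segment on port 445, which the policy does not allow; that is the correlation the inventory makes possible. The IoC hit from ws-014 is an ordinary HTTPS connection by port, and only the indicator list turns it into a high-confidence finding, which is why indicators are kept current and matched against flow and proxy data rather than relied on as a static blocklist.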
About Steve Grewal
Steve Grewal is a former deputy CIO at GSA. He also served as a former CIO, CTO and CISO at the US Department of Education. Presently, Steve is CTO at Cohesity, and is a member of the Federal Advisory Board of Exabeam.