Over the past couple of years, state and local governments have increasingly become a top target for ransomware attacks. In 2019 alone, government entities reported 163 ransomware attacks — a nearly 150 percent increase in reported attacks from 2018 — with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs.
Even though mass distribution ransomware attacks on individuals and small businesses will continue to be a lucrative strategy for criminals who consider end users to be low-hanging fruit, more and more criminals are carrying out targeted attacks specifically on organizations that continue to rely on outdated operational systems and subsequent technology to generate revenue. Such organizations that are under attack include state and local government and educational institutions.
Just a few months ago, hackers infiltrated the city of Florence, Alabama’s, information technology systems, successfully deploying ransomware and demanding nearly $300,000. Furthermore, earlier this year in May, Texas’ statewide operations were hit by two separate ransomware attacks, targeting the Texas Department of Transportation and the Texas Office of Court Administration. Unfortunately, local governments are prime targets for attackers, given their limited budget and lack of skilled cybersecurity professionals as well as their reliance on legacy systems.
So, how can government entities avoid becoming a target of such attacks? It is crucial that organizations take a proactive approach and understand how to effectively prepare for ransomware attacks before damage even occurs. Below, I explain the necessary steps for accomplishing a successful preparation plan.
Prepare for the Reality of an Attack
Governments need to recognize that the possibility of a ransomware attack is only increasing with time. As such, they must think ahead and prepare for the real possibility of an attack. To do so, organizations must patch aggressively, limit privileged access, create backups, prepare a response plan and prioritize educational training.
Eliminate Key Vulnerabilities
Since ransomware is accomplished through malicious software that allows a hacker to restrict access to an organization’s vital information, all systems should be aggressively patched and a secure configuration should be ensured across systems, applications, and data in order to bolster defenses. Secure configuration encompasses the implementation of least privilege access and the removal of administrative privileges on endpoint systems.
Strong IT hygiene is pivotal, and this fundamental step will differentiate between which targets are low-hanging fruit in the eyes of the attacker. When known vulnerabilities are eliminated and when configurations are secure, organizations proactively protect themselves from several damaging threats. Specifically, the chances of malware being able to enter a computer are significantly reduced as a result.
It’s also important that government organizations understand that a primary vulnerability that attackers exploit are employees themselves. Ransomware infections are often instigated when an employee falls victim to a phishing email, which then provides an attacker the opportunity to plant malware. It’s crucial that governments take proactive measures that focus on educating employees. User awareness training is an effective way to teach people how to avoid becoming a victim to phishing email messages. Educational cybersecurity training is more prudent now than ever, with many attackers relying on sophisticated social engineering tactics. End users need to know what to expect and what to look for to avoid infection.
Implement Strict Access Controls and Zero Trust
Another critical aspect of preparing for a ransomware attack is assigning least privilege to better manage access permissions of employees. Often, ransomware attacks compromise an end point or end user and then leverage compromised privileges to laterally move to exploit additional key operational systems. If the privileges of the user are minimal, it makes it extremely difficult to access and infect the other systems.
As an example, many organizations have one file share accessible to everyone within the company, changing access requirements to a least privilege and as-needed basis can significantly limit damages caused by a ransomware infection. There is a lot of risk associated with access to file shares, and thus access should be strictly managed to reduce risk.
Additionally, government organizations should consider the implementation of Zero Trust, which involves strong identity governance, privileged access management, and segmenting of systems, applications, and data. Principles of Zero Trust are built on inherently not trusting users, devices, networks, and access to sensitive resources. Zero Trust initiatives improve the chances at containing an incident before it ever becomes a breach. In other words, an incident involving a compromise of one identity type (users, devices, network traffic, applications, or data) will not constitute a compromise of all identity types. If any of the identity attributes are inconsistent or risky, Zero Trust can help to intelligently respond with additional authentication methods or other compensating control so that the chances of lateral movement and of ransomware infecting and impacting business operations is reduced.
Ensure Backups Are Protected
Not only can ransomware destroy original files, but it can also encrypt backup files if they are not stored appropriately, which would leave an organization crippled. Next, government organizations should have plans in place to frequently backup all documents to an offline and an off-site location that cannot be affected by ransomware. An offline location often involves physical tapes that are either not connected to the network or exist on a separate off-site network. This strategy minimizes the impact associated with business continuity and disaster recovery.
Thus, it is imperative to create and to continuously verify that files are securely stored and can easily be restored in the case of an attack. It is important to note that organizations should not only rely on network shares and cloud storage for backup locations but also utilize offline locations. If files are encrypted or corrupted as a result of a ransomware attack and are automatically backed up to the network or the cloud, then the backup files could also be corrupted in storage locations.
Focus on Reducing Response Time
After protected backups are in place, governments must then develop an incident response (IR) plan centered around ransomware attacks. By ensuring an IR plan, state and local governments can thoroughly prepare for sophisticated targeted attacks that have the potential to halt critical operations. An IR plan details the specific actions that professionals within the government must execute in order to remediate the situation. It is crucial that everyone within the organization is aware of their role and impact in responding to a threat. This plan is put into action as soon as an incident is detected, reducing the amount of time it takes to stop or contain a serious threat. Time is of the essence when stopping a serious situation; thus, a prompt response is pivotal.
Furthermore, even though security budgets are tight for state and local governments, they should strongly consider transferring funds to support endpoint protection tools that can immediately detect and automatically respond to infections in the initial stages. The ability to detect ransomware infections early on is crucial to deescalating the incident and making certain that operations continue to run without delay or interruption.
Understand the Corresponding Costs
Lastly, to better prepare, state and local governments should consider investing in a good cyber insurance policy that explicitly covers not only the cost of a ransom itself but also the cost of lost revenues and of recovery. For example, the city of Baltimore was hit with a ransomware attack last year that demanded the payment of $76,000. Since the city did not pay the ransom, which is the recommended course of action in most cases, they were left with the restoration costs and revenue losses that totaled over $18 million. The city did not invest in cyber insurance, so they didn’t have access to the critical recovery assistance that was needed. Thus, from a pure risk-management perspective, a credible cyber insurance policy is most likely worth its weight in gold in situations such as this.
Ultimately, to pay a ransom or not is a business decision. The ethics and downstream effect of paying a ransom all point to not paying the ransom; yet, it is important to note that there is no guarantee that not paying will be the best course of action.
Government organizations who have invested in cyber insurance policies must ensure that they are aware of what is and what is not covered in terms of ransomware attacks. For example, in some cases, certain policies will not cover incidents caused by negligent security practices and programs.
If cyber insurance was not invested in prior to an attack, government organizations can engage with consulting firms and incident response firms that specialize in ransomware attacks. The majority of firms carry bitcoin that can be leveraged if a company chooses to pay the ransom.
Lastly, if government organizations are affected by a ransomware attack, they can also consider involving the National Guard and law enforcement. When a state of emergency is declared by a government and when the National Guard is invoked, access to previously unavailable funding to remedy the situation can be provided.
Plan for the Expected Impacts of Ransomware
Overall, it is critical to understand the impacts of a ransomware attack — which can do more damage than the cost of the ransom alone. When suffering from a ransomware attack, governments can experience a significant decrease in productivity, inadvertently inconvenience citizens, and permanently lose pertinent data.
Now is the time for federal, state and local government entities to review and ramp up current ransomware detection and prevention strategies and make certain that all the pivotal steps to successfully prepare for an attack are made. This proactive approach will ensure continued, uninterrupted support to U.S. citizens.