What Incident Responders Can Learn from the Lilu Ransomware Attacks on Texas Government Entities

On the morning of August 16, 2019, almost two dozen small towns in Texas found themselves under attack. Ransomware had infected their IT systems, and bad actors were demanding payment through Bitcoin to return the systems to normal. Otherwise, the towns wouldn’t be able to provide basic services such as accepting utility bill payments, issuing birth and death certificates and supporting email systems used by city workers and police officers. For some towns, the ransom was in five figures, but the mayor in one municipality said the attackers asked for $2.5 million to unlock the files.

These events represent the largest coordinated attack on government entities that has ever been detected. Texas state and federal authorities were immediately alerted as the towns struggled to recover. The FBI issued a warning that did not specify who was responsible but identified the malware as the Sodinokibi virus, a strain first seen in April. The Texas Department of Information Resources said that the evidence pointed to a single actor or group.

No statewide systems were impacted, but the attacks only underscore the growing threat of ransomware to municipalities, government agencies and other public organizations.

A rapidly growing cybersecurity issue

This year marks the 30-year anniversary of the first ransomware attack: PC Cyborg. Ransomware is now one of the most common types of cyber attacks, and according to the research firm Recorded Future ransomware aimed at state and local governments is on the rise. Since 2013, at least 169 examples of hackers breaking into government computer systems have been recorded. In 2019, more than 60 attacks have been announced as of August, and the actual number might be even more since not all attacks are publicized.

In Texas as elsewhere, towns, smaller cities and rural counties are especially attractive targets since they lack the resources, expertise and up-to-date technology defenses usually available to larger municipalities. At the same time, cities like Albany, N.Y., and Baltimore, Md., along with the entire Georgia courts system, have been recently targeted by ransomware.

Pay or fight back?

Government law enforcement officials advise ransomware victims not to pay, saying it only encourages more criminals to wage more attacks in the future. However, a recent study found that about 17 percent of municipal targets hit with ransomware decide to pay up.

Officials in Lake City, Fla., paid $460,000 in Bitcoin when they faced the potential collapse of their systems and the mass deletion of their files. The ransom amount was paid by insurance, although the government still had to cover a $10,000 deductible.

Baltimore took another approach. Hackers who disabled the city computers in May demanded about $76,000 to release the city’s files and allow employees to regain access to their computers. The mayor said the city would not pay the ransom, in part because there was no guarantee the files would be unlocked. As a result, the city wound up paying more than $5.3 million on computers and contractors to help bring systems back online one by one. The combination of lost revenue and city expenditures has been estimated to be more than $18 million.

How the bad guys get in

In the Texas attacks, the pathway was probably a communications channel used by law enforcement agencies and managed by a third-party systems-management firm. Once inside the channel, the hackers had to target only one system, which connected them with municipal networks across the state. At that point, it was fairly easy to deploy software to encrypt and lock up a town’s data.

The initial entry point for the Texas attacks was most likely a phishing email, which is a favored strategy for ransomware. Last year, hackers hit Allentown, Pa., with a malware package that shut down the city government’s computers for weeks. An investigation showed that when an Allentown city employee took a laptop with him while traveling, it missed software updates that might have blocked the malware. The employee unwittingly clicked on a phishing email, and when he returned to the office, the malware spread rapidly. The attack cost about $1 million to clean up. Improved defenses are now costing Allentown about $420,000 a year.

Response and recovery

The impact from the attacks in Texas could have been worse. Over the past several years, the state has created a system centralizing incident response, so security and IT staff in the towns under attack knew who to call to get immediate help. Some of the towns’ computer systems are now back online, while others are being restored by state and federal cybersecurity experts, including members of the National Guard in Texas.

The FBI, the U.S. Secret Service’s San Antonio office, the Department of Homeland Security and the Texas Department of Information Resources are all conducting ongoing investigations of the attack, where it came from, and who was behind it.

In the meantime, these agencies and other organizations are advising municipalities to review and follow basic security protocols to increase their defensive posture. These include updating software and operating systems with the latest patches, enabling strong spam filters to prevent phishing emails from reaching end users, restricting users’ permissions to install and run software applications, limiting administrative access, and configuring firewalls to block access to known malicious IP addresses.

Another approach involves determining whether systems and networks have already been penetrated. Compromise assessments help determine whether a network is breached using proprietary scans to proactively discover the presence of malware and persistent threats – active or dormant – that have successfully evaded an organization’s existing security defenses. The best defense is offense when it comes to ransomware, and a compromise assessment is an effective first step in that direction.

Texas Attacks Must Inform Other States as Ransomware ‘Only Getting Worse,’ Says Krebs

(Visited 11 times, 1 visits today)

Chris is co-founder and Chief Product Officer of Infocyte, as well as a retired Air Force cybersecurity officer and veteran who pioneered defensive cyber threat hunting operations for the U.S. Air Force — standing up their first interactive Defensive Counter Cyberspace (DCC) practice. Infocyte is the result of Chris’ experience hunting adversaries within some of the largest and most targeted defense networks in the world. His experience building the U.S. Military's first malware hunting team provides him with an unmatched level of operational expertise and equips him with a highly refined perspective on how to tackle today's security threats. From a decade of military service, Chris draws on both leadership and deep technical experience serving in various roles such as cryptographic systems maintainer, cyber warfare officer and Air Force pilot. Prior to co-founding Infocyte, Chris served as the U.S. Air Force Computer Emergency Response Team's (AFCERT) first Chief of DCC Operations. In this role, he led a team of 28 operators tasked with finding, tracking, and neutralizing state-sponsored threats on the Air Force's $2B, 800k node enterprise network. He personally conducted and/or oversaw 350+ adversarial hunt, rapid response and threat engagement missions on networks throughout the world. Chris holds a B.S. in Electrical & Computer Engineering from Oregon State University.

Leave a Reply

Latest from Cybersecurity

SIGN UP NOW for FREE News & Analysis on topics of your choice across homeland security!

BEYOND POLITICS.  IT'S ABOUT THE MISSION. 

Go to Top
Malcare WordPress Security