Why are so many US public entities being hit by ransomware?
(NOTE: This article comes to us courtesy of the Emsisoft blog. It was written by Jareth who says “a picture is worth a thousand words but unfortunately I can’t draw…” We hope you’ll take 5 minutes and read it. It is a well-written, easy-to-read, and very informative article. We thank the Emsisoft team and Jareth for allowing us to share this article with all of you.)
Within the same week in June 2019, two Florida towns fell victim to ransomware and paid a little over $1 million to hackers to retrieve their data and regain control of their servers.
“I would’ve never dreamed this could’ve happened, especially in a small town like this,” said the mayor of Lake City, one of the two Florida towns victimized by ransomware.
Hackers have the public sector in their sights
The Florida towns are the latest victims in a string of ransomware attacks on US governments. Since 2013, there have been 169 successful ransomware attacks on state and local US governments, according to figures collated by threat intelligence company Recorded Future.
In 2018, Atlanta, Georgia, was hit hard by SamSam ransomware, which knocked out a range of critical public services, including water requests, court fee payments, online bill payments and warrant issuances. In April 2019, Ryuk ransomware infected a number of municipalities across the US, disrupting department phone lines in Imperial County, California and forcing system shutdowns in Stuart, Florida. A slew of local police departments have also been affected by ransomware in recent years, including sheriff’s offices in Maine, Arkansas and Lauderdale.
In May 2019, hackers used a new strain of the RobbinHood ransomware to take control of 10,000 computers belonging to the Baltimore government. The hackers threatened to delete the data unless the city handed over about $75,000 worth of bitcoin.
Baltimore refused. As a result, government email systems and payment platforms were forced offline for weeks, leaving citizens unable to access a wide range of essential services. In total, the attack caused the city $18 million in damage – enough to pay the original ransom 240 times over.
These incidents have prompted speculation over whether the attacks are being carried out by run-of-the-mill opportunists out to make a quick buck, or state-sponsored cyberterrorists hell-bent on causing wide-scale economic disruption.
Why are public entities targeted?
The main objective of ransomware is financial gain. Many departments in the public sector are responsible for providing services that are essential to a city’s functioning. If these services are taken offline for extended periods of time, it can have far-reaching consequences on the citizens who live in the area.
As a result, many cybercriminals believe that public departments will respond more quickly than organizations in the private sector and be more willing to hand over the ransom in order to minimize downtime and keep their systems running smoothly. Ransomware attacks on public entities also receive a lot of media coverage, which reinforces the idea that the attacks are highly profitable.
However, research shows that this may not be true. According to Recorded Future, just 17 percent of state and local government entities affected by ransomware pay the ransom. Meanwhile, figures from CyberEdge show that almost half (45 percent) of private organizations hand over the money.
Why are local departments less likely to cooperate? It largely comes down to protocol. At both a federal and local level, most municipalities strongly discourage their departments from making ransomware payments. In much the same way that most countries won’t negotiate with terrorists, many public entities have policies against making ransomware payments. No-payment policies are intended to disincentivize further ransomware attacks.
It is important to note that money isn’t always the primary goal. In some cases, cybercriminals single out public entities with the aim of gaining notoriety, which can raise the profile of their name and lend weight to future attacks. In other situations, ransomware attacks are politically motivated and designed to cause maximum disruption to a specific region or organization, or used as a smokescreen to disguise more devious cyberespionage.
Why are public entities vulnerable to ransomware?
Whenever it comes to light that a government department has been affected by ransomware, there’s usually one question on the tip of the public’s collective tongue: How could this happen? Given that public departments provide critical services and are often responsible for safeguarding thousands of private records, shouldn’t their systems be up to the task of preventing ransomware?
In an ideal world, public entities would invest heavily in cybersecurity and have robust strategies in place to mitigate the effects of ransomware. Unfortunately, this isn’t the case, and many public entities are actually more vulnerable to ransomware than private companies. There are two main reasons for this:
1. Outdated technology
The world of malware moves quickly, and those caught using old technology are at greater risk of infection. Many local public departments either don’t have the budget to keep their cybersecurity infrastructure up to date, or are kept far behind the curve due to bureaucratic inefficiencies.
According to a report by ICMA, 29.3 percent of local governments rely on cybersecurity technology that is one generation behind current best practice. Even more worryingly, a further 8.7 percent depend on technology that is more than one generation behind current best practices. Relying on antiquated cybersecurity solutions leaves local governments more vulnerable to attack.
2. Big attack surface
Government departments exist to serve the public. They tend to have lots of public-facing web services, which means there are many possible points of vulnerability that can potentially be exploited by ransomware distributors.
In addition, public entities often employ many people who must have access to servers. This makes for a bigger attack surface and increases the chances of human error, which can lead to ransomware infection.
Ransomware and local governments
The recent ransomware attacks on Florida, Baltimore and Atlanta serve as a reminder that the public sector is certainly not immune to the effects of ransomware.
While the recent attacks undoubtedly taught the affected cities some important lessons in cybersecurity, it’s unlikely that they’ll be the last to experience such an attack. Until we see a radical shift in how municipalities approach ransomware and cybersecurity in general, it seems probable that we’ll continue to see more ransomware attacks on the public sector in the future.
Emsisoft provides virus, malware, PUPs, and ransomware protection. See our Emsisoft page.
Read the original Emsisoft blog post by Jareth here.
Yes, there is easy money to be made from this. As said, this is a good way for a country to try out a cyber attack on another country, secretly as well. This won't be going away anytime soon.
Whenever this topic is raised I always wonder why the one major insurance against ransomware never seems to be mentioned and that is BACKUP?
If these municipalities had competent and up-to-date backups in place they could thumb their noses at the hackers and simply restore their data to new servers and start over preferably with updated cybersecurity.
All they would lose is maybe a tiny amount of data and a small amount of down time.
Why are these organizations so lax at backing up? And why does nobody mention this simple precaution?
Generally, ransomware infects the backups as well – even if they’re stored “in the cloud”. Most good backups are real-time backups, meaning once the ransomware is introduced it is backed up to the backup(s) as well. The only way to prevent this would be to make backups every day and store them separately – and then if ransomware was introduced, the pristine backup could be used. However, this would mean some loss of data. Almost all ransomware is introduced into the system when an employee is tricked or induced into clicking an email link. Therefore, besides having adequate security software that protects against ransomware, employees should be trained to THINK before they click links. It does not take a lot of technical savvy to hover over a link to find out where it leads. And shortened URLs can also be unscrambled to find the ultimate destination.
Employees are often fooled by links like this – you’re eligible for a free $50 Kohl’s coupon. This is just an example and if you do click that link you’ll open our start page which is quite safe. But if you hover over that link you can tell right away it does go to Kohls and is a link to our start page.
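The "hover over the link" advice in the reply above can be automated for a whole email body. The script below is an added example and is not code from the Emsisoft article or from the commenter: it parses the anchors in an HTML email, compares the domain a link visibly displays with the domain its href actually points to, and flags links that go through a URL shortener so they can be expanded before anyone trusts them. The email body, the shortener host list and the simple "last two labels" domain logic are all constructed assumptions for this example (a real deployment would use a public-suffix list and a maintained shortener list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed list of common URL-shortener hosts. This is an assumption for
# the example, not an authoritative list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' registrable domain; a simplification (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_anchor(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    target = host_of(href)
    if not target:
        return ["href has no host (relative or malformed link)"]
    if registered_domain(target) in SHORTENER_HOSTS:
        findings.append(f"href uses URL shortener {target}; expand before trusting")
    # If the visible text itself looks like a URL or domain, it must match the real host.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m:
        shown = registered_domain(m.group(1))
        if shown != registered_domain(target):
            findings.append(f"visible text shows {shown} but href goes to {target}")
    return findings


def scan_email_html(html):
    """Return [(href, visible_text, findings), ...] for every link in the email body."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, text, check_anchor(href, text)) for href, text in parser.anchors]


# Constructed sample email body: one shortened link, one look-alike link whose
# displayed URL differs from its real destination, and one honest link.
SAMPLE_EMAIL = """
<p>You're eligible for a free $50 coupon!</p>
<a href="http://bit.ly/EXAMPLE">Claim your Kohl's coupon</a>
<a href="https://login.example-bank.com.evil.example/verify">https://www.example-bank.com/verify</a>
<a href="https://www.example.com/newsletter">www.example.com/newsletter</a>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"[{status}] {text!r} -> {href}")
        for f in findings:
            print(f"    - {f}")
```

The mismatch check is the programmatic form of hovering: a link whose visible text names one domain while its href lands on another is exactly what an employee is supposed to notice. The shortener check does not resolve the short URL (doing so would require a network request and would itself visit the destination); it only marks the link as one that must be expanded through a preview service or an isolated sandbox before it is trusted.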
It’s a complex and multi-faceted problem and therefore it’s not a very simple problem to solve.