Last year, we reported that ransomware attacks against local governments were on the rise. As noted then, ransomware is a type of malware designed to block access to a computer system or network until a sum of money is paid. Ransomware spreads through emails containing malicious links or attachments, or through visits to compromised websites. Ransomware may not be triggered immediately; it can lie dormant for days, weeks, or months, and can be triggered by keystrokes or your face looking into your computer’s camera.
A recent Deloitte Center for Government Insights report revealed that in 2019 over 163 ransomware attacks targeted local and county governments, resulting in $1.8 million paid to the cybercriminals behind the attacks and tens of millions of dollars spent in recovery costs. This was a significant jump in attacks from 2018, when 55 publicly reported incidents resulted in less than $60,000 in ransom. Hackers are increasing their attacks against local governments, and on average demand 10 times what they demand from private-sector companies.
Deloitte noted three key aspects as to why governmental entities are seeing increases in ransomware attacks:
- Governmental organizations tend to have insurance. While many areas of insurance are flat, cyber insurance remains a profitable segment. In 2018, for every dollar in premiums collected from policyholders, insurers paid out approximately 35 cents in claims, making cyber insurance nearly twice as profitable as other types of insurance.
- Governmental organizations leave gaps in their network and system security. These gaps can include failing to apply relevant software patches or install critical updates, backing up systems irregularly, and lacking cybersecurity training for staff. IBM research indicates many local and state governmental agencies are overconfident in their attitudes toward malware and cybersecurity incidents, finding only 38% of employees are trained on ransomware prevention.
- Governmental organizations need to maintain critical services. The theft of data can prevent government from providing services to those it serves, locking up everything from issuing marriage licenses to law enforcement’s ability to access crime or incident reports. In this case, it can feel imperative that ransom demands are paid in order to continue providing essential services.
These factors create a feedback loop, according to Deloitte state and local government sector leader Srini Subramanian. “The more [governments] are paying out, the more money criminals are demanding,” he says. “The criminals like targeting governments because they pay. And cyber insurance is paying because it is the fastest way to recovery, and it is likely the most cost-effective way as well.”
However, paying the ransom isn’t a guarantee the data can or will be recovered. As Deloitte notes, some malware such as NotPetya may ask for ransom even though it cannot ever decrypt the data, while some attackers may simply refuse to send the decryption key. According to one survey of 1,200 cybersecurity professionals, fewer than half of those who paid ransom regained access to their data.
As guardians of taxpayer money, governmental organizations need to ask themselves what they can be doing today to protect their systems and prevent ransomware attacks. The recommendations we listed last year are still relevant, including keeping your anti-virus software up to date; creating strong, unique passwords that are changed regularly; performing regular, automated backups and keeping the backups segregated; enabling multifactor authentication, especially for remote logins (which is particularly relevant this year); providing regular security awareness training for employees; not opening emails from unverified senders, or clicking links or downloading attachments in them; and not visiting compromised websites.
“Connected devices, digital systems, and integrated data mean governments have the opportunity to serve people and communities like never before,” said Deborah Golden, Deloitte’s principal and cyber risk services executive. “It also means there is a large surface for cyber criminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless.”
With that in mind, here are some additional suggestions to help prevent ransomware attacks:
- Smarter systems architecture. Failures to manage patch cycles, aging operating systems that are close to or have gone beyond end-of-support dates, and tight budgets preventing modernization are contributing to ransomware infection rates. IT modernization can only be deferred for so long, and given the financial damage ransomware can cause, revamping old systems to prevent these attacks needs to be considered sooner rather than later. In some cases, updates may not be enough, and new systems that still receive manufacturer support may need to be considered.
- Staff training. As important as continuous maintenance of machines is the basic cybersecurity education and training for every civil servant, employee, contractor, or elected official who has access to government networks. It only takes one click to compromise a network, and everyone who is part of the network should understand the basics of how to protect it. The most advanced cybersecurity tools in the world cannot make up for poorly trained workers.
- Patch management and air gaps. Adequate patch management practices should be enforced, and both data compartmentalization and air-gapped networks for backups (that is, computers or networks that have no network interfaces, either wired or wireless, connected to outside networks) should be considered.
- Cyber insurance. While cyber insurance can cover the cost of ransomware attacks, its use should be considered with care. These policies can have a knock-on effect of incentivizing threat actors to push for large payouts.
While the steps outlined above will help in preventing ransomware attacks, UCIP is always happy to offer additional training and information on this subject. For additional assistance, please contact Alex at firstname.lastname@example.org.
If you fall victim to a ransomware attack, please contact UCIP immediately. Additionally, the Salt Lake City field office of the FBI should be contacted as soon as possible at (801) 579-1400.