Pay us or else
Our cities are under attack, and most communities are unaware just how vulnerable they are. Ransomware is a nefarious tool bad actors are using to enrich themselves by holding data captive. Municipalities are particularly susceptible to these threats, and the hackers know this. Unless proactive steps are taken now, your municipality will be hit. It’s not a matter of if, but when.
The city of Atlanta knows this well. In March of last year, the southern transportation and economic hub was struck with an attack that affected numerous city services and programs including utilities, courts, and parking. Many city officials were forced to work with paper forms.
While much of the information about the attack remains privileged, at the time Reuters reported Atlanta devoted $2.7 million to recover from the attack, but later estimated it would need $9.5 million.
On November 26, 2018, the Department of Justice indicted two Iranian hackers, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for the attack. The New York Times reported the two individuals were responsible for the widespread SamSam ransomware.
While Atlanta’s attack was noted for its duration and the sheer number of services impacted – in June 2018 Reuters reported a third of the software programs used by the city remained offline or partially disabled – smaller ransomware attacks are shockingly frequent. While not every attack makes the news, the threats are pervasive.
Rita Reynolds, the Chief Technology Officer at the National Association of Counties says the threat ransomware poses is significant, and that many communities aren’t prepared to prevent an attack. “It is definitely a large threat,” she says. “It’s not a matter of if it’s going to happen, it’s when is it going to happen and how do we minimize the impact.”
And these attacks are becoming much more frequent. High-profile cases like the attacks that hit Baltimore and Atlanta make headlines, but Reynolds says the problem is much more pervasive than the general population understands. “Even in the past three months to five months, I’ve seen an increase in ransomware attacks on local government. Counties are contacting us quite a bit asking what they can do.”
But before you can protect yourself, you first need to understand the threat.
What is Ransomware?
Ransomware is malware that blocks access to a system, device, or file until a ransom is paid. Once it infects a computer, the ransomware encrypts files on the infected system, although some variants erase files or block access to the system using other methods, according to materials from the Center for Internet Security (CIS).
The Center’s Chief Technical Officer, Brian Calkin, says ransomware in layman’s terms is actually pretty simple to think about. “It’s a virus that’s on your computer and what it does is in the background, unbeknownst to the user, it encrypts all your files – typically things like your word documents and your photos and your music – all of those things that are not easily recoverable.” Most of the time you can still use your computer, he says, but certain files will be unavailable to you.
You’ll be presented with a screen that informs you you’ve been the victim of a particular attack, and instructions for how to pay the ransom. “Typically, this is anywhere between 500 and a couple thousand dollars,” Calkin says. The payment will be accepted in some form of cryptocurrency – more than likely bitcoin. Once the payment is received, the attacker will provide the victim with a so-called “key” that decrypts the data. In many cases there’s a timer running. If payment is not made in the allotted timeframe, the key will be destroyed and the data will be irrecoverable.
While this might be a nuisance on a personal computer, it becomes truly problematic when the machines being attacked are connected to a network. Then the malware can spread throughout the entire system, locking down critical components and grinding operations to a halt, Calkin says.
Most of the time these attacks are opportunistic, Calkin explains, meaning they are not targeted at a specific individual. Instead, bad actors behind these attacks are casting a wide net, hoping to ensnare as many individuals as possible and, by extension, infect as many machines as they can.
However, this isn’t always the case. “In some cases compromises are very targeted,” Calkin says. “If, for example, they find a particular vulnerability on a system they are able to determine belongs to a large city like Atlanta or Baltimore they realize they have something potentially more lucrative, so they’ll use their access to the vulnerable system to deploy their ransomware attack.”
The majority of the time, though, the main vector for these attacks is a social engineering process known as phishing. Phishing is usually performed via email where a bad actor will pose as a trusted source with the intention of obtaining sensitive information or getting someone to download a malicious payload, according to CIS. While many phishing attempts are obvious, the methods and strategies are becoming increasingly sophisticated.
Why are local governments a target?
Local governments are attractive targets for cyber criminals for a number of reasons. Reynolds explains one issue is that oftentimes the equipment being used is woefully outdated. “We have machines in use that really should have been retired years ago. I’d like to think no one is still using a Windows 95 machine; I know they’re still out there.”
This is a problem, Reynolds says, because the technology used in those operating systems doesn’t have the capacity to address today’s security needs.
Staffing is also a critical issue. Brian Vecci, a Field Chief Technology Officer at software company Varonis, says that many municipalities are understaffed, and their IT staffs in particular are overworked. Many cybersecurity professionals are offered larger salaries in the private sector, so it’s difficult for local governments to stay on the cutting edge.
Finally, local governments are also a favorite target because of the nature of what they do. Governments deal with a tremendous amount of data, and the services they provide are critical. Vecci says at the end of the day, ransomware attackers are looking to get paid. If they know they can cripple critical municipal services, they are far more likely to cash in.
The reason we’re seeing so many successful attacks these days is because they are becoming more sophisticated. Phishing attacks are becoming more clever, and the software itself is readily available for anyone to use. In the past, if you wanted to attack an individual or organization, you’d have to write the malicious code yourself. Now, ransomware has become a service, Vecci says. “It used to be relatively sophisticated individuals or groups of individuals [launching these attacks],” he says. “Now if you Google ‘ransomware as a service’ you can go to a website and give them some email addresses and a third party will launch the attack for you.”
What do I do If I’m attacked?
Unfortunately, if ransomware makes it into your network, it’s already too late. While there are resources available with known decryption keys like nomoreransom.org, it’s fairly rare that data can be decrypted without paying the ransom, Vecci says.
“Hopefully you’ve got good backups,” Vecci says. “If you don’t that’s a problem. Then it becomes you have to pay the ransom if you want the data back.” However, sometimes the attack is so widespread that you have no recourse. You either have to rebuild everything from scratch or pay up.
Understandably, this solution isn’t the most palatable one. Calkin says there are negative ramifications for giving in to the demands of bad actors, but unfortunately there’s little recourse. “There are all sorts of philosophical issues with this. If you pay the ransom, are you perpetuating the problem? But in some cases, when you don’t have a backup, the almost guaranteed way to get your files back is to pay the ransom.”
Obviously getting to the point of making that decision should be avoided. By its very nature, the only way ransomware can be dealt with is for it to be prevented from occurring in the first place.
How can I protect my community?
Reynolds says the response to cyber threats in local government used to be reactive, but to stay secure with today’s threats it’s important to be proactive. One of the best ways to do this, she says, is by rethinking the way file systems are set up, and who has access to what.
She likens it to a house. You have a fence around your property to keep people out, and cameras to monitor who comes to the door. The door is locked, and your valuables are locked in a safe. Not everyone who comes in the house can or should have access to what’s inside.
Traditional networks weren’t set up like this, but many IT professionals are coming to understand that just because you have access to the network doesn’t mean you should have local admin rights on that device. If everyone has access to everything, a ransomware attack can spread quickly and unchecked. Reynolds suggests reworking who has access to what on the network – not to be punitive, but to make the environment as secure as it can be.
Vecci agrees with this notion. “The root of the problem is that files have been open to way too many people. Making sure that the right people have the right access to the right file is a hard thing to do, and it’s often completely unmonitored. It’s hard to figure out when something like ransomware is happening.”
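The monitoring gap Vecci describes can be narrowed with a simple rule over file-server audit logs: one account rewriting and renaming many files to an unfamiliar extension within a short window is the signature of bulk encryption. The following is an added illustration, not code from the article or from Varonis or CIS; the log format, the user names and the "known extensions" list are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions this (hypothetical) organisation normally stores; anything else is unfamiliar.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}

# Constructed audit lines, "<ISO time> <user> <action> <path>": alice edits one
# spreadsheet; bob's account rewrites and renames many HR files within seconds.
SAMPLE_LOG = """\
2019-03-01T09:00:01 alice READ /shares/finance/budget.xlsx
2019-03-01T09:00:15 alice WRITE /shares/finance/budget.xlsx
2019-03-01T09:05:02 bob WRITE /shares/hr/roster.docx
2019-03-01T09:05:03 bob RENAME /shares/hr/roster.docx.locked
2019-03-01T09:05:05 bob WRITE /shares/hr/policy.pdf
2019-03-01T09:05:06 bob RENAME /shares/hr/policy.pdf.locked
2019-03-01T09:05:08 bob WRITE /shares/hr/handbook.docx
2019-03-01T09:05:09 bob RENAME /shares/hr/handbook.docx.locked
2019-03-01T09:05:10 bob WRITE /shares/hr/HOW_TO_DECRYPT.txt
"""

def parse_line(line):
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path

def suspicious_users(log_text, window=timedelta(seconds=60),
                     min_files=5, min_odd_ratio=0.5):
    """Return {user: (distinct files modified, files with unfamiliar extension)}
    for each account whose WRITE/RENAME burst inside one window reaches the
    thresholds. Only the first window that trips the rule is recorded."""
    per_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, action, path = parse_line(line)
        if action in ("WRITE", "RENAME"):        # reads alone are not encryption
            per_user[user].append((ts, path))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        recent = deque()                         # events inside the sliding window
        for ts, path in events:
            recent.append((ts, path))
            while ts - recent[0][0] > window:
                recent.popleft()
            files = {p for _, p in recent}
            odd = sum(PurePosixPath(p).suffix not in KNOWN_EXTENSIONS for p in files)
            if len(files) >= min_files and odd / len(files) >= min_odd_ratio:
                flagged[user] = (len(files), odd)
                break
    return flagged

if __name__ == "__main__":
    for user, (n, odd) in suspicious_users(SAMPLE_LOG).items():
        print(f"ALERT: {user} modified {n} files, {odd} with unfamiliar extensions")
```

The thresholds are deliberately conservative starting points; tune them against a baseline of normal activity so that a bulk document migration does not page the on-call staff.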
Another proactive way to protect networks from attack is to ensure that all software is up to date with the latest patches. “Everybody needs to make sure their servers and end-user workstations are up to date with security patches,” Reynolds says. While it might seem daunting, it’s a critical defense mechanism.
Training is also crucial. There are tools available to test end-users to see how likely they are to fall victim to a phishing email, Reynolds says. This should be done often to help the workforce remain vigilant and aware of the warning signs.
This isn’t to suggest that protecting an organization from ransomware is strictly the responsibility of the IT department, though. Elected officials play a major role as well, Reynolds says. Leaders must understand that their prioritization of this issue sets the tone for their organization. It’s the responsibility of leadership to do exactly that.
Part of this responsibility is to make use of available resources. “Every local government should be a member of MS-ISAC – the Multi-State Information Sharing and Analysis Center,” Reynolds says. Many of the center’s resources are free of cost, and it provides access to alert systems, awareness and education materials as well as cybersecurity table-top exercises to help local governments improve their security postures.
For more information on ransomware, visit the Center for Internet Security at www.cisecurity.org.