More than 70 US cities and towns have been hit with ransomware attacks so far this year, with all levels of state and local governments the intended victims of nearly two-thirds of all ransomware attacks, according to new analysis by the cybersecurity firm Barracuda Networks. These statistics include the recent sweep of attacks that struck 22 Texas towns and cities, which officials say was led by a single threat actor.
Barracuda’s researchers conducted a deeper dive on 55 ransomware attacks on state, county and local governments that have taken place this year and found that 38 were on local governments, 14 were on county governments, and three were on state governments. Nearly half of the government victims, around 45%, were small municipalities with populations of fewer than 50,000 residents, and 24% had fewer than 15,000 residents.
Two towns and one county government paid the ransoms. Lake City, Florida, paid around US$500,000 (42 bitcoin), and Riviera Beach paid about $600,000 (65 bitcoin). In La Porte County, Indiana, officials paid $130,000 in ransom.
Combined with the large cities, which accounted for 16% of the municipal ransomware attacks studied by Barracuda, it’s clear that state and local governments are in attackers' crosshairs. There is no end in sight to this growing crisis.
It’s no surprise, then, that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has elevated ransomware attacks to one of its top priorities. CISA Director Chris Krebs recently said he’s intent on developing a ransomware “doctrine” similar to how feds and states deal with hurricanes.
How local governments can protect themselves
Until then, all local governments can do to protect themselves is undertake the necessary cyber hygiene steps recommended by Barracuda and most cybersecurity experts. Chief among these hygiene tasks is investing in spam filters, phishing and malware protection, advanced firewalls, adequate and offsite backup, and awareness training to steer users away from clicking on phishing links, the dominant vector for delivering ransomware.
But where can those small municipalities, or even large ones for that matter, turn to when they find themselves in the grip of a ransomware attack? To answer that question, we spoke to Brian Calkin, CTO of the Center for Internet Security, an arm of the Multi-State Information Sharing and Analysis Center (MS-ISAC).
What is the MS-ISAC?
The MS-ISAC is a federally funded information sharing organization whose mission is to improve the overall cybersecurity posture of the nation's state, local, tribal and territorial governments through focused cyber threat prevention, protection, response, and recovery. The MS-ISAC’s principal members are generally state CSOs or their equivalents. The MS-ISAC also includes representatives from state DHS offices, as well as law enforcement and others in the physical security field.
The MS-ISAC has over 6,000 members across the country to help states, cities and towns deal with security threats such as ransomware. When attacks hit, “We then field the information and then we then very quickly turn it back around to the other folks that can benefit from it at a state, local, territorial and tribal government level,” Calkin says. “And we also have very tight relationships with our federal government partners. So, we work very closely with department, Homeland Security and other federal agencies, federal law enforcement to get the word out to them as well.”
Although the MS-ISAC doesn’t talk about its members or the work it does on behalf of its members, Calkin addressed how his organization might help in hypothetical situations such as the recent attacks in Texas. “When something like what happened in Texas happens, hopefully they're reaching out to us very early on, letting us know what's happened, what they're doing,” he says.
Why municipalities are under attack
In an interview earlier this year, Gary Hayslip, former CISO of San Diego and currently director of information security (CISO) at SoftBank Investment Advisers, foreshadowed the kind of interconnected attacks that happened in Texas. “Cybercriminals aren't stupid. …They will go ahead and seek the leverage [to] get the most bang for their buck. So, they'll attack a region [or] maybe the same thing with colleges. They don't attack one college. They'll attack a whole group of colleges.” The attacker hopes to be successful getting into one of them to use as a foothold to get into the others, Hayslip adds. "It's the same thing with municipalities. A lot of municipalities are connected together; they share information together.”
The same dynamic may have been at play in Texas, although Calkin doesn’t think the attackers are focused on regions as much as they are on the same kind of interconnected attacks Hayslip referenced. “They may have found a vulnerable system in Texas that they were able to get access to, able to get a foothold on,” Calkin says.
“But once they did, once they have done that, then they could potentially identify as the target the source organization…behind it. Then they will handle things a little bit differently,” says Calkin. “They will be much more methodical in their approach as far as what they're compromising specifically within the organization. If they have the ability to move laterally throughout the network to other agencies, for instance, and compromise additional systems or, in the case of Texas, a much broader set of agencies, then they can command a much higher ransom amount.”
Information sharing is key
Whether it’s one or multiple municipalities asking for help from MS-ISAC, “we have the ability to send a team of people on site to do incident response, to do malware analysis and forensics, all at no cost to them because we are federally funded, at least that part of CIS is federally funded,” Calkin says. “Once we have enough information gathered to share, that’s when we issue what we call a cybersecurity alert and that would go out to the membership at large and say, ‘Hey everybody.’ In some cases, we may identify a particular victim or entity if they're comfortable with us doing so.”
Almost every day CIS issues alerts about ransomware or other malware attacks so that governments can be aware of what their peers are experiencing and “then encourage everyone to report whatever they know and are seeing back to us. We can then continually get information reported and distributed back out as broadly as possible and just keeping that process going,” Calkin says.
State and local governments don’t have to start with the MS-ISAC when seeking help in the midst of a ransomware attack. They can start with the FBI or local law enforcement or cybersecurity experts. “I would encourage them to contact whomever they're most comfortable with, familiar with,” Calkin says.
“If it's us, that's great. If not, we will get looped in. I would just encourage them to contact someone for help first versus going about it on their own for fear that they don't want their, for lack of better term, ‘dirty laundry’ aired more and more broadly. I think that it's important that people reach out for help, because that's what we're here for in particular.”
Of course, the best solution for all state and local governments, as well as any organization in the public or private sectors, is to head off ransomware attacks before they occur. To that end, the CIS has published benchmarks offering best practices and community-built guides that any organization can use to make an individual computer system more secure.
These practices, “literally list out step by step where you ought to go to make your Windows computer more secure,” Calkin says. “When you are hit with ransomware, you have a plan in place so that you're not all scattered and running around without a real plan of action.”