Local and state governments are increasingly becoming ransomware victims. Even worse, some of them are paying large ransoms to get their data back. Find out how one county government avoided giving in to the cyber extortionists’ demands.
An unprecedented number of government entities in the United States were besieged by ransomware in 2019. More than 110 local and state governments fell victim, some of which gave in to the cyber extortionists’ demands. For example, two cities in Florida — Riviera Beach and Lake City — paid ransoms of $600,000 and $490,000, respectively, to get their records and systems back. The price wasn’t as high for the city of New Bedford in Massachusetts. Although the cybercriminals demanded a whopping $5.3 million, the city offered to pay $400,000, which the hackers accepted. Similarly, La Porte County in Indiana paid a reduced ransom thanks to negotiators who bartered it down to $130,000.
Although giving in to cyber extortionists’ demands might be the quickest and easiest course of action for ransomware victims, it is contributing to the rise in ransomware attacks. The more local and state governments pay up, the more hackers will target them. Even worse, these government entities are often easy targets. They typically do not have the budget to properly protect their systems and data.
Because local and state governments are easy targets with a history of paying up, the onslaught of ransomware attacks is expected to continue. Many local governments have already become casualties in 2020. For instance, the cities of Ingleside (Texas), Oshkosh (Wisconsin), Racine (Wisconsin), and Wayne (Nebraska) fell victim, as did the counties of Grayson (Texas), La Salle (Texas), and Rockdale (Georgia).
One Victim’s Story
Like companies in the private sector, organizations in the public sector are usually reluctant to share detailed information about their ransomware attacks. The Rockdale County government, though, decided to go against this norm and share its story — an act to be commended, as organizations in all industries can learn from its experiences.
The first inkling that something was amiss occurred on February 6, 2020. Members of Rockdale County’s Technology Services department started receiving alerts that unusual activity was taking place on the county’s network. Upon investigation, they found that there was abnormally high CPU usage on several servers. At that point, the staff members suspected the network was under attack, so they followed the procedures recommended by the US Cybersecurity and Infrastructure Security Agency (CISA) for responding to a ransomware infection. The steps taken by the staff included:
- Immediately isolating the infected computers. The Technology Services staff either disconnected or powered down all the other machines in the network. This prevented the ransomware from spreading further, minimizing the attack’s impact.
- Immediately powering down the infected computers. This minimized the damage on those machines and gave the staff more time to recover the data on them.
- Immediately taking backup data and systems offline. This ensured that the county’s backup files were secure and not encrypted by the ransomware.
- Changing passwords. The Technology Services staff members changed all online account passwords and network passwords after removing the affected computers from the network. They also changed all system passwords after the ransomware was removed.
- Contacting law enforcement. Rockdale County officials reported the ransomware attack to both state and federal authorities. CISA strongly urges ransomware victims to report their attacks to the US Federal Bureau of Investigation (FBI) or US Secret Service. These federal authorities have resources and tools that are unavailable to most organizations (e.g., they can enlist the assistance of international law-enforcement partners), which can help identify the perpetrators.
- Securing portions of the encrypted data for forensics purposes. Both the state and federal authorities have gathered this data and are using it to help identify the perpetrators.
Although the investigation is ongoing, the Technology Services staff and law enforcement officials have already determined that the attack was initiated by a phishing email that had a malicious attachment. Opening the attachment unleashed the ransomware, which was designed to encrypt Microsoft Office files and redirect Microsoft Windows startup processes. The staff and officials also found three other phishing emails that contained malicious links. Clicking one of these links would have similarly led to a ransomware attack.
Rockdale County’s remediation efforts are well underway. As of this writing, the Technology Services staff members have physically removed the infected endpoints as well as restored or rebuilt the compromised servers. They also have installed additional software that detects and protects against malware attacks on every computer in the network. They customized the software’s rules and settings to optimize its effectiveness.
In the near future, the county will be implementing solutions designed to filter out phishing emails and block suspicious Internet addresses. Other cybersecurity tools that monitor and respond to questionable network activities are also being considered.
As Rockdale County’s experiences demonstrate, organizations do not have to give in to cyber extortionists’ demands if they become unwitting victims of a ransomware attack. Instead, they can follow the incident-response recommendations of security experts like CISA, which apply to organizations in both the public and private sectors.
Even better, organizations in any industry can take measures that will lessen their likelihood of becoming a ransomware victim. Besides investing in cybersecurity tools and solutions, organizations can educate employees about ransomware attacks and how to avoid them. We can help you develop an effective strategy that will help keep your organization safe.
Computer Security Symbol – Password (red with multi colour background) flickr photo by Christoph Scholz shared under a Creative Commons (BY-SA) license