Threat Thursday: Ransomware in the Public Sector
Welcome to our new Threat Thursday blog series! Once a month, my colleague Chris Goettl, Director of Product Management, and I will share information about some of the largest security threats and recent attacks we are seeing worldwide. This month, ransomware in the public sector is stealing the stage.
As I look out my office window, I see a construction crew ripping up the blacktop parking lot. Apparently there are foundational issues that need to be addressed, and the only solution is to rip it all out and start over. That may be a very apt metaphor for what has been happening in cybersecurity over the past several weeks. Criminals seem to have identified a new set of targets, ones that represent some of society's core institutions. I'm referring specifically to the recent flurry of ransomware attacks on federal, state, local and education government entities.
School's out…forever? That's what it may have seemed like when outbound communications were cut off in four Louisiana school districts, prompting the governor to declare a state of emergency and call out the National Guard. This is the first time in Louisiana's history that a cyber-attack has been treated like a natural disaster. If you are interested in learning more about this attack, watch my webinar, available on demand here.
Somebody messed with Texas, and it may take a while to recover. Twenty-three local government agencies (early reports said 22) were hit in a coordinated ransomware attack, and all affected systems were taken offline. According to a source cited by ZDNet, the attack used the well-known Sodinokibi (REvil) ransomware strain. I'll discuss this attack in more detail in an upcoming webinar.
These two attacks are notable on their own, but the pattern is even more revealing when you look at a list of other attacks on state and local government over roughly the past eighteen months, curated mostly by MSSP Alert:
- August 19, 2019: 22 local Texas government agencies suffer ransomware attack.
- July 25, 2019: State of Louisiana declares State of Emergency
- July 25, 2019: City Power, the electric utility for Johannesburg, South Africa, discloses ransomware attack.
- June 26, 2019: Lake City, Florida agrees to pay ransom.
- June 20, 2019: Riviera Beach, Florida, discloses ransomware attack and payment.
- May 7, 2019: City of Baltimore hit with ransomware attack.
- April 2019: Cleveland Hopkins International Airport suffered a ransomware attack.
- April 2019: Augusta, Maine, suffered a highly targeted malware attack that froze the city’s entire network and forced the city center to close.
- April 2019: Hackers stole roughly $498,000 from the city of Tallahassee.
- March 2019: Albany, New York, suffered a ransomware attack.
- March 2019: Jackson County, Georgia officials paid cybercriminals $400,000 after a cyberattack shut down the county’s computer systems.
- March 2018: Atlanta, Georgia suffered a major ransomware attack.
- February 2018: Colorado Department of Transportation (CDOT) employee computers were temporarily shut down by a SamSam ransomware attack.
What's particularly interesting to me is what these new attacks have in common:
These aren't the opportunistic attacks of years gone by. Criminals are choosing their victims specifically, striking with greater precision and timing, and demanding much larger sums from these government entities. The Louisiana school district attack is a good example: its timing (late July, per the timeline above) seems designed to inflict the most panic, since it hit just weeks before schools opened for the fall.
Ransoms being paid
While Louisiana did not pay, a few government groups around the country have paid ransoms, some in excess of $500,000, to get their files back. Paying is no guarantee of recovery, either: the restoration rate among those who pay is only about 25%. Often, these ransoms are funded by cyber insurance.
What does this mean?
By paying ransoms, government entities are guaranteeing that more criminals will attack government groups. In July, the US Conference of Mayors unanimously adopted a resolution to not pay ransoms associated with cyber-attacks. The resolution reads, “Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”
As you can imagine, it's very tempting to "just pay the ransom": organizations hope to restore operations in a matter of hours rather than days or weeks. The challenge with ransomware is that even with good file backups, rebuilding every affected system and restoring its data still takes a very long time, and that only works if the backups were kept offline or otherwise out of the ransomware's reach, since current strains routinely seek out and encrypt or delete any backups they can touch. That massive restoration workload is also a reason government entities might call in the National Guard. Guard troops are usually part-time; on the cyber defense side, they are often security engineers or analysts in the private sector, with skills that are very useful for ransomware cleanup and file restoration.
What else is there?
Ransomware is highly customizable. Nation states can build purpose-specific ransomware as a way to infect and shut down adversaries; we saw this with the NotPetya attack against Ukraine in 2017. There is also discussion that ransomware could be used to disrupt free and fair elections by infecting voting systems. A nation's ability to withstand ransomware attacks must be treated as a matter of national defense. If state, local and education entities are this vulnerable to ransomware, those may be the metaphorical cracks in the blacktop that point to foundational issues deep below the surface.
Here are a few other major ransomware attacks we’ve seen this month:
- Ransomware attack demands $1M from Grays Harbor
- The attack infected the computer systems with ransomware nearly two months ago, when an employee clicked a malicious link in a phishing email. It also struck when Grays Harbor IT staff was limited, on a weekend. Grays Harbor does have cyber insurance with a $1 million cap, and officials have not determined whether the missing records are permanently gone.
- Fortnite Players Hit with Ransomware
- The ransomware threatens to delete Fortnite players' files unless they pay the attackers in cryptocurrency. The ransomware, Syrk, is disguised as software that helps players cheat at Fortnite.
But ransomware isn’t the only type of security threat in play this month. Here are a few other breaches and attacks you may also have seen in the news:
- Capital One Data Breach
- The personal information of more than 100 million individuals in the United States and approximately 6 million in Canada was compromised. Paige A. Thompson, 33, a former software engineer, is accused of stealing the data using scanning software that identified cloud-hosted customers whose firewalls were misconfigured. She also allegedly used the compromised computing power to mine cryptocurrency (cryptojacking). Capital One has confirmed that about 140,000 Social Security numbers and 80,000 linked bank account numbers were obtained in the breach.
- MoviePass exposed thousands of customer card numbers
- MoviePass exposed thousands of customer card numbers and personal credit card numbers because a critical server was left reachable from the internet without a password. The exposure was discovered by Mossab Hussein, a security researcher at SpiderSilk, a cybersecurity firm in Dubai.
- Major new security flaw in Bluetooth
- The vulnerability lets an attacker who is in radio range interfere while two devices negotiate an encrypted connection, forcing them to agree on an encryption key with as little as one byte of entropy, which can then be brute-forced almost instantly. The flaw has been named KNOB (Key Negotiation of Bluetooth) because it lives in that negotiation step, and it is a weakness in the Bluetooth BR/EDR specification itself rather than in one vendor's implementation. The best thing to do here is to patch: vendors are shipping firmware and OS updates that enforce a minimum key length, so make sure your software and firmware are up to date.
- Fortinet Zero Day
- Not surprising, but attackers are now exploiting vulnerabilities that were made public earlier this year. The attacks have targeted SSL VPN products such as Fortinet's FortiGate. Fortinet released a patch for this vulnerability back in May, but organizations that have not applied it remain at risk.
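Since the KNOB item above only gestures at the mechanism, here is a small Python model of the key-size negotiation and of why an enforced minimum is the fix. This is an added illustration written for this post, not code from the original article, from Ivanti, or from the KNOB researchers: the LMP negotiation, the key-shortening step and the E0 cipher are replaced with simple stand-ins (truncation and a SHA-256 counter-mode keystream), and the link key, plaintext and the "attacker knows the first five bytes" assumption are all constructed.

```python
"""Toy model of the KNOB weakness: encryption-key entropy negotiation without an
enforced minimum, and the brute force it enables. Constructed example; the
negotiation, key shortening and cipher are stand-ins, not real Bluetooth code."""
import hashlib
import itertools

SPEC_MIN_KEY_BYTES = 1     # floor the pre-fix Bluetooth BR/EDR spec allowed
PATCHED_MIN_KEY_BYTES = 7  # floor that patched firmware enforces
LINK_KEY = bytes.fromhex("a37f1c9e5d02b4668f13e7d9c0aa5b21")  # constructed 16-byte link key
MESSAGE = b"ATD5551234;"  # constructed plaintext with a guessable prefix
KNOWN_PREFIX = b"ATD55"   # assumption: attacker knows (or guesses) these bytes


def negotiate_key_size(central_max, peripheral_max, tamper=None,
                       enforced_min=SPEC_MIN_KEY_BYTES):
    """Model of the entropy negotiation: each side proposes a maximum key size
    and the smaller one wins. `tamper` models an in-range MITM rewriting the
    proposals in flight. Returns the agreed size in bytes, or None when a side
    refuses because the result is below the minimum it enforces."""
    if tamper is not None:
        central_max = tamper(central_max)
        peripheral_max = tamper(peripheral_max)
    agreed = min(central_max, peripheral_max)
    return agreed if agreed >= enforced_min else None


def derive_encryption_key(link_key, key_size):
    """Stand-in for key shortening: only `key_size` bytes of entropy survive."""
    return link_key[:key_size]


def keystream(enc_key, length):
    """Toy stream cipher (SHA-256 in counter mode) standing in for E0."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(enc_key, data):
    """Encrypt or decrypt; XOR with the keystream is symmetric."""
    return bytes(d ^ k for d, k in zip(data, keystream(enc_key, len(data))))


def brute_force(ciphertext, known_prefix, key_size, max_tries):
    """Try every key of `key_size` bytes until the known prefix decrypts.
    Returns (key, tries) on success or (None, tries) once `max_tries` is spent."""
    tries = 0
    for candidate in itertools.product(range(256), repeat=key_size):
        if tries >= max_tries:
            return None, tries
        tries += 1
        key = bytes(candidate)
        if xor_crypt(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return key, tries
    return None, tries


def run_scenario(enforced_min, tampered, max_tries=4096):
    """Negotiate, encrypt MESSAGE, then let the attacker brute-force the key."""
    tamper = (lambda proposal: 1) if tampered else None  # MITM pushes both sides to 1 byte
    size = negotiate_key_size(16, 16, tamper=tamper, enforced_min=enforced_min)
    if size is None:  # patched device aborts rather than accept a weak key
        return {"negotiated": None, "recovered": False, "tries": 0}
    enc_key = derive_encryption_key(LINK_KEY, size)
    ciphertext = xor_crypt(enc_key, MESSAGE)
    key, tries = brute_force(ciphertext, KNOWN_PREFIX, size, max_tries)
    return {"negotiated": size, "recovered": key == enc_key, "tries": tries}


if __name__ == "__main__":
    print("unpatched, tampered:", run_scenario(SPEC_MIN_KEY_BYTES, tampered=True))
    print("patched, tampered:  ", run_scenario(PATCHED_MIN_KEY_BYTES, tampered=True))
    print("patched, honest:    ", run_scenario(PATCHED_MIN_KEY_BYTES, tampered=False))
```

With the pre-fix minimum, the tampered negotiation settles on a one-byte key and the attacker recovers it in at most 256 attempts; with a seven-byte minimum enforced, the same tampering makes the connection fail instead, and an honest 16-byte negotiation leaves the attacker's budget exhausted with nothing recovered. The model deliberately omits the real LMP framing and the E0 cipher; the point it isolates is that the only thing standing between a downgraded key and a brute force is the minimum-length check, which is exactly what the patches add.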
Disclaimer: Due to the length of time breaches often go undiscovered (frequently months or years), even after forensic analysis, approximately 55% of organizations are never able to definitively uncover the cause of a breach. These assumptions are based in part on similar incidents in other organizations and industry best practices for preventing these types of attacks. Ivanti assumes no liability or responsibility for any errors or omissions in the content of this webinar [or blog posting]. The information contained herein is provided on an "as is" basis with no guarantees of accuracy, completeness, timeliness or usefulness and without any warranties or conditions of any kind, express or implied.