Across the United States, local governments and public sector entities have endured a growing number of ransomware attacks throughout the year, and perhaps no region has been harder hit than the state of Louisiana. In July, four school districts in the state were hit with Ryuk ransomware, prompting Governor John Bel Edwards to declare a state of emergency. Then, on November 18, the state experienced an even more extensive Ryuk ransomware attack, this one impacting Louisiana’s Office of Technology Services (OTS), which runs the systems of some of the biggest state agencies, including the Office of Motor Vehicles (OMV) and the Department of Health.
Ryuk ransomware attack, Part 2
As in the case of the first Ryuk ransomware attack, which targeted Louisiana school districts, Gov. John Bel Edwards once again declared a state of emergency, which helped to free up more resources to deal with the cyber attack. In addition, Gov. Edwards called into action the state’s cybersecurity response team, which includes the Office of Technology Services, the Governor’s Office of Homeland Security, the Louisiana State Police and the National Guard.
As a containment step, OTS immediately took all of its servers offline to stop the Ryuk ransomware from spreading further. This inevitably left a number of state services unavailable online for an extended period. In some cases, websites were back up within a span of several hours. In others, most visibly the Office of Motor Vehicles, digital services remained unavailable for several days while the state restored its systems from backups.
James McQuiggan, Security Awareness Advocate at KnowBe4, notes the importance of being able to act quickly and effectively in the aftermath of an attack: “This is an excellent example of having a robust and dedicated team of security experts to deal with incidents when they hit your organization. Being able to recover quickly and return to normal operations is important for the employees and the customers, as it provides them with a strong sense of confidence that the organization takes security seriously. Ransomware is going to be a strong and profitable attack vector for criminals until organizations can repeatedly reduce the impact of an attack with strong business continuity and incident response programs that include less downtime and no payout.”
Overall, this second Ryuk ransomware attack was far more damaging and extensive than the first. In this round, approximately 10% of the state’s 5,000 servers were affected, and approximately 1,500 of 30,000 computer systems statewide were damaged. What made the attack particularly difficult for the state was that it hit the Department of Health (which administers Medicaid) and the Office of Motor Vehicles, both highly visible and important state agencies where downtime of even a few hours causes a long string of knock-on problems.
The good news is that the state did not pay a ransom. That is consistent with FBI guidance, which advises against paying in any ransomware attack: paying only encourages criminals to seek out new victims to shake down for money. In addition, Louisiana officials said they anticipated no data loss as a result of the attack. The attack also did not affect the tallying of votes in the gubernatorial election, in which Gov. John Bel Edwards narrowly won re-election.
Other incidents of Ryuk ransomware
The state of Louisiana is not the only public sector entity that has been hit with an attempted Ryuk ransomware attack. For example, there have been Ryuk ransomware attacks on Georgia’s court system and on two Florida cities. In addition, cybercriminals have carried out similar types of ransomware attacks against large commercial entities as well, with the most prominent of these being Mexico’s PEMEX oil company. All told, according to the FBI, there have been over 100 documented attacks involving ransomware against state and local governments in the United States in 2019.
Remedies and mitigation
In October 2019, the FBI warned that cybercriminals would be stepping up their attacks on public sector entities and local governments. According to the FBI, attackers view these entities as “soft targets” that can be easily exploited. The services provided by government agencies are so mission-critical that governments cannot afford to be offline for days at a time, so some have simply paid the ransom in order to get back up and running as quickly as possible. In a Ryuk ransomware attack, the criminals typically demand a ransom of at least $300,000, with some demands escalating to $1 million.
So what can be done to prevent another Ryuk ransomware attack? As the FBI notes, the only real defense is “good cyber hygiene.” That means backup systems in place and tested, all critical data backed up (and kept where the ransomware cannot reach it), and incident response teams ready to act at a moment’s notice. In addition, state and local governments should have policies and procedures in place and give employees adequate training on how to spot a potential ransomware attack. Ryuk intrusions, for example, generally begin with a phishing email.
Seth Blank, Director of Industry Initiatives at Valimail and co-chairman of the Election Security Special Interest Group (ES-SIG) of the email industry group M3AAWG, comments on lessons learned from this ransomware attack: “One of the key ways governments can close the door against such attacks is to adopt industry best practices, and in particular the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, a vendor-neutral authentication technology that allows organizations to protect their emailing domains from spoofing. This is the most effective way to prevent the most damaging types of phishing, and the U.S. federal government has already made huge strides in this direction, thanks to a forward-thinking directive from the Department of Homeland Security in 2017. But state and local governments, including Louisiana and its largest parishes, remain unprotected. To stop these crippling cyberattacks, state and local governments need to implement proper best practices, starting by locking down the primary vector for such attacks by preventing the phish from getting to inboxes in the first place — which can be done by validating sender identity. Implementing DMARC is the critical first step.”
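The two passages above make a concrete technical claim: Ryuk starts with phishing, and DMARC stops spoofed phish from reaching inboxes. A DMARC record only does that if its policy is actually enforced, which is why the 2017 DHS directive Blank refers to (BOD 18-01) required federal domains to reach p=reject rather than merely publish a record. The following is an added example, not code from the article or from Valimail: it parses DMARC TXT records (RFC 7489 tag=value syntax), grades how much protection each one gives, and shows the disposition a DMARC-aware receiver would apply to a message whose SPF and DKIM checks fail alignment. All domain names and records are constructed for illustration; nothing is fetched from DNS, and the receiver model ignores pct sampling and the separate subdomain policy (sp) for brevity.

```python
"""DMARC record parser and policy grader (added example, not from the article).

Sample records below are constructed; they are not the real records of any
Louisiana or other domain. Tag semantics follow RFC 7489.
"""

# Constructed sample _dmarc TXT records keyed by (hypothetical) domain.
SAMPLE_RECORDS = {
    "unprotected.example": None,  # no _dmarc record published at all
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@partial.example",
    "enforced.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                         "rua=mailto:dmarc@enforced.example; ruf=mailto:forensics@enforced.example"),
    "malformed.example": "v=DMARC1 p=reject",  # missing ';' separator
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag->value dict.

    Returns None when the record is absent, is not a DMARC1 record, or a
    tag is not of the form tag=value. Receivers treat such records as if
    no policy were published, so the caller must not assume protection.
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def evaluate_dmarc(record):
    """Grade a record as 'none', 'monitoring', 'partial' or 'enforced'.

    Also returns a list of human-readable findings explaining the grade.
    Only 'enforced' (p=quarantine or p=reject at pct=100) actually keeps
    spoofed mail out of inboxes; p=none merely generates reports.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["no valid DMARC record published; spoofed mail is not policed"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports, so no visibility into spoofing")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment (default): any organizational subdomain can align")
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid; receivers treat the record as unusable")
        return "none", findings
    if policy == "none":
        findings.append("p=none: monitoring only, failing messages are still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        return "partial", findings
    return "enforced", findings


def receiver_disposition(record, spf_aligned, dkim_aligned):
    """Disposition a DMARC-aware receiver applies to one message.

    spf_aligned / dkim_aligned are the results of the aligned SPF and DKIM
    checks for the From: domain. DMARC passes if either one passes; only
    then is the message delivered regardless of policy. Simplification:
    pct sampling and the sp (subdomain) policy are ignored here.
    """
    tags = parse_dmarc(record)
    if tags is None or spf_aligned or dkim_aligned:
        return "deliver"
    policy = tags.get("p", "none").lower()
    if policy in ("quarantine", "reject"):
        return policy
    return "deliver"  # p=none or invalid policy: nothing is enforced


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        level, findings = evaluate_dmarc(record)
        spoof = receiver_disposition(record, spf_aligned=False, dkim_aligned=False)
        print(f"{domain:22} grade={level:10} spoofed-mail={spoof}")
        for f in findings:
            print(f"    - {f}")
```

Run against the constructed records, the monitor-only domain grades as "monitoring" and a spoofed message claiming it is still delivered; only the enforced domain rejects it. That gap, a record that exists but does not enforce, is the usual state of government domains that report having "done DMARC".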
Cyber attacks and natural catastrophes
One reason the Ryuk ransomware attacks in Louisiana have garnered so many headlines is that Louisiana has been unusually aggressive in responding to them. In both attacks, Louisiana declared a state of emergency, a step normally reserved for major natural disasters such as a hurricane or tornado. Louisiana is thus leading the charge for cyber attacks to be treated in the same way as natural disasters.
Clearly, states need to do more to prevent future ransomware attacks. As of July 2019, just 15 of the 50 U.S. states had a cyber disruption response plan in place. Given the growing scope of ransomware attacks across the U.S., that number is simply too low. It is time for all state and local governments to come to grips with the threat posed by ransomware.