An individual threat actor is believed to be behind a recent attack that has locked up the agencies of nearly two dozen small cities and towns in Texas. 22 Texas municipalities, in mostly rural areas, were hit with a ransomware attack that crippled key city services such as payment processing operations and the printing of identity documents.
The attacker, whose identity is still unknown at this point, appeared to specifically target municipalities that are too small to have their own IT departments. If it is indeed the same party behind all of the attacks, it would be the largest coordinated ransomware attack yet on a government.
Everything is bigger in Texas, including ransomware attacks
The Texas ransomware attack follows a spate of similar attacks on US cities and counties in 2019. There have been over 60 this year alone, which represents over 1/3 of all such recorded attacks on US municipalities and is more than double the amount ever seen in any other year.
The Texas Department of Information Resources is investigating the incident, and has issued a statement indicating that this is the work of one particular threat actor. They also indicated that no Texas state systems were compromised.
Two Texas towns have publicly commented on the attack, verifying that they were breached. The city of Borger issued a statement notifying citizens that their ability to process all payments is offline indefinitely, and that birth and death certificates cannot be issued at this time. The city of Keene also issued a statement indicating that they are not able to process payments or access the accounts of utility customers. The mayor of Keene said that the city made use of outsourced IT software for these functions, and the software was managed by a third-party company that contracted with at least some of the other compromised municipalities. Three police departments reported being hit in the cities of Bonham, Graham and Vernon.
All of this indicates that this is essentially a case of vendor compromise; instead of attacking 22 different localities, the hackers appear to have simply compromised one government IT contractor and gained access to all of their clients. Given the reports of similar impacted entities (payment processing and vital records) from multiple locations, it is safe to assume the contractor handled work for specific types of government agencies rather than the entire city or town.
The hacker has demanded a collective $2.5 million USD ransom. There are no reports yet of any towns paying the ransom, but some other US cities (such as Lake City and Riviera Beach) in Florida ultimately opted to pay off the attackers. Cities that opt not to pay sometimes spend months getting all of their systems back online after a ransomware attack; this happened to the Texas city of Laredo several months ago.
Why does this keep happening to American cities?
Malwarebytes recently reported on this particular surge of attacks on municipal government agencies, finding a 365% increase in the past 12 months.
Cybersecurity is a matter of funding, and smaller cities and towns often get left behind. Municipalities of the modest size of the ones in this recent Texas ransomware attack generally do not have their own IT departments, and sometimes do not even have an IT specialist on hand or a specific person appointed to oversee these matters. These small cities and towns generally get by with a combination of help from the county and state governments and outsourcing to managed service providers, a patchwork that often leaves gaps. Texas neighbor Louisiana declared a state of emergency in late July due to a ransomware outbreak that ravaged public school districts. Colorado also did this in 2018 after state systems were attacked, which gave their IT staff access to assistance from the National Guard.
Cyber criminals love easy targets, and underfunded municipalities such as these are poorly defended yet still have enough revenue to be worth targeting with a ransomware attack. Getting the necessary funding to improve cybersecurity means raising taxes, something that is a hard sell even in good times. It’s nearly impossible when the municipality is dealing with all sorts of other problems that the public has a much higher awareness of and interest in – crumbling infrastructure, affordable housing, opioid addiction and so on.
Government agencies and ransomware response
The cybersecurity budgeting problem in small towns falls more on the side of emergency response than it does on proactive defense measures. Every type of organization, even well-funded enterprise-scale private companies, is vulnerable to this sort of ransomware attack. All it can take is the successful phishing of one employee somewhere in the organization, so the response plan is more critical than active measures (which are largely handled through software updates).
Better-funded organizations have regular backups; ideally, snapshot backups that are stored both locally and in the cloud. That makes recovery from a ransomware incident much easier. They also have an emergency response plan and the IT staff on hand to begin containing a breach once it is detected, as well as insurance that can pay the ransom demand for them if all else fails. When small cities with virtually no IT staff, no cyber insurance and an inadequate backup system are attacked, they are caught with their pants down. The two Florida cities that were hit this year were in this position and opted to pay nearly half a million dollars each to their attackers, as they estimated it would cost much more to rebuild their systems from scratch.
Pierluigi Stella, chief technology officer of Houston-based cybersecurity solution provider Network Box USA, shares a personal story that illustrates the unique difficulties that government organizations face:
“There’s no hope that our government entities will truly ever be protected against cyberattacks. None whatsoever.
“In the private sector, we’re used to doing things as and when needed. If we urgently need something new, we beg, we plead, we do whatever it takes, but we find the money and we acquire it. When it comes to the public sector, however, things aren’t quite the same.
“Recently, I had a meeting with the CIO of a city near Houston. We were talking about ransomware and tools to stem off the issue; and at one point, he told me, ‘Send me the numbers so I can put this in the budget for 2021.’ Wait, what? At first, I thought he was either joking, or confused. It’s August 2019, why are you mentioning 2021?
“Seeing my perplexity, he proceeded to explain that his budget cycle spanned October to September, and that the budget for 2020 was already full. There was no leeway for him to squeeze anything else in and therefore, he’d only be able to consider security measures to combat ransomware in the next financial year, i.e., October 2020 for the calendar year 2021.
“So, in a world wherein hackers come up with something new every single day, and we deploy new protections literally every minute, this city has to wait two years to get something they truly need today now. Which means that by the time they do get it, it’ll be useless because, you know, hackers would’ve moved onto something new, and the vicious cycle starts all over again …
“Government entities must find a way to properly empower someone to make decisions quickly, use the budget as necessary, when it’s necessary, and stay on top of issues as they arise, and certainly not two years later. Unless that happens, this will never be anything but a lost cause.”
The problem is exacerbated by city government officials who won’t share details that could help other small municipalities to avoid being hit by ransomware, out of everything from personal political fears to the notion that they will invite more attacks.
At the moment, these cities are in the crosshairs of cyber criminals. In the future, their computer systems might be a target for attacks by nation-state actors. Possibilities include hacks of traffic systems to cause accidents and snarl traffic, posting misinformation on electronic messaging signs, utility shutoffs and compromise of any smart devices in use.