In 2019, ransomware attacks hitting state and local municipalities, including school districts and local government agencies, have reached epidemic proportions. According to the latest Emsisoft report (“State of Ransomware in the U.S.”), there were 621 ransomware attacks that impacted government entities, healthcare service providers, school districts, and other educational institutions (such as colleges and universities) in just the first 9 months of 2019. These ransomware attacks are more than just crippling the ability of local government agencies to provide needed services – they are also having a direct financial impact on the ability of these municipalities to function. Things have become so bad, in fact, that legislators in Washington, D.C. finally had to get involved in order to draft new legislation designed to help these municipalities prevent, mitigate and respond to ransomware attacks.
The state of ransomware in the United States
High-profile ransomware attacks have started to attract greater and greater public attention, primarily because such attacks are so highly visible. A private corporation might be able to “hide” a ransomware attack from the public, and simply pay a ransom on the side in order to get out of a very sticky situation. However, that’s simply not possible with public sector agencies in the United States. When schools, hospitals, or municipalities are unable to function because their IT systems have been taken offline, the results are visible to everyone.
Across the United States, ransomware attacks have interrupted municipal emergency services, closed down hospital emergency rooms, delayed property and real estate transactions, closed down entire school districts for days at a time, and resulted in both lost data or personal information and millions of dollars in extra costs for hiring IT contractors and incident response teams to clean up the problem and get the municipality or local government agencies back up and running.
In its “State of Ransomware in the U.S.” report, Emsisoft detailed the incidents of ransomware attacks across every major sector of society. For example, in the first 9 months of 2019, there were 68 attacks on state, county and municipal entities; 62 attacks on school districts and educational institutions (impacting a total of 1,051 schools or colleges); and 491 attacks on healthcare service providers. All of these ransomware attacks have potentially profound implications for society. Just think of hospitals – any shutdown in services for more than a few hours might have life-or-death consequences for patients.
High-profile cases of ransomware hitting local government agencies
Over the past nine months, there have been a number of notable cases of ransomware attacks hitting municipalities and local government agencies. In Louisiana, for example, a series of ransomware attacks on school districts in the northern part of the state led to the state’s governor calling a “state of emergency” and requesting federal assistance to deal with the problem. In Texas, a coordinated series of hacker attacks hit 22 different municipalities, all within a few days of each other.
Other high-profile ransomware attacks include Lake City, Florida and New Bedford, Massachusetts. The New Bedford case is particularly noteworthy because it involved a ransom demand of $5.3 million – the largest ever recorded for municipalities or local government agencies. The New Bedford authorities countered with a ransom offer of $400,000. Hackers turned that offer down, and that led to a massive and expensive cleanup operation as the municipality raced to get back online with data backup systems.
High-profile ransomware attacks have also been carried out on major cities, including both Baltimore and Atlanta, which have struggled with outside attacks on various elements of their IT infrastructure. In Baltimore, for example, hackers shut down the system for paying parking ticket fines and water bills. As a result of being attacked by a ransomware strain known as RobbinHood, Baltimore was asked to pay a ransom of $76,000. When Baltimore refused, it led to total financial costs of more than $18 million to get the city back up and running. Atlanta’s city systems, too, have come under attack, resulting in disruptions, delays and interruptions in key city services.
New Senate bill to help combat ransomware attacks
As a result, both the House of Representatives and U.S. Senate have started to pass key legislation that might address some of the risks faced by municipalities and local government agencies across the nation. For example, the U.S. Senate passed a bill called the “DHS Cyber Hunt and Incident Response Teams Act.” This bill authorizes the Department of Homeland Security (DHS) to invest in and develop incident response teams that can be deployed by both public and private sector entities to help battle ransomware. The primary purpose, of course, is to protect state and local entities from cyber threats and make it easier for these entities to restore computer systems and IT infrastructure after they have been hit by a ransomware attack and regain access to critical data.
This Senate bill is bipartisan in nature and is quite similar to a bill already passed by the House. Thus, it should be fairly easy for the bill to pass through the congressional reconciliation process, after which it can be signed by U.S. President Donald Trump and put into effect. Stu Sjouwerman, Founder and CEO of KnowBe4, comments on the new Senate bill: “It’s a start. We’re still a long way from being sufficiently protected. The vast majority of ransomware attacks start with a phishing email. Bad guys are constantly coming out with new strains to evade detection. It’s important to know if your network is effective in blocking them when employees fall for social engineering attacks, and use tools that give you a look at the effectiveness of your existing network protection by simulating ransomware infection scenarios and cryptomining infection.”
In some ways, this new counter-ransomware legislation will make IT incident response teams the cyber world’s equivalent of disaster relief teams sent out by the federal government after a huge national disaster, such as a hurricane or tornado. These incident response teams would have the technical expertise to get IT systems back up and running, and would also have the deep pockets of the federal government supporting them. As currently envisioned, the Senate bill will enable a variety of entities – including hospitals, banks, schools and police departments – to request federal assistance.
There are several aspects to this “DHS Cyber Hunt and Incident Response Teams Act.” In addition to restoring IT infrastructure hit by a ransomware attack (or other cyber attack), it will enable proactive mitigation against cyber risks, making it much easier for municipalities to request IT support if they identify imminent cyber threats. Moreover, it will become much easier for state and local governments to partner with federal authorities and tap into the combined knowledge and expertise of national law enforcement authorities such as the FBI. In the past, the FBI has released data and information about ransomware attacks hitting the U.S., and is an important resource for state and local government authorities.
Dan Tuchler, CMO of SecurityFirst, highlights the importance of FBI involvement: “The FBI and IC3 are being proactive – warning targeted industry sectors, asking them to report attacks, and offering help in the proper course of action after the attacks. The FBI also advises US organizations to follow best practices, offering up a list of actions that should be taken in advance. It is amazing to see this list, which should be obvious and urgent for all IT departments, but we know they are stressed, constrained on budget and short on staff. So it’s valuable to get a best practices list from a trusted authority like the FBI.”
Moody’s report and cyber security recommendations to deal with ransomware
Given the dire context of ransomware attacks hitting municipalities and local government agencies, credit rating agencies have started to weigh in on the matter, warning that state and local governments could face ratings downgrades if they don’t get their cyber houses in order. For example, Moody’s Investors Service recently released a new report (“Ransomware Attacks Highlight Importance of IT Investment and Response Planning”) that details a few of the ways that municipalities can improve their overall cyber posture.
Acknowledging that ransomware attacks are growing in both frequency and intensity, Moody’s provides three key recommendations for how to deal with the problem. First and most importantly, municipalities need to be investing more in both IT infrastructure and personnel. Personnel can be either full-time staff or IT contractors, and they need to maintain oversight over the IT infrastructure of a municipality. Strong IT governance requires that these team members routinely test their IT systems for weaknesses.
Secondly, Moody’s recommends that local government agencies boost their overall financial flexibility and ability to respond to ransomware attacks. This is particularly important, given the escalating amounts of ransomware demands. If local government agencies lack the financial resources to cover such eventualities as restoring IT systems from data backups, then they need to build support links with larger state entities that do have these funds.
And, finally, Moody’s suggests much more caution and discretion when replying to ransom demands. As Moody’s points out, simply paying out a huge ransom does not guarantee that decryption keys will work as planned. Moreover, echoing ProPublica and its recent study of the negative implications of cyber insurers encouraging victims to pay out ransoms, Moody’s counsels that paying out a ransom demand is not always the best course of action. If a decryption key is publicly available, for example, then it might be better to avoid paying the ransom. And, given the fact that some ransom demands are coming from rogue state actors (e.g. Iranian nationals), municipalities need to be absolutely certain that they are not getting into an even deeper mess by negotiating with “sanctioned entities” (i.e. foreign entities that have been slapped with sanctions by the U.S. Treasury).
Final takeaway lessons
So will new legislation from Washington, D.C. and increased interest by third-party cyber security firms actually help to mitigate the ransomware crisis across America? In the short term, of course, legislation such as the new Senate bill (“DHS Cyber Hunt and Incident Response Teams Act”) will not stop the epidemic of ransomware. The practice is simply too profitable for hackers right now. As Emsisoft points out in its 2019 ransomware report, ransom demands are escalating in size, and can now amount to millions of dollars. As long as municipalities and local government agencies continue to pay out these ransom demands, there is simply no incentive for hackers to stop. They realize that schools, police departments and hospitals simply can’t afford to go offline for days at a time, and are very amenable to the idea of just paying the ransom, getting the decryption keys needed to unlock files, and getting on with business as usual.
Moreover, the entire practice of local government agencies taking out cyber insurance to cover the risks of ransomware attacks might actually be making things worse, not better. According to a recent ProPublica report, for example, there appears to be a direct correlation between municipalities paying out ransom demands and a massive wave of new ransomware attacks proliferating across the nation. Cyber insurers often recommend paying the ransom, simply so that they can eliminate a lot of the costs of getting a school, municipality or hospital back up and running.
In the long run, however, new legislation from Congressional leaders in Washington, D.C. could go a long way in helping to eliminate the ransomware epidemic. That’s because the legislation encourages much more public-private cooperation, including the sharing of know-how and expertise between law enforcement and private cyber security vendors. The legislation also encourages the creation and development of much more robust IT infrastructure in order to prevent problems before they ever arise. As the old saying goes, an ounce of prevention is worth a pound of cure. By the time a ransomware attack hits, it’s already too late. It’s far better, from both a practical and financial perspective, to prevent these attacks from ever occurring in the first place.
Adam Laub, Chief Marketing Officer for STEALTHbits Technologies, views the new legislation coming out of Washington as very important in the long run: “This legislation is not only warranted, but practically a requirement if our institutions are to have a fighting chance against these types of cyber attacks. Mega-corporations with significant cyber security budgets struggle to address these threats effectively. How could a school or local municipality even begin to do what’s needed without this kind of assistance and guidance? They simply don’t have the resources.”
At the end of the day, though, dealing with hackers and cyber thieves is a bit like playing a game of whack-a-mole. As soon as one attack vector is eliminated, another one will immediately pop up somewhere else. In 2018, for example, the buzz was around “cryptojacking.” That was replaced by “ransomware” in 2019. In 2020, most likely, we will be hearing about other attacks threatening both private and public sector IT infrastructure.