The Ransomware Scourge That Threatens Today's City Governments
After a ransomware attack, depending on the breadth of the incident, systems affected and security measures in place, recovery time can take months – or even years. Recently, malicious actors targeted two major cities – Atlanta and Baltimore – with ransomware attacks, causing officials to surrender control of their systems, halt critical services and endure extensive reputational and financial damage.
After the March 2018 attack in Atlanta, officials in departments such as utilities and court services were forced to fill out paperwork by hand to complete day-to-day tasks. The attackers also knocked out airport Wi-Fi, encrypted sensitive data, wiped out years of police dash-cam footage and disabled online bill-paying portals. When federal agencies had to step in and assist with the recovery, critics faulted the city's IT department for failing to implement the security procedures that could have limited the damage. Following the attack, Atlanta had to delay its financial planning for 2019 and redirect $2.6 million in government funds to cover the immediate cost of the incident. Even months later, after two Iranian nationals were indicted for deploying the SamSam ransomware used in the attack, Atlanta was still recovering, implementing new policies and upgrading its IT infrastructure in an effort to prevent a recurrence.
In May 2019, Baltimore City was hit by a ransomware attack that caused system-wide outages across several government agencies and continues to disrupt daily operations long after the incident was detected. Officials are still unable to process real estate transactions or even utility bills electronically. To make matters worse, the attack came on the heels of Mayor Catherine Pugh's resignation, leaving Mayor Bernard C. "Jack" Young with a long list of arduous tasks after a mere five days in office. As in Atlanta, the ransomware strain that infected Baltimore's systems, RobbinHood, caused city-wide outages and affected nearly every department within the government. Unlike in Atlanta, however, the threat actors behind the Baltimore attack reportedly leveraged EternalBlue, an exploit for a flaw in Microsoft's SMBv1 protocol (CVE-2017-0144) that was developed by the NSA and leaked by the Shadow Brokers in 2017. Subsequent analyses questioned whether EternalBlue was actually involved, but the practical lesson holds either way: Microsoft had fixed the flaw in March 2017 (MS17-010), more than two years before the attack, and SMBv1 can be disabled outright on systems that do not need it.
Whether Baltimore and Atlanta were specifically targeted, or the attackers simply found vulnerabilities in their infrastructure while scanning long lists of IP addresses, both cities were left to ask: how could we have prevented this?
Security Technology Executive (STE) editorial director Steve Lasky discussed the ransomware scourge that has created problems for government and other organizations in recent years, with Chris Duvall, senior director with the Chertoff Group.
STE: Discuss some of the trends in ransomware including ransomware as a distraction for a larger scale attack.
Chris Duvall: There are a number of alarming trends we have seen related to ransomware. For example:
- Mobile devices: More and more organizations are leveraging BYOD to reduce infrastructure costs and allow employees to work without geographic constraints. This could introduce new, unguarded vectors into the corporate network from employee devices, with the potential to lock users out of required, sensitive data housed on their own device. Combine this with the added incentive of extorting individual users for access to their personal data (passwords, videos/photos, messages), and threat actors can effectively extort two for the price of one.
- Internet of Things: In addition to the corporate environment (e.g., servers, endpoints, boundary devices) and user devices (e.g., smartphones, tablets, personal laptops), the breadth and depth of “things” connected to the Internet (e.g., appliances, cameras, thermostats) is staggering – and increasing. Anything with Wi-Fi is now a potential target for ransomware, and society’s reliance on connectivity means the attack landscape will only continue to grow. For example, recall the October 2016 Mirai botnet attack that took down multiple, large internet service providers in Europe and North America due to multiple denial of service attacks committed by thousands of compromised internet-enabled cameras and home routers. Perhaps scarier is that security researchers are increasingly concerned about the vulnerability of “smart cars” or self-driving vehicles. With vehicles having the ability to access the Internet, one must consider the safety and security implications of a loss of vehicle operations or control that has been subverted by ransomware.
- Pace of innovation: While many newer operating systems and applications are incorporating security considerations during design and development, significant vulnerabilities still abound in today’s technologies. Additionally, not all organizations are adopting these new technologies at the same speed with which they are being deployed. Therefore, IT and security professionals must contend with legacy systems and applications, while simultaneously learning about the new features, potential issues, and coverage challenges of new systems and applications. This provides threat actors with a target environment rich with potential vulnerabilities that a ransomware campaign can exploit.
- New forms of/improvements to ransomware: Ransomware itself is changing and those writing the malicious code are adapting and improving their craft. Security researchers are discovering that ransomware is being adjusted to fool or bypass identification algorithms. New tactics, techniques, and procedures (TTPs), such as slowing or randomizing the encryption process and/or infecting and then hibernating until a later date, are becoming increasingly common avoidance TTPs. Ransomware developers are tightening their coding and are becoming encryption key management experts, which is a dramatic shift from previous ransomware development.
STE: What are the average recovery times for ransomware victims and the extensive consequences of an attack?
Duvall: Recovery times can vary greatly depending on how far the ransomware is able to spread, the types of systems impacted, and the organization's preparation for a potential event. For example, if an organization has a particularly "flat network" – i.e., many machines are interconnected and have not been segmented into separate, secured domains – has extensive legacy equipment, and irregularly backs up its sensitive data, then a ransomware incident could be catastrophic. However, an organization that practices a "layered defense" strategy with extensive segmentation, configuration management and hardening, up-to-date patch management and rigorous data back-up and testing may experience little to no operational impact.
STE: What are some of the most common best practices for dealing with ransomware hackers and recovering from a breach?
Duvall: Start by considering the following fundamentals of an effective ransomware prevention plan.
- Understand Your Risk - Risk is comprised of threats to the firm, vulnerabilities an adversary could exploit and the potential impact of an attack. A lack of understanding of who is interested in your/your clients’ sensitive data, how the data could be accessed and what would be the consequence if the data were exposed can leave your organization woefully unprepared – an attractive lure for an attacker.
- Promote Security Awareness - Ransomware is often initiated by an employee opening an attachment, clicking a link or otherwise acting on a seemingly friendly/ordinary request (e.g., a “memo” emailed as an attachment from a co-worker’s email address). Train employees to spot potential ransomware attempts, and continuously promote a culture of security and vigilance in the office.
- Perfect the Basics - While trendy features like artificial intelligence and machine learning can be helpful in spotting threats and vulnerabilities, prioritizing the latest and greatest tricks over foundational security elements creates serious vulnerabilities that new gadgets may not solve. Don’t let fundamental security practices such as closing unnecessary ports, preventing unauthorized machine-to-machine communication and applying software patches in a timely manner fall to the wayside when onboarding new security personnel, implementing new policies and procedures and adopting new security tools.
- Back Everything Up - Ransomware’s point of leverage is withholding valuable data; ransom demands are much less enticing, therefore, when you retain all critical information through backups. Institute a comprehensive, rigorous and tested backup strategy to lessen a potential attack’s damage.
- Identity Authentication - Encourage security by requiring strong passwords that include 12 or more characters with upper- and lower-case letters, numbers and special characters, and mandate password changes periodically: every 30 to 60 days is recommended. Multi-factor authentication adds an additional layer of security, especially for employees logging in remotely or from unrecognized devices.
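To make the "flat network" contrast Duvall draws above concrete, and the machine-to-machine and backup points in his list of basics, here is an added Python example written for this page (it is not code from the article, the Chertoff Group or either city). It models a small constructed city network, a segment-to-segment allow-list, and computes how many hosts a ransomware infection can reach from a single foothold over the ports commonly used for lateral movement. Every host name, segment, port and policy rule is an assumption made for illustration; on a real network the policy table would be exported from firewall or ACL configuration.

```python
"""Ransomware blast-radius estimate on a flat vs. a segmented network.

Added example for this article (not code from the original page). Every
host name, segment and policy rule below is constructed for illustration.
"""
from collections import deque

# Ports that SMB/RDP-propagating ransomware uses for lateral movement.
# EternalBlue, for instance, targets SMBv1 on TCP 445.
LATERAL_PORTS = frozenset({445, 3389})

# Constructed inventory: host -> network segment.
HOSTS = {
    "ws-finance-01": "users",
    "ws-finance-02": "users",
    "ws-courts-07": "users",
    "file-srv-01": "servers",
    "billing-app-01": "servers",
    "gis-db-01": "servers",
    "backup-srv-01": "backup",
    "dashcam-nas-01": "ot",
}
SEGMENTS = sorted(set(HOSTS.values()))

# A policy maps (source segment, destination segment) to the TCP ports that
# may be initiated in that direction. A missing pair means "deny".

# Flat network: every segment may reach every other on every port.
FLAT_POLICY = {(s, d): frozenset({443, 445, 3389}) for s in SEGMENTS for d in SEGMENTS}

# Segmented network: workstations talk to applications over HTTPS only,
# servers may share files among themselves, the backup server *pulls* from
# the other segments, and nothing is allowed to initiate a connection to it.
SEGMENTED_POLICY = {
    ("users", "servers"): frozenset({443}),
    ("servers", "servers"): frozenset({445}),
    ("backup", "servers"): frozenset({445}),
    ("backup", "ot"): frozenset({445}),
}


def allowed(policy, src_seg, dst_seg, port):
    """True if the policy lets src_seg open `port` on dst_seg."""
    return port in policy.get((src_seg, dst_seg), frozenset())


def blast_radius(policy, hosts, patient_zero, ports=LATERAL_PORTS):
    """Hosts an attacker can reach from patient_zero by hopping over `ports`.

    Breadth-first search: each compromised host may attack any host whose
    segment it is allowed to reach on at least one lateral-movement port.
    """
    if patient_zero not in hosts:
        raise KeyError(f"unknown host {patient_zero!r}")
    seen = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        current = queue.popleft()
        for candidate, seg in hosts.items():
            if candidate in seen:
                continue
            if any(allowed(policy, hosts[current], seg, p) for p in ports):
                seen.add(candidate)
                queue.append(candidate)
    return seen - {patient_zero}


def backup_exposure(policy, hosts, backup_segment="backup"):
    """Hosts outside the backup segment from which a backup host is reachable.

    If this set is non-empty, an infection starting at any of those hosts can
    encrypt the backups too, the failure mode that turns a bad day into a
    months-long recovery.
    """
    backup_hosts = {h for h, s in hosts.items() if s == backup_segment}
    return {
        h for h, s in hosts.items()
        if s != backup_segment and blast_radius(policy, hosts, h) & backup_hosts
    }


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for start in ("ws-finance-01", "file-srv-01"):
            hit = blast_radius(policy, HOSTS, start)
            print(f"{name:9s} foothold={start:15s} reaches {len(hit)} hosts: {sorted(hit)}")
        print(f"{name:9s} backups exposed from: {sorted(backup_exposure(policy, HOSTS))}")
```

On the flat policy a single phished workstation reaches every other host, the backup server included. On the segmented policy the same workstation reaches nothing over SMB or RDP, and even a server compromised directly (say, through an unpatched SMB exposure) only reaches its peers in the server segment, never the backups, because the backup server initiates all connections and accepts none. That asymmetry, plus the workstation-to-workstation block, is the cheap part of "preventing unauthorized machine-to-machine communication"; patching closes the remaining server-to-server path.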
STE: One analysis from CyberEdge found that 45% of organizations hit with ransomware end up paying a ransom. Another, from Recorded Future, found that at least 17% of state and local government entities pay. So, do you pay or do you not?
Duvall: Law enforcement and security advisors generally discourage paying the ransom because it encourages future ransomware attacks and because paying the ransom does not guarantee that the data will be returned. There is also the chance that even if the decryption keys are provided, the data will be irretrievably corrupted during the process thereby making it useless even after release. Obviously, sometimes the risk of compromising critical, confidential client data outweighs the risk of ransom payment, and we tell clients to carefully consider the benefits and tradeoffs of the specific situation when deciding whether to pay up.
STE: What are some of the ways cities and enterprises can take action to prevent these attacks?
Duvall: Unfortunately, there is no easy fix. Cybersecurity is complex and has many aspects that need to be addressed to mitigate all manner of threats. At its most basic, we work with organizations to select, understand and use an established security risk management framework, such as the NIST Cybersecurity Framework or the Center for Internet Security’s Critical Security Controls, to guide the building of its security program.
Using the framework, we help the organization implement sound, foundational principles first, such as understanding what the "crown jewels" are, i.e., the most valuable and important data and information, and what types of threat actors would be interested in them. We help clients to understand what devices, systems and networks they have, what they are connected to and who is responsible for their upkeep. We determine if the organization effectively manages key security areas such as user and customer identities and access controls, endpoint and network configuration hardening, vulnerability scanning and patching, activity logging, analysis and alerting on anomalous events, etc. All of these activities need to take place to help prevent successful attacks.
STE: How does obsolete infrastructure potentially increase a network’s chance of becoming a ransomware target?
Duvall: All infrastructure has vulnerabilities and older or more obsolete infrastructure has previously identified well known vulnerabilities and associated ways to exploit those vulnerabilities. In layperson’s terms, it is easier to break into a house if you know where they hide the backdoor key versus testing each door and window to see if they are unlocked.
STE: Several years ago, hospitals seemed to be the favorite targets of ransomware attackers, but they responded quickly to the threat of malware by bolstering cybersecurity with new hardware and software. Why have cities been so slow to move on meeting the threat?
Duvall: We don't believe cities have been slow to meet the threat – we believe it is more that cities have extensive and far-reaching responsibilities that, unfortunately, provide an ample, target-rich environment for attackers. Cities must be open and available to their constituents – i.e., the broader public – and therefore have a multitude of services and information about those services accessible via the Internet.
Cities have vast, interconnected infrastructures in support of these services, which can allow for rapid and broad infection spread. Cities also have many competing needs for resourcing, with cybersecurity just one of many. It may not be uncommon for a city budgeting committee to have to weigh building a new water treatment facility, investing in fire trucks and/or law enforcement response equipment, or purchasing updated endpoint protection technology. Hard choices indeed.