lolloj - Fotolia

Ransomware attacks on local and state governments increasing

State and local governments are experiencing a rise in ransomware attacks. Experts sound off on what's triggering this trend and offer best practices for defense.

It's not just enterprises that fall victim to ransomware attacks. According to Recorded Future, such attacks against local and state governments are on the rise.

A report published earlier this month from the Boston-based threat intelligence firm catalogued 53 ransomware incidents involving local and state governments in 2018, compared to 38 the year before.

There were 21 reported ransomware attacks against state and local governments in the first four months of 2019 -- excluding the attacks on Lynn, Mass.; Cartersville, Ga.; and Baltimore -- said Allan Liska, senior security architect at Recorded Future and author of the report.

Liska listed a total of 169 ransomware incidents affecting state and local governments since 2013.

"There are vulnerable systems in state and local governments that happen to be the same kind of systems that the bad guys are looking to exploit," Liska said.

According to Recorded Future, attackers are often not specifically targeting local and state governments. They're targeting networks' communication protocols like Microsoft's remote desktop protocol, Liska said, because older versions of RDP have a ton of exploits and a lot of state and local governments happen to leave these systems open.

"Often you can brute force your way into one of these open RDP servers and that then gives you direct access into the network," he said.

Unfortunately, if you look at the landscape of state and local governments ... they tend to be under-resourced and therefore they tend to be high-value targets.
Marc French Senior vice president and chief trust officer, Mimecast

Criminals are opportunistic and go after easy targets, and those tend to be the organizations that have the least amount of investment and protective measures in place, said Marc French, senior vice president and chief trust officer at Mimecast.

"Unfortunately, if you look at the landscape of state and local governments ... they tend to be under-resourced and therefore they tend to be high-value targets; they also have interesting data like driver's license information, or healthcare data, or tax information," French said.

It creates a perfect storm for opportunistic criminals, he added.

Liska said cybercriminals think there's an opportunity because of the outsized media coverage such attacks get, which makes them think they are going to be paid. But state and local governments are less likely than other sectors to pay the ransom, the report found.

Big game hunting

Endpoint security vendor CrowdStrike has observed a significant occurrence of targeted ransomware attacks, dubbed "big game hunting," in the past 12 months. Many of these big game hunting attacks -- which causes widespread disruption and comes with a steep ransom demand -- are targeting state and local governments, said Adam Meyers, vice president of intelligence at CrowdStrike.

In the last few months there has been reported big game hunting attacks on Cartersville, Ga.; Potter County, Texas; Baltimore; Cleveland Hopkins Airport and Greenville, N.C., Meyers said.

"Big game hunting actors look for organizations that cannot have down time and are potentially unprepared for the complex recovery that would be required to get back online," Meyers said via email. "They also likely perceive these targets as capable of paying a steep ransom. Municipalities, utilities and operational environments are all ripe targets for these actors."

But these ransomware attacks are preventable, he added.

"Having visibility on the endpoint, an operations team which is abreast of current threats and a security-driven approach are all critical," he said. "In addition, a solid backup system and table-topping these types of incidents can ensure quick recovery without paying a ransom."

Defending against ransomware attacks

Experts expect ransomware attacks on state and local governments to rise in the next couple of years.

"I do think until it's less profitable, meaning people aren't paying the ransom because they figured out how to protect themselves, ransomware attacks will continue to rise," said David Dufour, vice president of engineering at Webroot. "Government entities do need to put the backups in place, and put a restore plan in place and then you'll see a decline."

Most enterprises have the finances to have a good security posture, Dufour said, but local and state governments lack such resources.

"I don't see a lot of government entities have done that mainly because they don't have the budget," he said. "Enterprises commit to that because most enterprises make a profit and they contribute some of that profit to the overhead expense of being able to recover. It's just part of their disaster recovery plan, where governments just don't have the funds to do that."

A lot of state and local governments are also spending their allocated resources to protect against phishing campaigns, but most cybercriminals aren't using phishing as the method of delivering ransomware anymore, Liska said.

"They are protecting against the wrong thing," Liska said. "A sort of centralized accounting of the type of ransomware attacks and how it works would allow local and state governments to better say, 'Oh, I should be putting my resources here to defend my network rather than where I'm putting them now.'"

Liska also advised state and local governments to get an external view of their networks.

"They need to have somebody come in to make sure that all of the systems are closed to ensure that what they think the security posture of the network is, is actually the reality of the security posture of their network," he said.

For those with multiple users on their networks, Liska said, they should make sure their backups aren't connected in a way that the ransomware can jump through it and encrypt their backups.

"A good backup is really one of the best defenses against ransomware because if you can restore and restore quickly you can get your operations back and running faster."

Mimecast's French urged local and state government IT professionals to not be afraid of reaching out for help.

"What I've seen to be successful in the past is there are organizations of municipal and county governments and also volunteers in the private sector that will help them defend those environments," he said. "Leverage the environment around you and don't think that you need to do it yourself."

Next Steps

Local government ransomware attacks and how MSPs can help

Dig Deeper on Threats and vulnerabilities