22 Texas towns infected in latest wave of Government ransomware attacks
The infection was widespread, well-coordinated and appeared to originate from a single source. And while details are still emerging, it’s a troubling sign that government ransomware attacks could continue to disrupt U.S. cities in the months ahead.
Let’s look at how the attack compares to similar ones over the past few years and what government agencies can do to protect themselves.
Who messed with Texas?
Officials have been tight-lipped about the attack on Texas municipalities, concealing even the names of the affected towns.
However, some of the local governments have since confirmed they were among the victims, including the towns of Keene, Borger, and Wilmer, Texas.
It’s also unclear who the attackers were. The state has confirmed that “one single threat actor” is responsible, but we don’t yet know who or whether that means an individual, a cybercrime group or a nation state.
In Wilmer, Texas, some governmental services were restored within a few days, but had to be performed manually. With computer systems offline, police had to write tickets by hand. At the local library, books were checked out with pen and paper, rather than barcode readers.
Did they pay the ransom?
Ransomware operates like a form of extortion. Hackers break into computer systems, often via phishing emails that appear harmless but contain malware.
The malware locks access to important data until a ransom is paid to the hackers. However, paying the ransom only perpetuates the crime, and it also doesn’t guarantee that hackers will unlock the data.
In an interview with NPR, the mayor of Keene, Texas, confirmed that the hackers had demanded $2.5 million collectively, though it was unclear if any of the towns were considering paying up.
Typically, in government ransomware attacks, about 17% of state and local agencies pay the ransom to get their data back, according to figures reported by the New York Times.
This isn’t a first for Texas – and won’t be the last
Texas municipalities are no stranger to ransomware.
In May, the city of Laredo took weeks to fully restore email and other online services after a ransomware attack. The city managed to avoid paying the ransom, though it meant a painfully slow recovery.
In April, the city of Amarillo had it even worse. The infection all but destroyed the records-management software used by the Potter County Sheriff’s Office, including warrants, inmate records and police reports. 18 months’ worth of files were completely lost and had to be recreated with paper and pencil – a painstaking process that the city completed only a few weeks ago.
A bad sign of things to come
What makes the latest attack unique is how coordinated it was.
While ransomware attacks have become commonplace, few are targeted. Hackers typically blast out their malicious code by email en masse, knowing that only a fraction of messages will result in successful infections.
For an attack to occur simultaneously at multiple organizations, it requires a more sophisticated level of coordination. Either the organizations need to be connected by a shared electronic system, or the malware takes advantage of a system vulnerability at each location (and hackers time the infection to drop at all sites simultaneously).
The infamous WannaCry and NotPetya attacks of 2017 exploited Windows vulnerabilities to infect hundreds of thousands of computers worldwide – but the victims didn’t appear to be targeted for specific reasons.
The Texas ransomware attack appeared to be a coordinated hit against small governments in Texas. And the latest reports indeed suggest that the malware compromised a single communications system shared by multiple Texas localities. This means the hackers only needed to target one system to cause widespread damage.
One cybersecurity expert said it was “absolutely the largest coordinated attack [on cities]” in history, and that “it may be the first time that we’ve seen a coordinated attack.”
365% increase in attacks this year
It’s getting worse.
In early 2018, many experts believed attackers were moving away from ransomware to pursue other lucrative cybercrime, like cryptojacking. But since then, infections have exploded.
Cybersecurity firm Malwarebytes says ransomware attacks on governments and businesses have increased a whopping 365% from Q2 2018 to Q2 2019, and that these numbers have been on “an almost constant increase.”
What is going on here?
No municipality is immune from a ransomware attack, but some are more vulnerable than others.
More than 40 government organizations have been attacked in 2019 alone, according to the New York Times. High-profile attacks have hit major cities like Albany and Baltimore, which faced nearly $18 million in recovery costs.
Smaller towns have been just as vulnerable. Lake City, Florida, paid a $460,000 ransom to restore its data. Officials in Jackson County, Georgia, shelled out $400,000 to its attackers. In March, attackers struck Orange County, North Carolina, for the third time in six years!
In 2018, the city of Atlanta was hobbled by ransomware for months. The city declined paying the $52,000 ransom, but the recovery would cost far more: a staggering $17 million, according to city estimates.
Small towns, big vulnerabilities
Experts say it was only a matter of time before attackers started targeting small government.
Small-town governments often aren’t aware of the risks of ransomware, and some lack the budget and knowledge to deploy stronger forms of cyber-defense. Employees may not know how to recognize a ransomware-laced email in disguise. Worse yet, many towns are relying on outdated software and unpatched operating systems for their daily operations, making them especially vulnerable.
Why aren’t hackers caught?
Just days after the Texas ransomware attack, the U.S. Department of Homeland Security issued a warning about a “ransomware outbreak,” saying that the threat “has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike.”
As for catching the culprits behind these attacks, that’s a lot trickier.
In some cases, authorities have been successful in identifying the hackers. Last fall, U.S. prosecutors indicted two Iranian men alleged to have been behind the Atlanta ransomware attack and numerous others.
More often, however, culprits go uncaught because their actions are heavily concealed. The malware itself is usually delivered via email through a labyrinthine route of networks, often from thousands of miles away. Even the ransom payments are designed to be untraceable as hackers use anonymous cryptocurrency accounts to collect their money.
How to prevent a ransomware attack
There are numerous ways that governments and businesses can prevent a ransomware attack, and some of them are actually pretty simple.
- Keep software and operating systems updated: Unpatched software could leave your systems vulnerable to a wide range of cybersecurity risks. When feasible, set systems to update automatically.
- Implement cybersecurity training: Educate personnel on how to safely use email and the Internet, such as how to spot suspicious emails. It’s also important that personnel understand how much is at stake: illustrate how cyberattacks can hurt the organization and what role employees play in preventing such breaches.
- Limit user access to file directories and systems: Follow the principle of “least privilege.” Users’ access privileges should be limited to only the files, folders and systems they need to perform their core job duties. This will help to limit the spread of ransomware across a network.
- Use application whitelisting: Whitelisting means that only approved software can run on your network, thus preventing executable ransomware programs from loading.
- Filter email: Use stronger email scanning to weed out threats (such as messages with executable files) before they ever reach inboxes.
- Block malicious IPs: Configure firewalls to restrict access to known malicious IP addresses.
- Use anti-malware/virus software: Not all such software will detect the latest ransomware strains, but it can help block access to known malicious sites and also stop suspicious executables from loading.
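To make the “filter email” item above concrete, here is an added example (not code from the original article, and not any vendor’s product) of the kind of attachment-policy rule a mail gateway applies before a message reaches an inbox. The extension lists, the mailbox addresses and the sample messages are constructed for illustration; a production gateway would also open archives and inspect file contents rather than trusting names alone.

```python
"""Inbound mail attachment policy check (added illustration, constructed data)."""
import email
from email import policy
from email.message import EmailMessage

# Extensions that carry directly executable code (constructed, non-exhaustive list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1", ".vbs",
    ".js", ".jse", ".wsf", ".hta", ".msi", ".jar", ".lnk",
}
# Office formats that may contain macros: held for review rather than delivered.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Archives and disk images: a real gateway would open and inspect them;
# this example simply holds them for review.
CONTAINER_EXTENSIONS = {".zip", ".7z", ".rar", ".iso", ".img"}


def classify_filename(name: str) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment file name."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "allow"                      # no extension at all
    final_ext = "." + parts[-1]
    if final_ext in EXECUTABLE_EXTENSIONS:
        return "block"                      # also covers "invoice.pdf.exe"
    # An executable extension hidden before a benign-looking final one,
    # e.g. "report.exe.pdf", is unusual enough to hold for review.
    inner_exts = {"." + p for p in parts[1:-1]}
    if inner_exts & EXECUTABLE_EXTENSIONS:
        return "quarantine"
    if final_ext in MACRO_EXTENSIONS or final_ext in CONTAINER_EXTENSIONS:
        return "quarantine"
    return "allow"


def evaluate_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide what to do with it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.append((name, classify_filename(name)))
    verdicts = {v for _, v in findings}
    if "block" in verdicts:
        verdict = "block"
    elif "quarantine" in verdicts:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"attachments": findings, "verdict": verdict}


def build_sample(filename: str, content_type: str) -> bytes:
    """Construct a test message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"          # constructed address
    msg["To"] = "clerk@city.example"            # constructed address
    msg["Subject"] = f"Constructed test: {filename}"
    msg.set_content("Please see the attached file.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("minutes.pdf", "application/pdf"),
        ("budget.xlsm", "application/vnd.ms-excel.sheet.macroEnabled.12"),
        ("invoice.pdf.exe", "application/octet-stream"),
    ]
    for fname, ctype in samples:
        print(fname, "->", evaluate_message(build_sample(fname, ctype))["verdict"])
```

The three-way outcome matters in practice: outright blocking is reserved for names that can only be executables, while macro-enabled documents and archives go to a quarantine queue where an administrator (or a deeper content scanner) decides, so that legitimate spreadsheets are delayed rather than silently lost.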
What to do after an attack
When a ransomware attack happens, government organizations have limited options: 1) pay the ransom, 2) restore a backup, or 3) recreate everything from scratch, if no backup exists.
Paying the ransom is generally inadvisable, and manually recreating data is often impossible. That leaves only one viable option: restoring a backup. This is why it’s critical to have a dependable data-backup system in place.
The foundation of business continuity in government is an advanced BC/DR solution, ideally one that keeps copies of your backups off-site for added protection. Look for systems that enable multiple recovery options, as well as virtualization, so that you can spin up your backup as a virtual machine on devices within seconds (and thus maintain access to your business-critical applications).
Some BC/DR systems also come with built-in ransomware detection. The Datto SIRIS, for example, automatically scans backups for signs of infection, so that administrators can take swift action before the infection spreads.
Finally, make sure your system can take frequent backups, so that data loss is minimal if you need to roll back to an earlier recovery point.
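As an added illustration of how a backup system can scan recovery points for signs of infection, the following example (not the article’s code and not a description of how Datto SIRIS or any other product actually works) compares two consecutive backup snapshots. It flags a snapshot when most files changed at once and the changed files look like random data, which is what mass encryption produces; a routine day of edits does not trigger it. The snapshots, thresholds and file names are constructed for the example.

```python
"""Heuristic scan of a backup snapshot for signs of mass encryption (added example)."""
import math
import random
from collections import Counter
from typing import Dict

# Thresholds are constructed for illustration and would be tuned per environment.
HIGH_ENTROPY_BITS = 7.5      # near 8 bits/byte: content indistinguishable from random
CHANGED_RATIO_LIMIT = 0.5    # more than half the files changed since the last snapshot
HIGH_ENTROPY_SHARE = 0.8     # and most of those changed files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; office documents and text sit well below 7.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(previous: Dict[str, bytes], current: Dict[str, bytes]) -> dict:
    """Compare two snapshots (path -> content) and report whether the newer one is suspect."""
    # A renamed file shows up as a new path here and as a missing path below,
    # so renaming plus encrypting is counted, not hidden.
    changed = [p for p in current if previous.get(p) != current[p]]
    missing = [p for p in previous if p not in current]
    changed_ratio = len(changed) / len(current) if current else 0.0
    high_entropy = [p for p in changed if shannon_entropy(current[p]) >= HIGH_ENTROPY_BITS]
    high_share = len(high_entropy) / len(changed) if changed else 0.0
    return {
        "changed_ratio": changed_ratio,
        "high_entropy_share": high_share,
        "missing_files": len(missing),
        "suspicious": changed_ratio >= CHANGED_RATIO_LIMIT and high_share >= HIGH_ENTROPY_SHARE,
    }


def build_samples():
    """Construct three snapshots: a baseline, a routine day, and an encrypted day."""
    rng = random.Random(2019)  # seeded so the constructed data is reproducible
    text = ("Council minutes: motion to approve the budget carried. " * 60).encode()
    baseline = {f"records/minutes_{i:02d}.docx": text for i in range(20)}

    routine = dict(baseline)                       # two documents edited, nothing else
    routine["records/minutes_03.docx"] = text + b" Amended."
    routine["records/minutes_17.docx"] = text + b" Corrected date."

    encrypted = {}                                 # nearly every file replaced and renamed
    for path in baseline:
        if path.endswith("_00.docx"):
            encrypted[path] = text                 # one file left untouched
        else:
            encrypted[path + ".locked"] = bytes(rng.getrandbits(8) for _ in range(len(text)))
    return baseline, routine, encrypted


if __name__ == "__main__":
    base, routine_day, encrypted_day = build_samples()
    print("routine day  :", scan_snapshot(base, routine_day))
    print("encrypted day:", scan_snapshot(base, encrypted_day))
```

The point of scanning at the backup layer is timing: a snapshot that trips this check is the earliest recovery point that should not be restored, and the one just before it is the candidate to roll back to, which is why frequent snapshots keep the data loss window small.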
A wake-up call
There has been no shortage of ransomware attacks on government organizations and businesses over the past two years. But unfortunately, many organizations are still unprepared for an attack.
City and state governments need to take this threat seriously. The Texas ransomware attack should serve as a wake-up call that attacks are getting worse and cybercriminals are actively targeting the most vulnerable systems.
Without a multilayered approach to data protection, your organization could be the next victim.
Get more information
For more information on how you can protect your critical data from ransomware and other threats, request a free demo of backup solutions from Datto. Contact our business continuity experts at Invenio IT by calling (646) 395-1170 or by emailing success@invenioIT.com.