Threat from the dark: ransoming local governments

Since the beginning of 2020, U.S. state bodies at various levels have been attacked by ransomware at least 93 times in 68% of states. This is a study of the U.S. ransomware landscape.

Executive summary

Since the beginning of 2020, U.S. state bodies at various levels have been attacked by ransomware at least 93 times in 68% of states.

42% of attacks occurred in the battleground states* of the upcoming U.S. presidential elections.

Government authorities of Texas were the most exposed to ransomware attacks (13% of all attacks).

More than half (55%) of all ransomware attacks occurred in the first quarter of 2020, and most often U.S. state bodies were attacked in January (24%), February (23%), and May (16%).

More than half of the attacks (54%) occurred at the city level, almost a third (28%) at the county level, and 18% of the attacks affected the entire state.

* Battleground states (or swing states) are states of the U.S. in which the Democratic and Republican candidates both have a good chance of winning and that are considered key to the outcome of a presidential election. The list of battleground states is based on the Cook Political Report “2020 Electoral College Ratings”.


Introduction

Ransomware has been one of the most damaging problems in cybersecurity for years. It infects devices, denies access to the files stored on them, and demands that users pay a ransom to regain access to their data.

The basic principles of ransomware have not changed: attackers gain access to a computer system and, once inside, use malware to encrypt the data; to regain access, the victim must pay a ransom ranging from a few hundred dollars to millions. Meanwhile, with the rapid growth of connected devices and digital systems, government services from public safety to education are increasingly delivered through digital solutions, which widens the attack surface.

The threat posed by ransomware and cyberattacks has not been ignored by government employees. The latest survey conducted by Harris Poll on behalf of IBM found that 73% of government employees are worried about the imminent threat of ransomware in cities across the United States. In addition, nearly 50% expect attacks on their communities to increase in 2021, and 66% worry that cyberattacks could disrupt the 2020 election.

Governments, however, may find themselves vulnerable because they struggle to keep pace with developments in cybersecurity, usually on increasingly outdated systems. Fragile networks, critical citizen services and paid ransoms form a positive feedback loop: each successful ransomware attack encourages further attacks demanding more money. Governments then face a dilemma: pay a ransom that may encourage more attacks and other criminal activity, or bear the huge cost of losing the data needed to provide public goods and services.

Unfortunately, there is no panacea for ransomware. Prevention requires hard work building new tools, new policies and new approaches to network security. In view of recent incidents and the fact that the threat is still actively developing, with new strains appearing and being aimed at different industries, we decided that the ransomware landscape in U.S. state bodies deserves a closer look.

1. Why is ransomware so dangerous for governments?

On the morning of May 12, 2017, the WannaCry ransomware spread around the world within a day, infecting more than 230,000 computer systems in 150 countries and regions and causing financial losses of approximately $4 billion. It was the most aggressive self-propagating malware since 2003, when the Slammer worm infected most of its victims within an hour. WannaCry also caused widespread service interruptions at the National Health Service in the UK: hospitals and clinics were forced offline and approximately 20,000 appointments were cancelled. According to Lloyd’s of London, a major global cyberattack of this kind could cause between $4.6 billion and $53 billion in economic losses, comparable to catastrophic natural disasters such as Superstorm Sandy in the U.S. in 2012.

Ransomware is a type of malware (malicious software) that prevents you from accessing computer files, systems or networks and demands a ransom in return. Ransomware attacks can cause costly operational disruptions and the loss of critical information and data. One can unknowingly download ransomware by opening a phishing email attachment, clicking an ad or a link, or even visiting a website with embedded malware. Once the code is running on the computer, it locks access to the computer itself or to the data and files stored on it. More dangerous variants encrypt local drives, connected drives and even files and folders on other computers on the network, and newer operations also steal data before encrypting it and threaten to publish it if the ransom is not paid, as in the Florence case described below. In most cases the victim does not know that the computer is infected until the data cannot be accessed or the computer displays a message announcing the attack and demanding a ransom.

Because of the relatively low barriers to entry, the ease of use and the anonymity of payouts, the number of ransomware attacks is rising sharply all around the world. In 2017 Cybersecurity Ventures predicted a 15-fold increase in global ransomware damage costs in just two years, from $325 million in 2015 to $5 billion in 2017. Today its estimate has climbed much higher, to $20 billion by 2021, 57 times the 2015 figure.

According to the security bulletin issued by the cybersecurity company Kaspersky Lab in December 2016, enterprises worldwide were hit by ransomware every 40 seconds, up from every two minutes in early 2016. By Cybersecurity Ventures’ estimates, by the end of 2019 a ransomware attack was being carried out on an enterprise every 14 seconds, and by 2021 it will be every 11 seconds.

According to the 2020 SonicWall Cyber Threat Report, ransomware was the only type of malware whose spread in 2020 exceeded every month of 2019. By the middle of 2019 the global number of ransomware attacks had grown by 15%, while in 2020 it has grown by 20%. In the United States the number of ransomware attacks increased by 109%, to 80 million attacks.

In 2020 SonicWall also notes the rising attention paid to so-called «soft targets»: local governments, public administration agencies, educational organizations and even hospitals. Because of their small size and generally tight budgets, they often lack the level of security of large companies. More importantly, the work of such organizations is vital not only to the organization itself but to the functioning of society, and attacks have taken down websites, email, payroll, telephone services and dispatch services.

According to the Emsisoft Malware Lab report, in 2019 the United States suffered an unprecedented wave of ransomware attacks that affected at least 966 government agencies, educational institutions and healthcare providers, at a potential cost of more than $7.5 billion. The affected organizations included 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges and school districts.

This study analyzed the publicly available information on ransomware attacks on U.S. state bodies in 2020 and identified the most exposed regions of the country.

2. Map of U.S. ransomware attacks

Since the beginning of 2020, U.S. state bodies at various levels have been attacked by ransomware at least 93 times in 68% of states. It is noteworthy that Democratic and Republican states accounted for exactly 29% of all attacks each (using the same state segmentation as the U.S. Electoral College ratings).

Clustering the ransomware attacks showed that 42% of them occurred in the battleground states* of the upcoming U.S. presidential elections. In-depth analysis showed that the largest share of ransomware attacks (38%) targeted local authorities and city governments. By sector, 18% of ransomware attacks paralysed the work of local school districts.

* Battleground states (or swing states) are states of the U.S. in which the Democratic and Republican candidates both have a good chance of winning and that are considered key to the outcome of a presidential election. The list of battleground states is based on the Cook Political Report “2020 Electoral College Ratings”.

3. Patterns of ransomware attacks on the U.S. state bodies

The study clearly revealed that different states and counties differ greatly in the volume of successful ransomware attacks. In 2020 government authorities of Texas were the most exposed to ransomware attacks (13% of all attacks). Florida, California, North Carolina and Illinois are also among the leaders in the number of ransomware attacks (5% of attacks each).

The beginning of 2020 was the most active period in terms of the number of ransomware attacks on U.S. state bodies. More than half (55%) of all ransomware attacks occurred in the first quarter of 2020, and U.S. state bodies were attacked most often in January (24%) and February (23%). One of the most devastating attacks of the year also occurred in January.

In the midst of the pandemic, however, a surge in ransomware activity was detected: May became the third most active month of the year, with 13% of all ransomware attacks on U.S. state bodies.

The distribution of attacks by the organizational level of the target also demonstrates the vulnerability of local authorities and city governments. More than half of the attacks (54%) occurred at the city level, almost a third (28%) at the county level, and 18% of the attacks affected an entire state. The difficulty is that local authorities have the fewest resources both to prevent attacks and to recover from their destructive consequences, which creates fertile ground for the most dramatic cases.

Examples of attacks

A county in the Pacific Northwestern state of Oregon paid $300,000 for cyberattack ransom

Cyber-criminals hit Tillamook County in a targeted attack on January 22. As a result, all internal computer systems of the county government, on which 250 county employees rely, went down. The Tillamook County website, which hosts numerous departments, was also taken out in the incident. Other network connections were disabled to contain the spread of the malware. At a meeting of the Tillamook County Board of Commissioners, county officials revealed that a $300,000 ransom had been paid to regain access to the data.

An Alabama city is paying over a quarter of a million dollars to cyber-criminals to recover data encrypted in a ransomware attack

Florence became a victim of the DoppelPaymer ransomware group on June 5 in an attack that shut down the city’s email system. The gang demanded 38 bitcoin, equivalent to about $378,000, and threatened to publish or sell data stolen from Florence if the city did not pay. A security firm hired by Florence in the wake of the attack negotiated the ransom down to 30 bitcoin, worth around $291,000. Mayor Steve Holt said that Florence had elected to pay despite not knowing for certain what data the criminals had stolen and encrypted.

4. Ransomware mitigation advice and best practices

Ransomware can harm individuals and organizations alike. Anyone who stores important data on a computer or network can be affected, including government and law enforcement agencies, healthcare systems and other critical infrastructure entities. Recovery can be difficult: it may require the services of a reputable data recovery expert, and some victims pay to recover their files. There is, however, no guarantee that files will be restored after the ransom is paid.

According to the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the recommended measures against the threat of ransomware are the following:

  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Back up data regularly. Keep the backups on a separate device, store them offline so that malware on the network cannot reach them, and test restores periodically: a backup that has never been restored is not known to work.
  • Restrict users’ permissions to install and run software, and apply the principle of least privilege to all systems and services. Restricting these privileges may prevent malware from running or limit its ability to spread through the network.
  • Use application allowlisting so that only approved programs can run on the network.
  • Enable strong spam filters to keep phishing emails from reaching end users, and authenticate inbound email (SPF, DKIM and DMARC) to prevent email spoofing.
  • Scan all incoming and outgoing email for threats and keep executable attachments from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
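Two of the measures above, scanning inbound mail and keeping executable attachments away from end users, can be checked with a small mail-gateway filter. The following Python script is an added example written for this page; it is not code from CISA, MS-ISAC or the report’s authors. The blocked-extension list, the archive depth and size limits, and the sample message with its disguised executable and zipped script are constructed assumptions that a real gateway would replace with its own policy.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Policy constants (assumptions for this example, not a CISA/MS-ISAC list):
# file types that should never reach an end user's mailbox.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1", ".msi",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk", ".iso",
    ".docm", ".xlsm", ".pptm",          # macro-enabled Office documents
}
# Magic bytes that identify executables regardless of the claimed file name.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_ARCHIVE_DEPTH = 2                  # a zip inside a zip inside a zip is quarantined
MAX_MEMBER_SIZE = 50 * 1024 * 1024     # guard against zip bombs (assumed limit)


def _extension(name):
    """Return the last extension in lower case; 'invoice.pdf.exe' -> '.exe'."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def classify_blob(filename, data, depth=0):
    """Return the reasons a blob should be quarantined (an empty list means clean)."""
    reasons = []
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: blocked extension {ext}")
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"{filename}: content is an executable ({description})")
            break
    if data.startswith(ZIP_MAGIC):      # a zip archive, or an OOXML document (also a zip)
        if depth >= MAX_ARCHIVE_DEPTH:
            return reasons + [f"{filename}: archive nested too deeply"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.is_dir():
                        continue
                    if member.file_size > MAX_MEMBER_SIZE:
                        reasons.append(f"{filename}: member {member.filename} too large")
                        continue
                    if member.filename.lower().endswith("vbaproject.bin"):
                        reasons.append(f"{filename}: Office document contains VBA macros")
                    reasons.extend(classify_blob(member.filename, archive.read(member), depth + 1))
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            # Corrupt, password-protected or unsupported archives cannot be
            # inspected; a gateway should quarantine them rather than wave them through.
            reasons.append(f"{filename}: archive cannot be inspected")
    return reasons


def scan_message(raw):
    """Parse an RFC 5322 message and return ('quarantine' | 'deliver', findings)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings.extend(classify_blob(name, payload))
    return ("quarantine" if findings else "deliver"), findings


def build_sample(malicious=True):
    """Constructed test message: a PE disguised as a PDF and a zipped JScript dropper."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "clerk@example.gov"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    if malicious:
        # Double extension plus a misleading MIME type; the MZ header gives it away.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                           subtype="pdf", filename="invoice.pdf.exe")
        zipped = io.BytesIO()
        with zipfile.ZipFile(zipped, "w") as archive:
            archive.writestr("open_me.js", "new ActiveXObject('WScript.Shell').Run('calc');")
        msg.add_attachment(zipped.getvalue(), maintype="application",
                           subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, findings = scan_message(build_sample())
    print(verdict)
    for finding in findings:
        print(" -", finding)
```

Run directly, the script prints the verdict for the constructed sample. The extension check alone is not enough: the magic-byte check catches a renamed executable, the archive recursion catches the common zip-wrapped dropper, and anything the gateway cannot open, such as a password-protected archive, is quarantined by default instead of being delivered.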

For more information see “Ransomware Security Publication” by the National Cybersecurity and Communications Integration Center and “Ransomware Guide” by the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center.
