Tied up and held for ransom

Connecting state and local government leaders

Government agencies, particularly state and local ones, are under attack by hackers who are using a combination of malware, phishing and social engineering to wring money from their public-sector victims.

Just as real-world criminals might kidnap the scion of a wealthy family or a high-level business executive to hold for ransom, their digital counterparts have quickly discovered a profitable if nefarious money-making endeavor with even less risk: ransoming government information.


Ransomware is a type of malware that encrypts legitimate users’ documents and locks them out of their files or systems. It is typically delivered to agencies through a phishing email containing malicious code in the form of a link or an attachment that delivers the malware itself. Locked out of their files or their network, legitimate users often pay a "ransom" of several hundred or even a few thousand dollars, usually in untraceable virtual currency such as bitcoins, to have the cybercriminals decrypt their files or restore their access.

And while ransomware exploits have been on the rise with all manner of private- and public-sector victims, government agencies may be finding themselves directly in hackers’ crosshairs. “I think that ransomware is a growing problem for everybody, but certainly state and local governments,” Mark Weatherford, senior vice president for vArmour, and former deputy undersecretary for cybersecurity at the Department of Homeland Security, said. “These crimes don’t know any bounds with respect to victims, and the pickings are easy with local governments.”

Why would hackers target state and local government?

Larger government agencies, like larger private-sector businesses, have the resources to invest in the technologies, the training and the safeguards to mitigate and minimize the risk of these attacks, Weatherford pointed out. Meanwhile, smaller agencies (like small and mid-sized businesses) often don’t have the money and the staff to avoid or combat these exploits, he said. “When I say the pickings are easy,” Weatherford added, “I mean that most small government organizations struggle with the resources to do IT and handle security well.”

Indeed, incidents of ransomware extortion, originally a problem in Russia, began springing up in Europe and the United States about five years ago. While dozens of ransomware variants are known to exist in the wild, many are based on the same destructive malware families -- like CryptoLocker, Locky, Samas and CryptorBit -- that have been tweaked over time.

Last year, U.S. businesses and agencies alone reportedly paid more than $24 million in ransoms across almost 2,500 cases, according to statistics from the Internet Crime Complaint Center. The National Cybersecurity and Communications Integration Center, part of the Department of Homeland Security, received 321 ransomware-related activity reports affecting 29 federal agencies between June 2015 and April 2016. And those are just the incidents that have been reported. It is believed that if the ransom is low enough, and the assets are valued by the agency (and there are no recent backups), many smaller organizations might just pay the hackers to be done with it -- which in turn makes this kind of crime all the more appealing for hackers looking for profitable, low-risk scores.

“These are sophisticated attacks, but they’re going for quantity over quality,” Weatherford said. “They can make a lot of money, and the risk to them is very low.” Additionally, because the data is typically not stolen, just encrypted, by the hackers, the crime of theft has not actually been committed, he said. “It really depends on your compliance requirement, whether you are mandated to report [these incidents]. So in many cases, it’s easier to pay the ransom than to make a big stink,” Weatherford said. “This is not a security decision. It’s a business decision.”

Indeed, ransomware is becoming more pervasive in agencies that are moving operations and citizen services online. “All of our work is being done online and is expected to be ever more online,” Kristine Trierweiler, assistant town administrator for the Town of Medfield, Mass., said. “Our end users are not as versed in security as they could be. The phishing schemes have become very sophisticated, fooling even those that are proficient in online trends.”

One Monday morning in early February, Medfield employees found “several of the computers in the building had a pop-up message on the screen saying that we had been hacked, that this entity had control of all of our data and that we needed to contact them to discuss the ransom,” Trierweiler said. After confirming the threat was genuine, Trierweiler said, the town called in its virus protection firm to see if it could decrypt or retrieve the town’s information. The backup system had been infected as well.

When the town employees realized there was no way to override the ransomware, Medfield reached out to other municipal and state agencies that had also been hit by ransomware for advice. “We were given the same message by all of them: ‘If you want your data back you will pay the ransom,’” Trierweiler said. The town government paid about $300 in bitcoins within 48 hours, and the information was ultimately released.

Similar incidents have taken place in Greenland, N.H., which lost eight years’ worth of data to a CryptoLocker assault, and Ilion, N.Y., which made at least two ransom payments of $300 and $500 last year. The police department in the Chicago suburb of Midlothian Village paid $500 in bitcoins to free its files from hackers. In 2015, the Multi-State Information Sharing and Analysis Center (MS-ISAC), a nonprofit that works with DHS to prevent, track and address cyberattacks, provided digital forensic assistance on 45 ransomware cases involving government machines.

Government agencies have been increasingly “bombarded” with ransomware since October 2014, according to Brian Calkin, vice president of operations for MS-ISAC. “I don’t know that government agencies are being ‘targeted’ as much as it’s opportunistic,” Calkin said. “Unfortunately, a lot of government agencies are not exercising best practices…and not patching their systems.” More ransomware incidents are hitting local government, rather than larger state governments, Calkin said, as “general security hygiene is lacking.”

Basic security, day in and day out

But other than greater awareness and education for employees, what can government agencies do to mitigate the risk and the impact of such attacks, especially when they’re working on a shoestring budget?

Industry experts say much of the solution boils down to managing the security basics, day in and day out, without fail. “Users are always, always, always, always going to be the weakest link,” Weatherford said. Beyond employee education, making regular backups of key files and keeping them offline is a top priority, he added. He also counsels government agencies not to allow unmanaged or unsecured wireless access to their systems.

In the months since its ransomware incident, the Town of Medfield has made changes to avoid falling prey to another attack. Access to USB drives has been restricted; all applications that give vendors remote access are now stopped at the firewall, and vendors must request access with documentation. Patches and security updates are applied daily, and all the town government’s applications have been moved to a cloud environment, with no shared folders on the network and no mapped drives, according to Trierweiler.

Calkin recommended that government agencies monitor state and local agency networks, keeping in contact with counterparts in the region directly or through groups like MS-ISAC, as well as staying abreast of reports from security and technology service providers about potential threats. In many cases, Calkin said, if an agency gets wind of a ransomware attack as it’s happening, the encryption of files can be stopped midstream, and the attack can be thwarted.
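Catching an encryption run "midstream", as described above, depends on noticing the burst of file activity it produces. The following is an added example written for this page, not code from the article, MS-ISAC or any vendor: it reads file-server audit lines in a constructed format (timestamp, host, user, action, path) and flags any user who touches an unusual number of distinct files inside a short window, counting how many of those files now carry an extension the agency never uses. The log format, the extension list and the sample lines are all assumptions made for the example.

```python
"""Flag a mass file-modification burst in file-server audit logs.

Added example (not from the article). The audit line format, the list of
"encrypted-looking" extensions and the sample log are constructed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed audit format: "<ISO timestamp> <host> <user> <action> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<action>WRITE|RENAME|DELETE) (?P<path>.+)$"
)

# Extensions that only appear once a file has been encrypted (assumed list).
SUSPECT_EXTS = (".locked", ".encrypted", ".crypt", ".enc")


def parse(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bursts(lines, window_s=60, threshold=20):
    """Return one alert per (host, user) that modifies or renames at least
    `threshold` distinct files within any sliding window of `window_s` seconds.
    """
    per_principal = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            per_principal[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), events in per_principal.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()  # events no older than window_s relative to the newest
        for ev in events:
            window.append(ev)
            cutoff = ev["ts"] - timedelta(seconds=window_s)
            while window and window[0]["ts"] < cutoff:
                window.popleft()
            distinct = {e["path"] for e in window}
            if len(distinct) >= threshold:
                suspect = sum(
                    1 for e in window if e["path"].lower().endswith(SUSPECT_EXTS)
                )
                alerts.append({
                    "host": host,
                    "user": user,
                    "files": len(distinct),
                    "suspect_ext": suspect,
                    "at": ev["ts"].isoformat(),
                })
                break  # one alert per principal is enough to start a response
    return alerts


def sample_log():
    """Constructed sample: a clerk saving a few files, then one account
    renaming 25 files to an encrypted-looking extension within 25 seconds."""
    base = datetime(2016, 2, 1, 8, 30, 0)
    lines = []
    for i in range(3):
        ts = (base + timedelta(minutes=3 * i)).isoformat()
        lines.append(f"{ts} FS01 clerk1 WRITE /shares/minutes/minutes_{i}.docx")
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} FS01 jdoe RENAME /shares/permits/permit_{i}.pdf.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(sample_log()):
        print(alert)
```

The alert is the trigger for the response the article describes: disconnecting the offending session or host from the share stops the encryption before it reaches the rest of the tree. The threshold and window should be tuned against a baseline of the agency's normal activity (batch jobs and backup agents legitimately touch many files), which is why the alert also reports how many of the files carry an unexpected extension.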

For those agencies that can afford to go the extra mile, Microsoft’s Office 365 offers “detonation chambers,” also known as dynamic execution environments, which allow organizations to open email attachments, execute untrusted or suspicious applications, and click on URLs in the safety of an isolated environment or virtualized sandbox so they can determine whether the associated attachments or applications contain malicious code.

Simple policies such as proper patch management to keep software updated can help prevent exploit-kit-based attacks, according to Bryan Lee, threat intelligence analyst with Unit 42 at Palo Alto Networks. “Microsoft provides quite a few different group policy options for such things as globally disabling macro documents or even [preventing] unknown executables from launching,” Lee said. “Blocking executable attachments in emails or even web downloads can further reduce the attack surface for an enterprise and prevent attacks from even occurring.”
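The attachment-blocking advice above is only effective if the check looks at content rather than trusting the file name. The following is an added example written for this page, not code from the article, Palo Alto Networks or Microsoft: a mail-gateway style filter that parses a message, blocks attachments whose extension is on a deny list, and also blocks attachments that are executables or macro-enabled Office documents in disguise, by checking for the "MZ" executable header and for a vbaProject.bin entry inside the document's ZIP container. The deny lists and the sample message are assumptions constructed for the example.

```python
"""Content-aware attachment filter for executables and Office macros.

Added example (not from the article). The extension lists are assumed
policy choices and the sample message is constructed in memory.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions blocked outright (assumed list; tune to agency policy).
BLOCKED_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
# Office formats that declare themselves macro-enabled.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}


def is_pe_executable(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header whatever their name."""
    return data[:2] == b"MZ"


def has_office_macro(data: bytes) -> bool:
    """OOXML documents are ZIP containers; a VBA project is stored as
    <part>/vbaProject.bin inside them, even when the file is named .docx."""
    if data[:2] != b"PK":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'allow', 'block:executable' or 'block:macro'."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTS or is_pe_executable(data):
        return "block:executable"
    if ext in MACRO_EXTS or has_office_macro(data):
        return "block:macro"
    return "allow"


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message and classify each attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append((part.get_filename(), classify_attachment(part.get_filename(), payload)))
    return results


def build_sample_message() -> bytes:
    """Constructed message with a harmless text file, a renamed executable
    and a macro-carrying document disguised as a plain .docx."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.invalid"
    msg["To"] = "clerk@town.example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment("Invoice total: $300", subtype="plain", filename="invoice.txt")
    # A PE header with a PDF name: the extension check alone would pass it.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # A minimal ZIP container carrying a VBA project under a .docx name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample_message()):
        print(f"{filename}: {verdict}")
```

Blocking at the gateway complements, rather than replaces, the group policy that disables macros on the endpoint: the gateway catches what arrives by mail, while the endpoint policy covers the same document arriving by web download or removable media.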
