From local governments to school districts, ransomware attacks are on the rise. So how do these organizations, who often lack the resources to effectively mitigate threats, defend themselves?
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in global ransomware attacks. And according to a recent Emsisoft report, the US alone was hit by an unprecedented number of ransomware attacks in 2019, racking up more than $7.5 billion in costs and affecting:
- 113 state and municipal governments and agencies
- 764 healthcare providers
- 89 universities, colleges, and school districts—impacting operations at up to 1,233 individual schools.
And that’s just the number of reported invasions. Many organizations don't report incidents, hoping to avoid negative news coverage. So, who knows what the actual figures are?
Furthermore, with the current COVID-19 crisis, cyber attacks are on the rise across the board. In fact, the US Health and Human Services Department (HHS) suffered a cyber attack on its computer system in March 2020, during the outbreak. The attack involved overloading the HHS servers with millions of hits over several hours, but wasn’t successful in slowing the agency’s systems significantly.
People familiar with the incident called it “a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor.”
"While paying a ransom to potentially regain access to data is a dismal option, it may be more appealing than absorbing the higher costs of restoring systems and services."
What puts government agencies at risk of ransomware attacks?
The most common form of ransomware attack is through a phishing attempt. An employee receives a seemingly innocent email that contains a malicious link or file. If someone takes the bait and clicks, the ransomware starts to take the organization hostage. Malware can take down an organization’s entire network—infecting systems, encrypting files, and locking out users.
Next, the cybercriminals demand a ransom—often in the form of bitcoin—to restore access to the data. And cybercriminals often get the payout they’re looking for. According to a new Deloitte report, small and local government agencies are paying ransoms at an accelerating pace. The report cites a few reasons why governments are prime targets:
- They often lack the resources and budget to implement robust cybersecurity measures or new hardware.
- Agencies provide public—and often critical—services, many of which are delivered digitally.
- Government organizations tend to have cyber insurance.
- The cost of attempting to recover lost data and rebuild government systems may be significantly more expensive than the ransom itself.
However, cybercriminals don’t always restore access, and/or data can be lost for good. For example, in April 2019 the police department in Stuart, Florida, was hit with a ransomware attack. As a result, crucial case files were lost, forcing US prosecutors to drop 11 narcotics cases against six suspected drug dealers.
And, even if access is restored, there can be lasting effects. DCH Health Systems in Alabama had to stop accepting new patients at its hospitals in Tuscaloosa, Northport, and Fayette for 10 days in October 2019. Hospital officials didn’t say how much they paid to hackers to restore access after the Ryuk ransomware locked system files.
Four patients have since launched a class-action lawsuit against DCH, arguing that they were unable to access their health information and that hackers could have gained access to their medical records, which violates the Health Insurance Portability and Accountability Act (HIPAA).
But it's not as black and white as simply not paying the ransom. In May 2019, the Baltimore City government was crippled for over a month by RobbinHood ransomware that affected everything from airports and hospitals to ATMs.
The city decided not to pay the Bitcoin ransom of $76,000, stating they refused to reward criminal behavior and were following the advice of the Secret Service and the FBI. The cost of lost or deferred revenue, remediation, and new hardware was estimated to be $18 million.
Government agencies often lack the resources to implement robust cybersecurity measures or new hardware, making them prime targets.
5 ways to help prevent ransomware attacks
As more and more government services are delivered digitally, hackers will continue to increase their efforts to capitalize on system vulnerabilities. While there’s no way to prevent every incident, you can minimize your risk by:
- Establishing a culture of cybersecurity throughout your organization. This includes regular employee training, effective communication workflows, and leading from the top down.
- Having strong cybersecurity controls in place around things like user access, password management, and device security.
- Using software like CyberBond to intelligently prioritize and resolve uncovered vulnerabilities. CyberBond consolidates findings from all of your vulnerability tools to help you prioritize remediation and gain better insights from all relevant risk data.
- Using the right risk management framework. A good framework will help protect the organization without slowing growth. The NIST Cybersecurity Framework is commonly used because it simplifies security in a language that everyone can relate to: capabilities before, during, and after an attack.
- Developing a system architecture where the most critical data is compartmentalized. The earlier Deloitte report we referenced recommends this to make it more difficult for hackers to encrypt enough critical information to demand a ransom. From adapting physical systems to preventing staff from playing games on critical hardware, this can be a very effective defense.
Government agencies don’t face an easy decision when they’re under fire. While paying a ransom to potentially regain access to data is a dismal option, it may be more appealing than absorbing the higher costs of restoring systems and services.
As with most cybersecurity threats, human error is at the core of ransomware attacks. By focusing not only on the right processes, but also on effective training and education programs, you can reduce the odds your organization will be seen as an easy mark.
CISOs in the boardroom
In this eBook, you’ll discover:
- The top six challenges facing CISOs today.
- What’s defining our current cyber-risk landscape.
- Strategies to win more budget and capacity for your cybersecurity function.
- Common questions to anticipate from the board (and how to respond to them).