Government

Hackers Targeting Government

Cybercriminals worldwide are aggressively targeting federal, state and local governments with ransomware attacks. Attackers have targeted several states and cities in the United States.

Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems.

In 2019, two-thirds of ransomware attacks in the US targeted state and local governments. Several of those victims have made steep payments to hackers in exchange for decryption keys meant to unlock computers and servers frozen by ransomware attacks. Washington, Pennsylvania — population 13,508 — paid $21,250 after a May attack, while Lake City and Riviera Beach, Florida agreed to pay nearly $1.1 million collectively in June following infections by a malware exploit known as Ryuk.

Meanwhile, just 16 percent of the municipalities targeted had populations of more than 300,000, though that group includes places like Baltimore, where a May attack may eventually cost the city more than $18 million in emergency IT spending and lost revenue.

washington state capitol facade reflecting in pond under white sky

When the Exploit Succeeds

Once the hacker gains access to the target systems, the attacker demands payment of a ransom and will also claim to provide a method to the victim to regain access to their data once the ransom is paid. There is no guarantee that a victim of an attack will recover their data or access to systems. Without adequate disaster recovery and backup plans, many organizations are forced to pay the ransom.

Government Entities Often Pay the Ransom

Small and local governments not only continue to pay ransoms to the criminals behind ransomware, but they have been doing so at an accelerating pace, according to a new report by consulting firm Deloitte.

In 2019, more than 163 ransomware attacks targeted local and county governments, with at least $1.8 million paid to the cybercriminals behind the attacks and tens of millions of dollars in recovery costs, according to data compiled by the Deloitte Center for Government Insight. In 2018, there were only 55 publicly reported attacks and less than $60,000 in ransom. In fact, local governments are seeing an increasing number of attacks at the same time attackers are also demanding higher ransoms — an average of 10 times higher than what they demand from private-sector companies.

Three key factors driving the increase in ransomware targeted to government

Organizations tend to have insurance
Gaps in networks and system security due to lack of budget and expertise
Government needs to maintain time-sensitive critical services

The result is a feedback loop, says Srini Subramanian, state and local government sector leader for Deloitte. “The more they are paying out, the more money criminals are demanding,” he says. “The criminals like targeting governments because they pay. And cyber insurance is paying because it is the fastest way to recovery, and it is likely the most cost-effective way as well.”

Local governments became a favored target of ransomware in 2019. In August, local and county government organizations in Texas were disrupted by destructive attacks all at nearly the same time and with a variety of consequences — some towns lost the ability to accept payments, while others had emergency services disrupted. Major cities, such as Baltimore and Atlanta, suffered attacks as well.

Money and Talent Gaps Combined with High Stakes

Local governments are an easy target because they have tight budgets and lack the ability to attract cybersecurity professionals. Attacks are easier because they have poor backup practices due to the lack of budgets and skills. Local governments need their systems for continuity of operations. When they can’t restore from a backup, the only options are to continue with a nonfunctioning system or to pay the ransom.

The critical nature of many government systems means that failure to recover quickly can result in significant costs. The city of Baltimore, for example, decided not to pay a ransom of $76,000. It was the right moral choice but one with a significant cost, says Deloitte’s Subramanian. Recovering from the incident cost the city more than $18 million.

The private sector has been investing in cybersecurity for a long time and their skills and methods continue to mature. Local governments have not invested as much, so hackers are focusing on this sector because they are easier targets.

Protecting your Organization

Response Time

It is critical that defenders respond within the Breakout Time window, which is measured in hours, so that defenders are able to minimize the cost incurred and damage done by attackers.

An example of a target metric for security teams is the 1-10-60 rule

Detecting threats within one minute
Understanding threats within 10 minutes
Responding within 60 minutes

According to recent research, the average breakout time for all observed intrusions rose from an average of 4 hours 37 minutes in 2018 to 9 hours in 2019. This increase reflects the dramatic rise in observed e-Crime attacks, which tend to have significantly longer breakout times

Antivirus is only a part of the strategy

Many government entities have relied on antivirus tools to help protect against ransomware, without understanding that ransomware is a completely different problem that these tools are not equipped to solve. Most antivirus tools are only checking against known lists of malware. The rapidly changing nature of ransomware means that the newest threats simply change the names of their files to mirror what the tool thinks are acceptable. Then the antivirus software simply allows the attacking file without understanding what has happened.

Stopping the attack before it starts

We have discussed mitigation strategies for how to limit losses and how some organizations have felt compelled to pay ransom once they are hit.

A more effective solution is to adopt technologies that stop an attack at the very beginning, before malware can damage or encrypt systems, and before ransomware can spread through a targeted network.

Zero Day Threats

Many traditional vendors try to build and update tools to prevent any access to systems from bad actors. We believe that while defenses keep improving, hackers will always find new exploits to access devices and networks. This plays out every day as successful attacks are reported in the news media.

It is particularly difficult for traditional vendors to detect Zero Day attacks where the malware uses new or unrecognized methods. Traditional antivirus systems miss these attacks precisely because they are new.

A Different Approach

At Hackerstrike, we are focused on what happens when an attacker gains access to a device or a network. Ransomstrike recognizes and halts anomalous behavior utilizing advanced Machine Learning (ML) as part of our extended detection and response (XDR) solution.

While other vendors look for known malware, Ransomstrike ML-based methods and processes recognize behavioral changes of systems that begin exhibiting anomalous behavior. We then and stop device from damaging infected systems or propagating to other devices over a network. This approach helps reduce the incidence of false positives that plague SRM leaders.

Ransomstrike

Government entities of all sizes need tools that work with but go well beyond the function of traditional antivirus solutions. Hackerstrike is a full-protection platform designed from the ground up to provide real-time detection and protection of all of your systems using A.I.-based continuous learning technology.

By examining metadata obtained from the Operating System, a true ransomware detection and prevention solution can understand, identify and detect ransomware behavior and stop it, even if traditional antivirus tools can’t find the issues.

Applying Ransomstrike to standard defensive metrics

The continuous learning A.I. engine in Ransomstrike is constantly scanning devices and the network for any anomalies that fall outside of normal operating behavior.

When an attack is launched by an employee or contractor clicking on a link in a spear phishing email, Ransomstrike immediately detects the behavior of the malware, alert administrators and takes the appropriate steps based on the device and user under attack. This can include actions such as quarantining the device from network access for example, to prevent the malicious code from replicating to other devices on the network.