To pay or not to pay? That is the question many public-sector organizations must grapple with when faced with a complex ransomware attack – even while the COVID-19 pandemic rages on around them.
Ransomware attacks on municipal, county and state government agencies are on the rise. Places as prominent as Los Angeles County and Atlanta and as small as Lake City, Fla. have all found themselves at the mercy of attackers demanding extortion fees in exchange for mission-critical data.
In 2016, there were a reported 46 ransomware attacks against public-sector agencies. In 2018, the total came to 53. Then in 2019 came a big spike: more than 140 U.S. cities and counties were hit. There are likely more that have not been publicized, given the embarrassment of falling prey to such crimes.
There is no sign of things slowing down in 2020. Since the beginning of the year, the criminals behind the Clop, DoppelPaymer, Maze and Sodinokibi ransomware families have rapidly adopted a tactic called "double extortion": they steal data before encrypting it, then threaten to publish it if the ransom is not paid, so that even a victim with good backups is pressured to pay.
Why Do Attackers Like the Public Sector?
Unlike state-sponsored attacks, the recent spate of attacks on the public sector does not seem bent on stealing intellectual property. The goal is financial, but the attacks still have a huge impact on the target's operations, potentially disrupting essential services such as police and fire departments. Ransomware attacks also incur massive clean-up costs, part of which is passed on to taxpayers.
But why have public-sector organizations become an attractive target?
Sad but true: governments often do not allocate enough spending to security projects, making them easier targets for attackers. "Public sector organizations are a soft target," said Bill Siegel of Coveware. "They're underfunded and using hardware and software that should have long been replaced."
To illustrate the point, a recent study found that one in three local-government CIOs report running outdated technology, which makes their agencies more vulnerable to cyberattacks.
Public-sector organizations must also meet requirements that their corporate counterparts do not face. For example, agencies are subject to additional public-disclosure requirements when a cyber-event occurs. With that disclosure come heightened media attention, headlines and copycat attacks.
In a worrisome trend, attackers are demanding higher payments to restore the hostage data, and they often time their attacks to hit at the most sensitive moments. For example, a spate of ransomware attacks on Louisiana schools last year landed in mid-August, just before the start of the school year. In March, Albany, the capital of New York State, admitted it had been hit with ransomware on a quiet Saturday morning, with few IT staff on hand to deal with the situation.
Paying the Attackers – What is the Right Approach?
Perhaps most significant of all, some victims are opting to pay the ransom to have their data restored. Last year the two hacked Florida towns, Lake City and Riviera Beach, paid roughly $460,000 and $600,000, respectively, to attackers. This goes directly against FBI guidance that victims should not pay; the FBI notes that paying simply emboldens attackers and proves to them that their methods work.
The FBI's position is fine and well, in theory. But when the operation of your city is on the line, when police officers cannot write tickets, 911 call-center operators cannot get location data on accident victims, and government services are offline for weeks, paying the ransom begins to look like the practical option. Many security consultants say that payment is the fastest and least costly way to get systems back up and running.
But paying does not guarantee that cities and states will see their data again. After all, these are criminals. There are numerous accounts of victims who paid and never received the decryption key they were promised. And when a key did arrive, in many cases it did not work, or the decryptor was too slow or buggy to recover everything.
That was the case in 2017's NotPetya attack. The ransomware-like worm devastated shipping giants, drug companies and others around the world in a matter of days. Some victims paid to get their data back, but NotPetya's creators never intended to return anything: the "installation key" shown in its ransom note was random and could not be used to derive a decryption key, and the contact e-mail address was shut down within hours. It was a wiper, demolishing the data it promised to restore. These unfortunate targets wound up paying for data they never got back, on top of paying to have their systems rebuilt.
And so it goes: budgetary pressure compels government organizations to place less importance on security than they should, so they become easier prey for attackers. The money then spent dealing with the consequences (remediation, recovery, compensation and the ransom payments themselves) dwarfs the cost of putting a more robust security infrastructure in place to begin with.
Browser Isolation and Zero Trust
Benjamin Franklin once said, "An ounce of prevention is worth a pound of cure"; this could not be truer in security. Public-sector organizations need to ensure that threats like ransomware cannot gain a foothold in their networks in the first place. Many of today's worst ransomware variants enter organizations through malicious attachments or links in spam and phishing e-mails, and through compromised or malicious websites.
Fortunately, there are tools that can help. Remote browser isolation (RBI), for instance, is designed to keep ransomware and other web-borne threats off endpoints. With RBI, all website content is fetched and rendered by a virtual browser running in a disposable container in the cloud; only a rendered, sanitized representation of the page reaches the user's device, active content from the site never executes on the endpoint, and the container is discarded after the session. RBI addresses the browser as an entry point; it is a complement to, not a replacement for, e-mail filtering, patching and tested backups.
Meanwhile, the zero-trust concept, summarized as "trust no one, verify everything," is reshaping many IT security architectures. Applied to employees' use of the web, it means public-sector agencies treat no site as safe by default, whether a user browses to it directly or follows a link in an e-mail. Organizations must stop trusting and start verifying, always.
Ransomware is a threat that is continuously evolving and shifting gears. It is therefore imperative that organizations re-examine their current security strategy against today's more sophisticated attacks. The hard call between paying up and losing data while operations are disrupted can be avoided by prioritizing key zero-trust security investments that keep ransomware out of your systems in the first place.
David Canellos is president and CEO of Ericom Software.