Ransomware is an IT topic that just won’t go away. Each week I read about a new attack.
The reasons for the attacks are numerous, but I’ll boil it down to one: ransomware works. Not every time, but enough to cause a lot of headaches. A few weeks ago, I made a few suggestions on how to keep your network safe from ransomware. Of course, keeping the threat off your network and devices is the best-case scenario. A mixture of best practices with a skilled IT staff can keep most threats at bay. But you can’t control every access point to the network.
Over the past decade, most ransomware authors wrote their programs to attack consumers’ computers. Authors largely ignored businesses and government entities, but that’s changing. This week, I want to look at a number of new ways ransomware authors are causing major issues at the local government level. I’ll look at why someone might target government offices and make some recommendations on what you can do to combat the risk.
Recent Attacks Target Government Institutions
Last month the city of Springfield, TN was attacked by a ransomware virus that encrypted all their files. Over a weekend, the city recorder discovered something fishy about files she normally saves to the city’s server. Not only had the virus changed the file formats, but it had attached an email address to each file. The hacker demanded $10,00 to recover the files, but the city had recently installed a new server. IT was able to restore a full backup from this server. It would take another week to work through the attack and regain control of their network. “We had to regain all of our data and now we are taking some measures to get additional backup procedures,” said Springfield City Manager Paul Nutting.
In Sarasota, FL the FBI got involved when the city’s file sharing and storage network was locked by ransomware. It took IT staff 10 hours to restore the files. City Manager Tom Barwin said, “We didn’t announce it (the attack), because, obviously, we don’t want to encourage that behavior or make it known that at that point we were vulnerable in any way.” Sarasota was lucky that the attack didn’t compromise the personal data of any city employees or residents.
And back in February, the city of Durham, NC was attacked when ransomware took over at least two of their computers. In this case, employees couldn’t access some files, and an investigation by IT led to the discovery of ransomware. The city had already implemented a robust backup plan which allowed IT to restore a backup of the encrypted files. No ransom was paid.
These three examples illustrate the aggressive tactics ransomware authors are taking to reach government computers. In each of these examples, downtime ranged from about a day to a week, but it could have been a lot worse. Each city had a backup plan which allowed them to retrieve the files the virus had encrypted.
Challenges the Government Faces
Governments, as well as private institutions, face a number of challenges when combating ransomware. Political espionage is nothing new, but I want to point out here that the majority of reported attacks have been for monetary rather than political gain. The challenges governments face today include:
Budget Constraints: Installing a BDR or backup server costs money that many local governments don’t have. Sometimes having a full backup solution doesn’t seem like a budget priority until an attack hits home. Implementing a BDR solution makes financial sense when you understand the cost of downtime. Hackers were able to take the Springfield office offline for a week. How much do you think that cost the city in productivity?
Lack of Training: In most ransomware attacks, it’s the front line employees who recognize there’s a problem. But IT might not have the time or resources to train all employees. In some cases, the employees take action that worsens the situation. The sooner employees notify IT, the better chance they have to contain the virus.
Lack of Expert Staff: The authors of ransomware know how to play on fears. Even seasoned IT staff might be embarrassed to admit someone compromised their network. They may decide that paying the ransom will make the issue go away quickly. The problem with this option is that there’s no guarantee the hackers will hold up their side of the bargain. It’s not uncommon for these hackers to take your money and then ask for more when they realize you’re willing to negotiate.
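As an added example that is not part of the original post: a small Python check that automates what the Springfield city recorder noticed by eye, comparing a before/after listing of a file share and alerting when a large share of files have been renamed with a new extension and an e-mail address attached. The file names, the address and the extension are constructed placeholders.

```python
import re
from collections import Counter

# Constructed before/after listing of a city file share, modelled on the Springfield
# description: the originals are gone, each file has a new extension and an e-mail
# address attached to its name. The address and extension are placeholders.
BEFORE = ["budget-2016.xlsx", "minutes-03-14.docx", "permits.mdb",
          "seal.png", "readme.txt", "notes.txt"]
AFTER = ["budget-2016.xlsx.[recover@example.net].locked",
         "minutes-03-14.docx.[recover@example.net].locked",
         "permits.mdb.[recover@example.net].locked",
         "seal.png.[recover@example.net].locked",
         "readme.txt", "notes.txt", "HOW_TO_DECRYPT.txt"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def renamed_pairs(before, after):
    """Map each original name that vanished to the new name that begins with it."""
    present = set(after)
    pairs = {}
    for name in before:
        if name not in present:
            pairs[name] = next((n for n in after if n.startswith(name + ".")), None)
    return pairs

def assess(before, after, threshold=0.5):
    """Score a snapshot for the mass-rename pattern; alert above the ratio threshold."""
    tagged = {old: new for old, new in renamed_pairs(before, after).items()
              if new and EMAIL_RE.search(new)}
    contacts = Counter(EMAIL_RE.search(n).group(0) for n in tagged.values())
    extensions = Counter(n.rsplit(".", 1)[-1] for n in tagged.values())
    ratio = len(tagged) / len(before) if before else 0.0
    return {
        "files_checked": len(before),
        "renamed_with_email": len(tagged),
        "ratio": round(ratio, 2),
        "contacts": dict(contacts),
        "new_extensions": dict(extensions),
        "alert": ratio >= threshold,
    }

if __name__ == "__main__":
    print(assess(BEFORE, AFTER))
```

Run it from a scheduled task against a directory listing taken at each interval; a true alert is the moment to pull the share offline and call IT, not to keep working.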
The BDR is your best friend when dealing with ransomware attacks. As you know, the BDR (backup disaster recovery) is a device that lives in your IT room. It automatically backs up your data and stores it in the cloud. IT can configure the BDR to perform frequent backups in order to minimize downtime. They are also easy to install, configure and maintain. Unlike a server which can be used to perform hundreds of tasks, the BDR does one or two things really well.
I believe that some MSPs assume that, because they are working with city officials, they have a sufficient backup solution in place to handle ransomware intrusions. And while that’s the case for some, many companies have cobbled together “solutions” that could take weeks to implement. The genius behind the BDR is that IT can configure it to bring your company back online as quickly as possible. Often within minutes.
Managed service providers are your best bet if you are looking to prevent ransomware. They can help take steps to put a BDR in place and protect your business:
- Educate and train employees about good practices in cybersecurity;
- Patch and update your software, especially operating systems;
- Maintain frequent backups (always have several copies) with a reliable backup and recovery solution;
- Test backups often and make sure you can recover your data;
- Store backups on media that is not connected to the network, to stop ransomware from infecting them;
- Properly handle user permissions and passwords to keep security tight;
- Conduct penetration and vulnerability testing on networks every year;
- Replicate backups to the cloud, when uptime and resiliency are needed.
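As an added illustration of the “maintain and test backups” items above (not the original post’s code, nor any BDR vendor’s): a Python routine that archives a folder with a checksum manifest, then proves the archive restores intact by extracting it to scratch space and rehashing every file. The sample share contents are constructed.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path):
    """Digest used both when the backup is taken and when it is test-restored."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(source, archive):
    """Archive every file under `source`; return a {relative path: sha256} manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(p for p in Path(source).rglob("*") if p.is_file()):
            rel = f.relative_to(source).as_posix()
            manifest[rel] = sha256_of(f)
            tar.add(f, arcname=rel)
    return manifest

def verify_restore(archive, manifest):
    """Restore into a scratch directory and list every file that is missing or altered."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python builds without the `filter` argument
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append("missing: " + rel)
            elif sha256_of(restored) != digest:
                problems.append("altered: " + rel)
    return problems

def demo():
    """Constructed sample share: back it up, then prove the copy restores intact."""
    with tempfile.TemporaryDirectory() as work:
        share = Path(work) / "share"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "budget.csv").write_text("dept,amount\nparks,1200\n")
        (share / "minutes.txt").write_text("council minutes\n")
        archive = Path(work) / "share.tar.gz"
        manifest = make_backup(share, archive)
        # A manifest that lies (extra file, wrong digest) must be caught, not trusted.
        bad = dict(manifest, **{"ghost.txt": "0" * 64, "minutes.txt": "0" * 64})
        return len(manifest), verify_restore(archive, manifest), verify_restore(archive, bad)
```

Keep the manifest with the offline copy of the archive; an empty problem list from a scheduled test restore is the evidence that the backup will actually bring you back online.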
Ransomware will continue to proliferate as long as the authors find people and organizations who will pay up. If 2016 is any indication, the attacks show no signs of slowing. One might expect the number of attacks to increase during an election year. I don’t have the numbers to definitively prove that’s been the case, although we know Russian hackers recently gained access to the DNC computers. In that case, the hackers were after information they could use to embarrass the party.
Embarrassment also certainly leads governments and municipalities to keep ransomware attacks under wraps, especially in those cases where they decided to pay the ransom. Paying will most likely invite more attacks. Your best bet is to follow best practices for keeping your networks secure and having a BDR in place. Just in case.