You’ve noticed it, right? Ransomware attacks on state and local governments are up.
Industry research points out that more than 100 U.S. municipalities were hit with ransomware attacks in 2019, double the number reported just one year earlier. In fact, ransomware attackers recently targeted and hit 23 different cities at the same time in a sophisticated, highly orchestrated attack.
And this is hardly a U.S.-based phenomenon. Local municipalities all around the globe are being targeted and held as digital hostages. In the last year alone, it happened in geographies as dispersed as Johannesburg, South Africa; Ontario, Canada; Victoria, Australia; and numerous cities across Europe and Asia. Many other high-profile attacks have victimized major U.S. cities such as Baltimore and Atlanta, as well as small towns. And it’s not just the public sector; universities, nongovernmental organizations and commercial enterprises all have been targets of ransomware.
By now, we’ve all learned what ransomware can, and often does, do to municipalities when their data is encrypted until ransoms are paid:
- Property tax payments are halted.
- Voter registrations are locked.
- Law enforcement departments can’t access criminal records.
- Municipal hospitals can’t call up patient files.
- Court systems have to temporarily shut down.
Any municipality can be a victim. And when your town, city, county, state, province, territory or other non-federal municipality is affected, it’s more than a frustration. For instance, lives can be at stake when hackers lock up data used for law enforcement, computer-controlled traffic grids, public health centers and water purification systems. That’s why some municipalities ignore the recommendations of federal and local law enforcement professionals to not pay the ransom, however seemingly trivial the demand may be.
Our adversaries are very smart, determined and opportunistic. They know that our municipalities may lack the financial resources to invest in personnel, technology and processes to spot, prevent and quickly remediate the impact of ransomware attacks.
State and local governments, just like their private-sector colleagues, must create a blueprint to identify, defend against and mitigate the impact of ransomware attacks. That blueprint has to be developed in tight collaboration of elected and appointed officials, departmental employees and IT/cybersecurity teams. You may even want to pull in some tech-savvy community leaders and business executives to provide additional perspective.
This plan must address three major areas: strategy, prevention, and response/mitigation. Municipalities that put in the work to create the plan, deploy it on a comprehensive basis and develop metrics to measure its effectiveness stand the greatest chance against ransomware attacks.
Here are some specific steps to consider in each area:
- Assemble and empower an internal computer security incident response team (CSIRT). More than likely, you’ll populate this team with both in-house professionals and an outside incident response vendor with demonstrated experience in dealing with ransomware, especially in the public sector.
- Review your municipality’s cyber insurance coverage for ransomware issues.
- Plan and schedule consistent vulnerability assessment and mitigation processes.
- Build a comprehensive plan for business continuity, and conduct tabletop exercises for your municipal officials and your CSIRT.
- Patch known vulnerabilities, and do your homework on new, emerging weaknesses being exploited by cyberthieves.
- Ensure your backup solutions are up to date, tested and have properly identified priorities in restoring data.
- Evaluate, purchase, test and deploy anti-ransomware solutions.
- Establish tools and procedures for active threat intelligence gathering.
- Review, edit and limit privileged user accounts.
- Actively monitor remote connections.
- Contact local and federal law enforcement. Engage them in your strategies and prevention plans, get their suggestions and use them as resources on emerging threats.
- Contain the impact of potential ransomware attacks by isolating systems when they are compromised.
- Determine (a) where the attack entered your systems, (b) what the digital variant looks and acts like, and (c) eradicate the variant from your systems.
- While many of these are technical functions that are likely to be the responsibility of your in-house security and IT teams, as well as any third-party vendors, municipal leaders must understand what is being done and why, so they can make the proper communications to the community.
To Pay or Not to Pay
In deciding whether to pay a hacker’s demands, keep in mind that this is a business risk decision that must be soberly debated among elected officials, leaders and technical professionals.
None of us is naïve enough to think that political issues don’t weigh heavily on this decision-making process. But understand this: Once hackers have successfully locked you out of your systems and the ransom has been paid, you have opened the distinct possibility of getting attacked again. The adversary is great at intelligence sharing, especially when it comes to viable (paying) targets.
This is where your strategy, prevention and response/mitigation plans make a difference. Don’t let political issues (including the desire to not make municipal leaders look like they are being victimized by hackers) override smart practices and the welfare of your community.
Since we are all citizens of different municipalities, there is a chance that ransomware may affect all of us in some way or another, even if we are not employed by a municipality. We may not necessarily feel the brunt of the attack in a direct or immediate way, but it may impact us or our communities.
Act now, and you’ll do more than keep your libraries open, allow your police force to do their jobs and ensure that employees get paid. You’ll avoid being tomorrow’s headline.
MK Palmore is Field Chief Security Officer for the Americas at Palo Alto Networks.