State and Local Governments Are Prime Ransomware Targets: Here's What They Can Do

Making sure security teams have adequate resources to invest in frameworks like zero trust and are well versed in the latest attack methods and vectors will help ensure systems are adequately monitored to thwart potential threats.

Dark Reading Staff, Dark Reading

June 21, 2021


Government agencies are some of the most sought-after targets for hackers. The public nature of the hacks, the significant impact on the communities they support, and the wealth of valuable information that can be leveraged make these entities particularly appealing to malicious actors deploying ransomware. Plus, cybercriminals are aware that these organizations often lack proper cybersecurity investments to thwart ransomware attacks, yet have the means to pay the ransom if a state of emergency is declared.

New data indicates that from 2018 to 2020, 246 ransomware attacks on US government organizations took place, impacting an estimated 173 million people and costing roughly $52.88 billion in damages. The past year in particular has sounded alarm bells, as attacks increased 62% from 2019 to 2020.

Government entities need to acutely understand why they are compelling ransomware targets for hackers and take immediate action to properly prepare by limiting privileged access, creating backups, preparing a response plan, and prioritizing cyber investments and trainings.

Government Organizations Are Squarely in Hackers' Sights
While enterprises are often advised not to pay ransoms or give in to hackers' demands, every incident is unique depending upon the nature of the attack, the organization being targeted, and the information that is affected. If the ransomware attack targets critical technology, attackers have the power to completely halt revenue-generating operations. Ironically, ransomware gangs have also developed a certain level of trust with their victims by holding true to their promise of releasing the decryption key and not disclosing sensitive files to the public once the ransom is paid, thus ensuring a steady stream of targets willing to pay if they have no other choice.

The City of Tulsa, Okla., was hit by a ransomware attack that affected the city government's network, shut down official websites, and caused delays in network services. Subsequently, the Wi-Fi in government buildings was brought down and residents were unable to pay their utility bills.

If an incident is destructive and damaging enough, it may require officials to declare a state of emergency, which allows access to additional resources and funds from the federal government. As ransomware payments are slowly beginning to creep up, hackers may see more vulnerable targets as low-hanging fruit that provide access to more resources should an attack be damaging enough. An increasingly lucrative ransomware attack strategy is moving beyond a single user or company and deploying an attack that affects the entire supply chain of a particular industry. Recently, this ripple effect has proven to be devastating to the companies involved and communities affected.

Fortunately for Tulsa, the city has a strong disaster recovery plan that allowed officials to restore the bulk of the data, keep government-run facilities operational, and protect taxpayer dollars from hackers demanding a ransom.

Learning From the Past
In 2019, a cyberattack on Louisiana state government servers devastated the Department of Motor Vehicles, Department of Transportation and Development, and the Department of Revenue. While Louisiana decided not to pay the ransom, it still cost the state north of $2 million to recover. Similar incidents occurred in Atlanta and Baltimore in recent years that caused millions of dollars in damages to restore and repair operations after ransoms were not paid. Consequently, 68% of organizations that fell victim to ransomware have paid the ransom in 2020.

As ransomware attacks continue to rise at an astounding rate, hackers are seeing it as a lucrative and effective method for extorting organizations with minimal to no repercussions. Enterprises are also seeing how devastating the aftermath of an attack is, particularly from past examples of local and state governing bodies not paying demands and then suffering additional consequences as a result.

Allocating the Right Resources
According to Deloitte's 2021 NASCIO Cybersecurity Study, which surveys all 50 states' respective state chief information officers, 44% of states spend less than 5% of their IT budget on cybersecurity, and a majority say that a lack of budget is the top barrier to overcome for cybersecurity defense.

The fact is that states and local agencies are not allocating proper resources to a growing threat. With ransomware payouts increasing exponentially and more organizations opting to pay ransoms, a plan of action must be put in place to properly shore up defenses, develop a proactive security platform, and diligently monitor network vulnerabilities and potential gaps.

Preparing for the Worst-Case Scenario
First and foremost, key decision-makers need to have a disaster recovery plan that includes adopting cyber insurance and incorporating off-site backups to ensure they can effectively recover from a ransomware attack and restore sensitive information and critical business systems. Positioning backups off-site, separated from the primary network, can help ensure the backups aren't compromised during an attack.

IT leaders also need to develop and maintain a cybersecurity program that provides holistic, real-time observability into the system's infrastructure to stay apprised of abnormalities while ensuring that data is secure. Additionally, IT leaders need to ensure the company is following a strict IT hygiene strategy that includes routinely patching systems and applications.

Leveraging a Zero-Trust Framework
The more privileged access a user has, the more damage a ransomware attacker can inflict on an organization. By restricting privileged access to select users with imperative business needs, you compartmentalize a potential attack and limit its impact on critical business functions. Adopting a zero-trust framework with least-privilege controls, where only a limited set of users is granted access and even those users are treated as potential threat actors, is another way agencies can establish airtight controls.

These kinds of attacks are now a matter of when, not if. Making sure security teams have adequate resources and are well versed in the latest attack methods and vectors will help ensure systems are adequately monitored to thwart potential threats.

Several high-profile attacks have put a new spotlight on ransomware and heightened security concerns for all organizations. Local governments must realize that the swelling number of incidents, paired with costlier and more frequent payouts, will make them a larger target for threat actors.

The ability to tap into federal resources in the instance of a shutdown will also be an attractive angle for hackers to leverage and may increase the severity of the attacks. Ultimately, local and state leaders need to limit network access, regularly monitor defense postures, and allocate more funds and dedicated resources into effective security solutions that will properly safeguard sensitive data from impending attacks.

About the Author

James Carder is the CSO and VP of Labs at LogRhythm. James has more than 23 years of experience working in corporate IT security and consulting for the Fortune 500 and US Government. At LogRhythm, he develops and maintains the company’s security governance model and risk strategies, protects the confidentiality, integrity, and availability of information assets, oversees both threat and vulnerability management as well as the security operations center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs threat research, compliance research, and strategic integrations teams.
