by Christa Miller
Ransomware has captured a large share of mainstream media coverage in recent months, due in no small part to attacks that have crippled small local and county governments in the United States. One coordinated attack in particular affected 23 Texas communities in July, and a new interactive map from StateScoop shows all attacks since 2013, updating with new ones as they occur.
In fact, Recorded Future’s Allan Liska reported in May that “State and local governments were among the first organizations to be hit with ransomware.” His research confirmed that ransomware attacks are on the rise, affecting 48 states and the District of Columbia. CBS News’ Irina Ivanova reported that of the 70 reported ransomware attacks in the first half of 2019, more than 50 targeted cities.
Research from Barracuda, meanwhile, reported that nearly half of the 55 attacked municipalities they studied had populations of fewer than 50,000 residents, while close to a quarter had fewer than 15,000 residents. “Smaller towns are often more vulnerable because they lack the technology or resources to protect against ransomware attacks,” the blog stated.
Liska’s report additionally found that smaller governments “tend to be more targets of opportunity” than deliberate targets. “Even groups like the teams behind Ryuk and SamSam appear to stumble into these targets,” he wrote. “However, once these groups do realize they are in a state or local government target, they take advantage of the fact by targeting the most sensitive or valuable data to encrypt.”
Moreover, wrote Liska, the “outsized media coverage” devoted to ransomware’s effect on governments “likely creates a perception among attackers that these are potentially profitable targets” in spite of a lower than typical likelihood of a payout.
How ransomware infects and spreads through networks
The most common attack vectors, according to security firm Palo Alto Networks, are emails that contain malicious links or attachments, or malicious or compromised websites that users browse to. Zuly Gonzalez, co-founder and CEO of Light Point Security, says both browser vulnerabilities and user actions can result in browser-based ransomware infections.
“The important thing for folks to know is that many times simply visiting a website is enough. No need to download anything,” she says. “Even typically safe, legitimate websites, like news sites, can infect your computer. And any website that displays ads poses a risk to the user, because ads can serve malware or redirect users to malicious websites that will deliver the malware/ransomware.”
That doesn’t mean other vulnerabilities can’t come into play. In Allentown, Pennsylvania, according to the New York Times, a city employee took his work laptop with him, missed critical updates, and then clicked on a phishing email before returning to the office. There, the malware — not ransomware — was free to spread throughout the network.
In Baltimore, meanwhile, “a city information technology team troubleshooting a separate communications issue with the server inadvertently changed a firewall and left a port… open for about 24 hours, and hackers who were likely running automated scans of networks looking for such vulnerabilities found it and gained access [to the city’s 911 dispatch system],” wrote Kevin Rector for the Baltimore Sun.
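The Baltimore case above turned on a routine firewall change that left a port open for about a day, long enough for automated scans to find it. As an added example that is not from the article or from any of the vendors it quotes, the following check reads a firewall audit log and flags allow rules that stayed in place (or are still in place) longer than a threshold; the log format, the `it-team` actor and the sample entries are constructed for illustration.

```python
# Added example (not from the article): flag firewall allow rules that stayed
# in place longer than a threshold. Log format is a constructed simplification:
#   "<ISO timestamp> <ALLOW|REMOVE> <port>/<proto> <who>"
from datetime import datetime

# Constructed sample log: a troubleshooting change opens 3389/tcp and is only
# reverted about 26 hours later; 443/tcp is reverted within the hour; 22/tcp
# has no REMOVE entry at all, so it is still open at report time.
SAMPLE_LOG = """\
2019-03-24T09:00:00 ALLOW 443/tcp it-team
2019-03-24T09:45:00 REMOVE 443/tcp it-team
2019-03-24T10:00:00 ALLOW 3389/tcp it-team
2019-03-25T12:10:00 REMOVE 3389/tcp it-team
2019-03-25T13:00:00 ALLOW 22/tcp it-team
"""

def parse_log(text):
    """Turn log lines into (timestamp, action, target, who) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, action, target, who = line.split()
            events.append((datetime.fromisoformat(ts), action, target, who))
    return events

def exposure_windows(events, now):
    """Pair each ALLOW with its REMOVE; unmatched ALLOWs run until `now`."""
    open_since, windows = {}, []
    for ts, action, target, _who in sorted(events):
        if action == "ALLOW":
            open_since.setdefault(target, ts)  # keep the earliest open time
        elif action == "REMOVE" and target in open_since:
            windows.append((target, open_since.pop(target), ts, True))
    for target, ts in open_since.items():
        windows.append((target, ts, now, False))  # never closed
    return windows

def find_overexposed(text, now_iso, max_hours=24):
    """Return (target, hours_open, still_open) for every window over max_hours."""
    now = datetime.fromisoformat(now_iso)
    flagged = []
    for target, opened, closed, was_closed in exposure_windows(parse_log(text), now):
        hours = (closed - opened).total_seconds() / 3600
        if hours > max_hours:
            flagged.append((target, round(hours, 1), not was_closed))
    return flagged

if __name__ == "__main__":
    for target, hours, still_open in find_overexposed(SAMPLE_LOG, "2019-03-26T14:00:00"):
        print(f"{target}: exposed {hours}h ({'STILL OPEN' if still_open else 'closed late'})")
```

Run against a real change log, the same logic turns a one-off troubleshooting rule into an alert before the exposure window reaches a day, rather than something discovered after the fact.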
The impact of ransomware on small communities
Baltimore’s downed 911 system was only one example of ransomware’s impact. In Orange County, North Carolina, more than 100 computers at the library, the tax department, the planning board, the county register of deeds, and the sheriff’s department were affected. Certain transactions couldn’t be processed, and deputies couldn’t access criminal records — a potential officer safety issue.
In Rockland, Illinois, ransomware that hit the school district took out its phones, website, and student information systems. The district was able to use its Facebook page to communicate with the community, but the attack disrupted the first weeks of school.
Ransomware’s impact can be much broader, however. At Forbes, Chloe Demrovsky wrote: “Because governments manage sensitive information and critical infrastructure, outages could have national security implications, damage the local economy, and harm the general public more broadly.”
A considerable concern, Demrovsky continued, is data integrity of the “tremendous amount of sensitive data” about citizens that governments collect and have access to. “Cyber criminals may have tampered with the information, kept a copy for future use, or could repeat their ask in some way,” she wrote, adding:
“If that data and the accompanying data practices are made public, how will the public react and will trust in institutions crumble further? Even if it doesn’t become public information, what might the hackers do with it or who might be interested in purchasing it?”
Ransomware prevention
Conventional wisdom focuses on prevention. Indeed, the Rockland school district was looking at funding a number of measures including IT upgrades, mandated security awareness training from KnowBe4, and security software renewals.
These measures are among the ransomware defenses listed by the National Credit Union Administration:
- Educate all staff on ransomware’s risks and how to use email and the web safely.
- Create regular backups of critical systems and data.
- Maintain up-to-date firewalls and anti-malware systems and protections.
- Use web- and email-protection systems and software.
- Limit the ability of users or IT systems to write onto servers or other systems.
- Have a robust patch management program.
- Remove any device suspected of being infected from your systems.
Education can be tricky when the landscape itself keeps changing. For example, says Gonzalez, “[T]here’s no way to know if a website will result in a ransomware infection.” Organizations can implement a browser isolation solution, which “completely isolat[es] all web content off of the user’s computer, thus preventing malware from ever reaching the user’s computer in the first place.”
Browser security, together with email security and good patching practices, are just a few of the ways Gonzalez says a small organization can improve its security even with a limited budget. The key, she says, is starting small, relying on resources like the CIS Security Controls as a manageable starting point. “It isn’t necessary to implement everything all at once,” she adds.
Whether taxpayers prefer their hard-earned dollars to go towards security measures rather than complying with ransom demands is an open question. ProPublica’s analysis of the attack on Baltimore noted that the city spent $5 million in recovery costs relative to the $76 thousand ransom originally demanded.
Still, sensitivity to taxpayers can mean IT systems running on what the New York Times called “motley collections of vintage software,” whose 18-month refresh cycles can make it challenging to implement good patching practices.
The high cost of hiring cybersecurity professionals is another factor. But this, Gonzalez says, is fixable by hiring young talent. “There are a lot of young, hungry folks looking for entry-level positions,” she explains. “They’re not as experienced as a CISSP, but they are also not as expensive. There’s obviously a tradeoff there, but at least it gives [small entities] a ‘fighting chance.’”
Another way to solve the talent problem is to automate security functions through technology. Even so, says Gonzalez, many security solutions are built for large-scale enterprise environments with dedicated IT and security staff to run them. That can make them overly complicated for smaller entities running on tight budgets. When those entities believe they aren’t targets to begin with, they can tend to underspend on security.
In turn, she says, their hesitation can signal to vendors that security isn’t a priority. Compounding this is the mismatch between the amount a vendor needs to sell to be profitable and the time and resources it spends on tech support when a smaller organization has no in-house IT staff.
Gonzalez acknowledges that vendors can do a better job of “strik[ing] the right balance between delivering a solution that is easy to use and works out of the box and is full-featured and flexible enough to satisfy complex networks and allow for unique enterprise customizations.” In addition, vendors can work harder to educate small organizations about the risks of both targeted and opportunistic attacks.
Are managed services a good answer?
Many small entities rely on third-party managed service providers (MSPs) to host their IT systems because they assume the MSP is creating appropriate backups, patching, and maintaining the systems. However, this can create another layer of vulnerability. Often, MSPs themselves have become targets.
Gonzalez says relying on an MSP is still better than nothing at all. However, she cautions that broad IT expertise isn’t the same as security or incident response expertise. Few MSPs are willing to offer these specialized services, and frequently, their clients don’t understand the difference. In trusting MSPs to prevent incidents, their clients may not recognize the need for consistent security and incident response services.
Gonzalez thus advises government and small-business leadership to ask “lots of questions” about how long an MSP has handled security, whether it has similarly sized clients, the steps it takes to safeguard organizations — including its own — and its response plans and their scope. Sometimes online reviews might be available.
MSPs may be unable to provide adequate answers. “But from a positive side,” Gonzalez says, “[this] gives DFIR pros an opportunity if they can find the right MSPs to partner with.” Managed security services providers (MSSPs) are another option. They are, however, still a third party, and they may not offer the broad IT support their clients need.
Gonzalez’s opinion: in-house is still best. This isn’t always possible, she acknowledges, but “being able to control your own infrastructure and data reduces your risk [of] loss due to third-party partners.”
Then again, she adds, “Having full control over your data (and limiting the number of 3rd party suppliers you work with) doesn’t do you any good if you are in over your head and leave your network exposed for hackers to get in.”
Responding to a ransomware attack
Most security professionals recognize that incidents of all kinds are a matter of “not if, but when.” In an April 2018 interview with Marketplace, Sophos’ Chester Wisniewski, a principal research scientist, stressed the need for a good disaster recovery plan. “I think organizations have largely focused too much on prevention, which is impossible to do perfectly, and not enough of their resources on being prepared for the bad thing when it happens,” he said.
Google relies on a form of the Incident Command System (ICS), well known among fire and emergency management officials for coordinating response to wildfires, chemical / biological / radiological / nuclear (CBRN) releases, and mass casualty incidents.
As with those kinds of incidents, containment is the first priority so the infection doesn’t spread. A particularly well-handled example: in Texas, Lubbock County IT staff were credited with rapidly ending the attack by isolating the infected computer from the rest of the network.
It helped, of course, that the initial call was made by a county employee who noticed something wasn’t right, and that the IT staff had the training to know what to do. In addition, CNBC reported, Texas implemented its “Level 2 Escalated Response” — the second highest of the four levels in the state’s alert protocol.
But plenty of other small governments have been caught unawares and even potentially outgunned. Near Chicago, Lake County, Illinois IT staff had to unplug their 64 servers to perform the needed scans.
Matthew Meltzer, a security analyst with Virginia-based vendor and security firm Volexity, concurs that containment involves disconnecting all affected systems from the network. Similarly, clients of a compromised MSP or MSSP would want to disable its access and engage another provider or firm to conduct the investigation, minimizing risk associated with the provider compromise.
At the same time, though, it’s important for first responders to be mindful to preserve evidence. “[This] is a critical step in order to effectively determine the root cause and breadth of an infection,” Meltzer explains.
In fact, containment, he adds, is only truly successful when responders understand the attack vector, because it’s the only way to tell “what kinds of privileges an attacker may have started with, to what systems they may have pivoted… [and] if [the] incident is automated in nature or is being conducted by a human.”
In turn, this helps to determine the infection’s scope — how far it may have spread. Meltzer says, “This determination can quickly take the investigation down drastically different paths.”
Meltzer recommends acquiring memory as soon as possible after the infection, before rebooting the infected machine. Memory could potentially be the only source of evidence in an attack, not only because it could hold key artifacts that couldn’t otherwise be found on the disk, but also because some ransomware variants may encrypt system artifacts such as logs and other disk-based artifacts.
Meltzer says other artifacts ideally would include log and packet data stored centrally for all inbound, outbound, and lateral traffic, as well as key disk artifacts and memory samples of the affected systems immediately after infection.
Achieving that ideal can often, however, be “wishful thinking,” Meltzer adds, “and you have to adjust your methodologies to collect and analyze whatever relevant data that is available.” Overall, he says the key takeaways for under-resourced organizations should be:
- Quickly engage a third party who knows how to initiate a proper incident response.
- Simultaneously begin disconnecting key/critical systems from the local network and internet.
- Do not reboot infected systems and do not attempt to “clean” (delete) anything.
Meeting the long-term challenges
Ultimately, effectively preventing and responding to ransomware attacks may be a matter of careful relationship-building. “[R]esponders can’t change things that occur before they’re called,” says Meltzer. “[I]nstead responders need to provide very clear instructions to affected organizations early in order to maximize data preservation.”
The time to accomplish this isn’t at the outset of an attack, but rather, well in advance. Meltzer says one way to start building a relationship is through a proactive threat assessment, which has several benefits:
- It can identify current risks and establish best practices, which can minimize the chance of future incidents occurring.
- It’s cheaper than a full-blown incident response and any subsequent data recovery or decryption efforts.
- It offers the opportunity for an organization to get to know an incident response firm before a breach takes place.
Meltzer advises a thorough selection process, saying that incident response providers with a history of quality research publications and involvement in the information security community will have a leg up over competitors, including MSPs and MSSPs.
Once a firm is retained, clear and upfront service agreements, retainer policy, and other details help to establish trust between organizations. “[Defining] a standard procedure that first responders can leverage in order to efficiently collect evidence can go a long way to preserve data that the second-tier responders will analyze. It also limits the amount of evidence tampered with or destroyed,” Meltzer says.
Meltzer says one of the most valuable things an incident response firm can do is stay connected with small businesses and local governments in the communities they operate in, encouraging these entities to include cyber security incident response in their business continuity and disaster recovery plans. “It is always better to have a plan in place before something catastrophic occurs,” he says.