Over the last 12 months, we have seen a large number of cities in the USA fall victim to sophisticated ransomware attacks, including New York, Washington, Atlanta, Maryland and more.
Baltimore, the most recent victim in this wave of ransomware attacks, experienced their second attack in the last 12 months. Thousands of computers in Baltimore’s city government were completely frozen on the 7th May 2019 after criminals got their hands on them. The attackers demanded 13 Bitcoin, which at the time equated to approximately $114,000, to unlock all of the computers. Authorities refused to pay this ransom.
The disruption that ransomware can cause to city governments and residents is drastic. Locals in Baltimore were unable to pay their bills, parking tickets and taxes. Many were unable to send or receive emails.
The most annoying thing? It could easily have been avoided by simply patching Windows machines to fix the flaw exploited by EternalBlue (a known hacking exploit that was released two years prior to the breach).
Why Are Governments at Risk?
No industry or vertical is safe from ransomware attacks. If you are targeted, then it is likely the attacker will find a way in. Governments, however, appear to be slightly more at risk due to their importance within the local community. Government bodies have critical services that they must offer to their residents, and downtime can seriously affect their ability to do that. Another possible reason that governments appear to be targeted more often is that they lack the fundamental resources to secure their data and infrastructure.
How Do Ransomware Attacks Start?
The vast majority of ransomware attacks begin with phishing emails that rely on the carelessness of users. Hackers know that if they send enough emails that look legitimate, they will eventually get a user to click on a malicious link or open a compromised attachment.
It’s tempting to assume that most people know how to spot and ignore phishing emails, but research presented at Black Hat USA back in 2016 suggests the opposite. Despite a widely acknowledged increase in cybersecurity awareness, a staggering 45% of participants clicked on the malicious link. Despite this, only 20% of people admitted to clicking the link when questioned about it.
What does this tell us? It tells us that trust is not a security strategy. We cannot trust our users to notice and ignore a phishing email. There must be something else we can do.
How Governments Can Defend Against Ransomware
The vast majority of ransomware attacks occur due to privilege misuse or abuse. One simple solution could be to remove local admin rights from endpoints likely to be targeted. By effectively managing permissions and using a Data Security Platform to get visibility into the changes being made to data and infrastructure, you can likely detect and prevent ransomware attacks before they cause real damage.
Many Data Security Platforms enable you to perform threshold alerting, which raises an alert when a large number of changes occur over a short period of time (a common occurrence with some forms of ransomware). Such solutions can then execute an automated script upon receipt of these alerts that can shut down a computer or server.
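To make the threshold idea concrete, here is an added sketch (not taken from any particular Data Security Platform) of a sliding-window check over file-change events. The log format, host and user names, the 60-second window and the 100-change threshold are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CHANGE_ACTIONS = {"modify", "rename", "delete"}  # actions counted as "changes"

def parse_event(line):
    """Parse 'ISO-timestamp host user action path' (constructed format)."""
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, path

def detect_bursts(lines, window=timedelta(seconds=60), threshold=100):
    """Return one alert per (host, user) the first time that account makes
    more than `threshold` changes inside a sliding `window`."""
    recent = defaultdict(deque)        # (host, user) -> timestamps in window
    alerted, alerts = set(), []
    for line in lines:
        ts, host, user, action, _path = parse_event(line)
        if action not in CHANGE_ACTIONS:
            continue                   # reads do not count towards the rate
        key = (host, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # drop events older than the window
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            # A response script (isolate or shut down `host`) would hook in here.
            alerts.append({"host": host, "user": user, "time": ts, "changes": len(q)})
    return alerts

def sample_events():
    """Constructed sample: a slow normal user, then a rapid rename burst."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(30):                # one change every 20 seconds
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} ws-finance-01 alice modify /share/reports/r{i}.docx")
    for i in range(150):               # five changes per second
        t = base + timedelta(seconds=300, milliseconds=200 * i)
        lines.append(f"{t.isoformat()} ws-permits-07 bob rename /share/permits/p{i}.pdf")
    return sorted(lines)               # ISO timestamps sort chronologically
```

Keying the window on host and user, rather than counting changes globally, keeps a busy file server from masking a single endpoint that has started rewriting files in bulk.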