Ransomware attacks on both national and local authorities are on the rise, according to a recent report by Recorded Future. During the first quarter of 2019, there have been 21 reported attacks on Government agencies in the US – a number that is likely to rise as not all ransomware attacks are reported immediately.
Only yesterday, Texas suffered a ransomware attack which affected 22 cities and towns. As opposed to targeting each of the municipalities independently, the attacker was said to have initiated the attack by compromising a single IT contractor. There are not yet any reports suggesting that the ransom ($2.5m) has been paid.
Are US Authorities Being Targeted?
While there has been reports of hackers impersonating alerts by the Department of Homeland Security (DHS) in order to trick employees into installing the ransomware program, many of the attacks mentioned in the above report were more opportunistic than targeted.
That said, given the amount of valuable data Government entities hold, and the amount of disruption ransomware attacks can cause, it would not be unexpected for them to be a prime target.
How Are US Authorities Reacting to the Attacks?
Government entities typically refuse to the pay the ransom, which is a good thing as this may discourage the cybercriminals from trying again. 7.1% of entities who were the victim of a ransomware attack paid the ransom – compared to 45% of organizations across other industry verticals. It could be argued that the private sector is more likely to pay the ransom due to fears of going out of business – a problem that doesn’t really apply to Governments.
How can Governments Protect Themselves Against Ransomware?
Ransomware attacks are typically delivered via two methods. The first is through spam and is usually packaged in the form of an email attachment. The second method relies on exploit kits which are designed to identify security vulnerabilities on the victims’ device. Cybercriminals will seek to compromise a legitimate website – as to redirect the visitors to a site where the exploit kit is installed. If a vulnerability is identified, the ransomware program is automatically installed on the victims’ device.
Most ransomware attacks are designed to exploit Windows vulnerabilities. However, for most Government entities, switching to a different operating system is not an option. Not only that but it won’t actually fix the problem in the long term.
Over time, hackers will develop types of malware that will exploit vulnerabilities in a wider variety of platforms. Instead, they will need to focus on making sure that all software is patched and up to date. They will need a robust backup solution, and backups will need to be tested periodically. Given that some strains of ransomware are able to locate and encrypt backups, it might be an idea to use a cloud-based Disaster Recovery service to be extra safe.
Naturally, it is a good idea to use firewalls, antivirus solutions, and email filters/scanners from trusted vendors. However, AI and machine-learning can also be useful for identifying normal patterns of behavior and respond to events that deviate from this pattern.
Automated Data Security Platform, like LepideAuditor, utilize machine learning to help spot anomalies in activity that could be indicative of a ransomware attack. Such solutions can be used to detect and respond to events that match a pre-defined threshold condition, which can be useful when detecting ransomware in progress. For example, many ransomware attacks encrypt file names by changing the extension. Solutions can tell you if X number of files are encrypted within a given timeframe, and a custom script can be automatically executed which might disable a user account, adjust the firewall settings, or simply shut down the affected server.
We need to bear in mind that algorithms are only as good as the humans that design them. Government agencies will still need to ensure that all staff members are sufficiently trained to quickly identify and report on anything that is indicative of a ransomware attack.