Texas Says 22 Local Government Agencies Hit by RansomwareVictims Receive $2.5 Million Ransom Demand; 'Single Threat Actor' Suspected
Ransomware attackers continue to focus on local government entities as well as smaller businesses. While it's not clear how many crypto-locking malware attack attempts succeed, the lure of a payday appears to be driving a steady stream of criminals to continue such campaigns.
Recent victims have included a number of local government entities in Texas, who have collectively received a $2.5 million ransom demand. The state initially warned that 23 organizations had fallen victim to the Friday morning attack (see Texas Pummeled by Coordinated Ransomware Attack).
On Tuesday, officials revised the victim count down slightly, to 22 affected entities. The Texas Department of Information Resources is leading the incident response effort, assisted by the U.S. Department of Homeland Security, the FBI's cyber division and others.
All 22 affected government agencies or organizations are working with DIR to assess the damage and restore systems.
"More than 25 percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual," DIR says, adding that the state government's systems and networks were not affected by the ransomware outbreak.
Ransom Demand: $2.5 Million
State officials have so far declined to comment on the type of ransomware used by attackers, whether any ransom note has been received, or name the victims.
"Evidence continues to point to a single threat actor. Investigations into the origin of this attack are ongoing," DIR says in a statement. "Because this is an ongoing federal investigation, we cannot provide additional details about the attack."
But on Wednesday, Gary Heinrich, the mayor of one of the affected municipalities - Keene, Texas, with a population of 6,100 - told NPR that attackers collectively demanded a ransom worth $2.5 million to restore all crypto-locked systems across the 22 municipalities. He said the city outsources its IT operations. "They got into our software provider, the guys who run our IT systems," Heinrich told NPR. "A lot of folks in Texas use providers to do that, because we don't have a staff big enough to have IT in house."
On Facebook, the city said it couldn't reveal many details due to the ongoing investigation. But it said that the city cannot handle credit card payments or utility disconnections, although it noted that all emergency services were working as normal and "our drinking water is safe."
Also hit by the attack was the city of Borger, which has a population of about 13,000. In a statement released Monday, officials said that "vital statistics (birth and death certificates) remains offline, and the city is unable to take utility or other payments." It also noted: "Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off."
In addition, it says that Borger "continues to provide basic and emergency services" - namely "police, fire, 911, animal control, water, wastewater and solid waste collection."
Steps to Recovery
To help affected entities recover, DIR notes that it has used the state government's purchasing power to negotiate competitive discounts with IT product and service providers, including for "seat management services," referring to externally managed PCs or workstations.
Estimated Ransomware Costs - Texas 2019
"The management services contracts can help you rebuild your networks or systems to ensure your systems are up to date and able to function in today's technology environment," DIR says. "In addition, to assist public entities in their recovery efforts, DIR has negotiated the addition of network components to the Dell Bulk Purchase Initiative, including servers, other networking hardware, and network virtualization products."
Ransomware attacks can be lucrative for attackers when victims pay. Baltimore received a ransom note demanding $100,000 in bitcoins to decrypt 10,000 ransomware-infected PCs, but it refused to pay the ransom. Some organizations receive even larger demands and end up paying (see Georgia County Pays $400,000 to Ransomware Attackers).
Two Iranians indicted by the U.S. Justice Department last year were charged with earning more than $6 million from victims of their SamSam ransomware. Some 200 victims, including cities and hospitals, paid off the attackers, while others - including Atlanta - did not.
Long Tail of Attacks
Security experts say attackers have long demonstrated that they're not averse to targeting small businesses and smaller government agencies and entities, especially after having already tried their hand at bigger targets.
"Local government systems have become the 'reunion' tours of most forms of malware: First the attackers go after the larger more lucrative targets, who then start to address the vulnerabilities," says John Pescatore, director of research for the SANS Institute, in a recent SANS newsletter. "Then we usually see waves of the same attacks succeeding at smaller firms and then state and local agencies."
Pescatore says smaller firms and government agencies' continued susceptibility to the latest types of online attacks highlights that they have "staffing, funding and governance obstacles that are not being overcome," and also that leaders are failing "to take advantage of advanced knowledge that those high-profile attacks of last year are going to hit them this year."
Call to Action
A coalition of government agencies is calling on state, local, territorial and tribal government organizations to get their act together, noting that prevention remains "the most effective defense against ransomware."
In a joint statement released last month, the U.S. Cybersecurity and Infrastructure Security Agency, the Multi-State Information Sharing and Analysis Center - MS-ISAC - as well as the National Governors Association and the National Association of State Chief Information Officers recommend government agencies follow three essential steps to better combat ransomware.
These steps include backing up all essential systems immediately, and then on an ongoing, daily basis, as well as regularly refreshing employee training on how to recognize the top ransomware infection vectors, including phishing attacks and suspicious links, as well as giving them out-of-band ways to contact IT staff.
In addition, they called on all government agencies to regularly review and update their cyber incident response plans. "Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed," they say. "Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS-ISAC, in the event of an attack."
In the wake of the attacks against Texas government agencies, the state's DIR has also issued these six recommendations to help all organizations better defend themselves against ransomware:
- Update: Keep software patches and anti-virus tools up to date.
- Protect: Create strong unique passwords that are changed regularly.
- Authenticate: Enable multifactor authentication, especially for remote logins.
- Refresh: Modernize legacy systems and ensure software is as current as possible.
- Restrict: Restrict the granting of administrative access.
- Back up: Perform regular, automated backups and keep the backups segregated in a disconnected environment, lest they be crypto-locked too.