Mitigating the Risk of Ransomware Attacks in the Public Sector

Ransomware attacks were on the rise around the world in 2019. In the U.S. alone, more than 620 government entities, public institutions, healthcare service providers, school districts, colleges and universities had their data held hostage. These relentless attacks have interrupted everyday life in U.S. cities by massively disrupting municipal operations, emergency and medical services, and educational institutions.

Why governmental agencies and public institutions are a primary target

Attackers target public institutions for several key reasons. First, they are more likely to pay up. After all, the goal of a ransomware attack is to disrupt operations badly enough and long enough that the organization will pay the ransom. According to Coveware, a typical ransomware incident lasts for 9.6 days — an eternity for any governmental organization and public institution under the constant pressure of public scrutiny because so many people depend on its services. For example, DCH Health Systems, a network of Alabama hospitals, paid an undisclosed sum to attackers after encryption of critical files forced staff to use paper copies instead of digital records and turn away new patients. Similarly, more than 50  educational organizations experienced ransomware attacks last year, forcing some of them to delay the beginning of the academic year for thousands of students and their families;  one district paid $88,000 for the decryption key after negotiating the payout down from $176,000.

Second, many governmental agencies and public institutions lack the resources to protect against cyber attacks in general and ransomware in particular. Many of them, especially smaller organizations, use managed service providers (MSPs) to help with IT operations, which often requires granting the MSPs elevated privileges. This provides an additional entry point for attackers, who target the MSP and distribute their ransomware to many of its clients at once. For instance, a single threat actor attacked 23 Texas government organizations using this attack path.

Of course, some municipalities refuse to pay ransom, which is the strategy recommended by many law enforcement agencies. Baltimore, for instance, declined to pay over $75.000 in bitcoin to an attacker and instead decided to recover the data from backups. Even so, the financial damage can be significant. Baltimore estimates the cost of the malware attack at $18 million, which includes not just remediation but hardening of the environment against future attacks.

How government and public institutions are responding to ransomware attacks

Legislation. The U.S. Senate passed the DHS Cyber Hunt and Incident Response Teams Act, which authorizes the Department of Homeland Security to send teams to help private and public entities battle ransomware attacks.

Cybersecurity insurance. In November 2019, the city of Baltimore approved the purchase of $20 million in cyber liability insurance to cover any additional disruptions to the city’s networks in 2020. Cyber liability insurance will typically pay the ransom and other extortion-related expenses, as well as recovery costs for restoring or replacing programs and data.

Mandatory training. After a coordinated attack on 23 Texas government organizations, the state announced it would require annual cybersecurity training for government employees. Dozens of other states are requiring security awareness programs as well. By teaching cybersecurity best practices, these programs aim to install proper habits and procedures for protecting information resources.

Strategies for mitigating the risk of ransomware

There is no reason to believe that any organization can block all ransomware attacks. But there are ways to minimize the damage of ransomware infections. For example, when ransomware hit Louisiana state government systems in November 2019, the state was able to quickly detect the attack and neutralize it before it caused serious damage — because back in December 2017, the state had established procedures for dealing with cyber attacks and the agencies were prepared.

The following measures can help you limit the impact of a ransomware attack:

  • Take regular, comprehensive backups and keep them secure. Good backups are probably the best answer to the question, “How do I recover from a ransomware attack?” Regularly back up all critical information, and keep the backups isolated from your network.
  • Use network segmentation and intrusion prevention technologies. Segment your network to block ransomware from spreading. Use network access controls, firewalls, virtual local area networks (VLANs) and other techniques for intrusion prevention.
  • Properly configure your web filter, firewall and antivirus software to block access to malicious websites and scan all files that are downloaded.
  • Properly configure access to shared folders. If you use shared network folders, create a separate network share for each user. Since malware spreads using its victim’s access rights, make sure that access is restricted to the fewest users and systems possible. Otherwise, the infection of one computer can lead to the encryption of all documents in all folders on the network.
  • Enforce least privilege access. More broadly, limit the damage ransomware can do by minimizing privileges based on each user’s job requirements and performing periodic assessments to ensure adherence to the principle of least privilege.
  • Monitor user behavior. To spot ransomware in a timely manner, audit activity around data and set up alerts on abnormal spikes in file activity, which are indicative of ransomware in progress.
  • Conduct regular employee awareness training. People are the weakest link in your security, and their mistakes can cost the organization a fortune. Therefore, invest in raising security awareness through comprehensive training tailored to the specific groups of users accessing your network.
  • Increase attention to supply chain security. Third-party risk management should get more attention. The recent attacks on Texas cities through MSPs are the first sign of this new threat vector, but it will become increasingly popular as public agencies increase cloud adoption as mandated by the Federal Cloud Computing Strategy. Take a risk-based approach to evaluating partners and vendors, and pay close attention to how providers treat high-value assets.

Conclusion

A final tip: Don’t pay ransom. Paying ransom helps make these attacks a viable “business model” for the perpetrators. Moreover, according to Symantec, only 47% of organizations that pay the ransom actually get their files back. By establishing healthy habits, you can mitigate the risk of ransomware causing serious damage and recover without engaging with the attackers.