Some state and local officials have said they’re getting better at responding to ransomware incidents, as the list of victims gets longer seemingly every week. But people in the government cybersecurity community are also increasingly resigned to the fact that being attacked with extortion malware isn’t so much a possibility as an inevitability.
During a CyberTalks panel Friday, New Jersey Chief Information Security Officer Michael Geraghty said the statewide fusion center he runs has detected at least 40 ransomware incidents across state, local and private-sector entities in 2020 alone.
What’s changed, though, he told CyberScoop’s Sean Lyngaas, is that governments, after being walloped for the last several years, are trying to be better prepared by crafting detailed response and recovery plans and building partnerships with public- and private-sector partners.
“Having an incident response plan is really important,” he said. “But making sure you have those connections and networks. There’s lots of assets we can bring to the fight in terms of remediating. Then there’s the law enforcement and hopefully prosecution later on.”
Rachel McEneny, the commissioner of administrative services for Albany, New York, spoke from experience in recounting a March 2019 attack that took down multiple city services, including vital records and municipal payroll systems. She recalled racing to mount a response.
“I received a call at 5 a.m. on a Saturday from my IT director,” she said. “As soon as I hung up the phone, your mind starts wondering if this is going to affect traffic signals, 911, you really do pop out of bed. This is no different than any type of disaster like hurricanes.”
McEneny said Albany official were able to shut down IT systems “within hours,” though city workers had to spend several days completing tasks with pens and paper instead of their office computers. And while most affected systems were restored within the first few days, digital records for birth and death certificates were offline for months, she said.
McEneny also praised her city’s public response to the incident, saying residents of New York’s capital were informed of the matter within the first few hours, though at the time, Albany leaders were criticized for being a bit sparse with details.
But Kevin Youngquist, the vice president for public sector at the data-management firm Veritas, said that for cities and states, ransomware is just a matter of time.
“There is no magic pill you can take to protect you,” he said. “It’s not a matter of if but when you’re hit with ransomware. Being realistic that there’s no technology that’s 100% foolproof. The stigma is gone. It’s not ‘You’re not running the IT shop correctly,’ it’s, ‘What’s your plan B when it does happen?'”
Still, accepting that inevitability had few silver linings for Geraghty, who predicted the ransomware problem will only continue to get worse, especially as malicious actors shift their tactics from simply locking up government data to stealing it and threatening to publish it.
“I’m not optimistic,” Geraghty said. “Ransomware has become so profitable for the bad actors. Now they’re taking their profits and dumping into research and development so they can continue to evolve their tradecraft and attacks.”