Despite hopes that ransomware would buck a trend and become less pervasive, 2020 has offered no relief as multiple strains of extortion malware have continued to wreak havoc across IT organizations, particularly state and local governments trying to survive through the COVID-19 pandemic, speakers said Tuesday during a cybersecurity conference.
“How bad was the problem last year? Terrible,” Charles Carmakal, the chief technology officer at Mandiant, the incident response arm of the cybersecurity firm FireEye, said in a conversation during the Aspen Institute’s Cyber Summit. “How bad was it this year? Somehow, it managed to get worse.”
Carmakal echoed what many of his industry colleagues have said this year in noting that, increasingly, ransomware actors are no longer interested simply in freezing up victims’ systems in hopes of eliciting payments, but are now more motivated to steal targets’ sensitive files and threaten to leak them on the open internet.
“The extortion demand has become multifaceted,” he said. “Not only do people pay to get their systems back online, but they’re paying the threat actor not to post their sensitive data online.”
In North Carolina alone, at least 16 local governments and public education organizations have suffered that type of attack so far this year, said Maria Thompson, the state’s chief risk officer. She said that’s a list of victims that includes cities, counties, community colleges and K-12 systems — and that those are only the ones that have publicly disclosed their incidents.
Carmakal also said ransomware actors’ attempts to elicit payoffs through websites that “name and shame” their targets — a tactic first popularized by users of the Maze ransomware, but one that has since been adopted by other groups — have been effective against victims that provide critical services that can’t afford to be offline. It’s worked particularly well in the health sector, which has experienced a wave of ransomware attacks as the COVID-19 pandemic has worsened.
For public-sector incidents, Thompson said small local governments and school districts are often aware of the usual guidance against paying off a ransomware attacker’s demands. But, she added, state governments can be more proactive in providing assistance.
“When you tell an entity ‘don’t pay,’ there’s a pregnant pause,” she said. “We’re not just saying ‘don’t pay’ and then leaving them to figure out how to recover. We’re saying, ‘Don’t pay and here’s how we’re going to help you.’ ”
Thompson said North Carolina is increasingly promoting its “whole-of-state” approach, in which the resources of the state government — and sometimes the private sector — are made available to victims of cybercrimes. That includes National Guard units, as well as “IT strike teams” convened by the North Carolina Local Government Information Systems Association, a membership organization for IT officials around the state.
She noted the passage of a 2019 law that made it easier for the North Carolina Department of Information Technology to coordinate and lead responses to cyberattacks around the state, and said the department is looking into deploying new tools, such as a continuous monitoring service to scan for network intrusions.
“As soon as we hear there’s a ransomware attack, we’ll launch boots on the ground,” she said.