A seemingly open-ended spate of ransomware attacks against state and local governments prompted the release on Monday of a joint statement from four government technology organizations urging officials to take “immediate action” to make sure their jurisdictions are not the next victim.
“The recent ransomware attacks targeting systems across the country are the latest in a string of attacks affecting State and local government partners,” reads the statement, which was issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the National Association of State Chief Information Officers, the National Governors Association and the Multi-State Information Sharing and Analysis Center. “The growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries.”
There have been nearly 200 publicly acknowledged ransomware attacks against state and local governments since late 2013, and the frequency of incidents does not appear to be slowing down.
CISA Director Christopher Krebs told an NGA conference in May that while 2018 was a “successful year” for ransomware perpetrators, he expected to see more attempts this year, especially by copycat hackers looking to replicate the success of the SamSam ransomware, which collected nearly $6 million from more than 200 U.S.-based victims — including several local governments — over a three-year period.
While the SamSam virus has largely disappeared since the U.S. Justice Department filed criminal charges last November against two Iranian men, other forms of ransomware have stepped into the void. One virus that has thrived in recent months is Ryuk, which has encrypted and disabled government computer systems across the country, collecting six-figure payments from several of its victims. Earlier this month, La Porte County, Indiana, became the latest target to pay up when it wired $130,000 to the Ryuk hackers in exchange for a decryption key.
The joint statement released Monday makes three basic recommendations to government organizations: backing up critical computer systems and configurations daily on a separate device; expanding training for employees to recognize cyberthreats like phishing emails and suspicious links, which are the most common delivery methods for a ransomware attack; and revising incident response plans so that they treat cyberattacks more like disasters.
“Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed,” the statement reads.
The NGA published a memo this month urging its members to draft robust cyberattack response plans that account for continuity of government and adequate staffing in a disaster situation. The memo cited Colorado’s decision to issue a statewide emergency declaration over a February 2018 ransomware attack, a precedent that was followed by Louisiana last week when Gov. John Bel Edwards declared an emergency following a string of ransomware infections at local school districts.
Failing to defend a government organization against ransomware attacks can cost more than any hacker’s demand, as Baltimore is in the process of learning following its encounter with the malware known as RobbinHood. Baltimore’s IT department did not have a formalized disaster response plan before the May 7 attack, and the city’s CIO admitted last week that it could take nine months to draft one. Meanwhile, city officials project it will cost $18 million to rebuild and replace compromised computers and networks and account for lost revenue following an attack that initially demanded $77,000.
Ransomware has also caught the attention of the U.S. Conference of Mayors, which passed a resolution this month calling on cities to refuse to pay their hackers’ demands.