At least nine local governments across Texas have been identified as victims in last Friday’s widespread ransomware incident that targeted impacted nearly two dozen cities and counties across the state. Meanwhile, the apparently coordinated attack continues to attract the attention of cybersecurity professionals — including a top federal official — as a clear sign that ransomware is maturing.
“It’s only getting worse,” Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said Thursday during a speech at Auburn University. “The actors are shifting their business models and going to more coordinated attacks like Texas.”
On Thursday, the cities of Kaufman and Wilmer; Grayson and Lubbock counties; and the police departments in the cities of Bonham, Graham and Vernon joined the list of known victims in the attack, which was first reported last Friday. Previously, the cities of Keene and Borger had put out statements saying they had systems like utility payments and vital records requests knocked offline by the ransomware.
Other than Lubbock County, which has a population of about 305,000, most of the other known victims are small towns with fewer than 15,000 residents and few in-house IT resources. Lubbock was able to martial a quick response, Curtis Parrish, the county judge, told a local television station.
“Our IT department was right on top of it,” he said. “They were able to get that virus isolated, contained, and dealt with in a very quick manner so it did not affect any other computers or any other computer systems here in Lubbock County.”
But the smaller targets have been less fortunate, like Wilmer, a Dallas suburb of about 3,700 that is trying to restore files at its police department, public works department and public library, where clerks have resorted to signing out books on pen and paper.
Reported attack vector questioned
There is also no apparent pattern to how the 22 communities hit by the ransomware, spread across hundreds of miles, ended up in their predicament. Some reports have linked the ransomware attack not to direct delivery to the municipalities themselves, but rather through a managed service provider used by the victims, as the mayor of Keene told NPR on Tuesday.
The Texas Department of Information Resources, which is leading the state-government’s response to the ransomware attack along with a host of other agencies, declined to comment on whether the incident could have begun with an IT vendor, citing the federal government’s involvement in the investigation.
But some cybersecurity researchers are reluctant to concur that the attack began with a managed service provider.
“We have not confirmed that an MSP was the infection vector, and we are not aware that the infection vector has been confirmed by any security organization, including the Texas Department of Information Resources,” said Chris Hinkley, a senior researcher with the cloud security provider Armor. “It is a possibility that the 22 government entities hit by the ransomware could have shared the same MSP for a service. However, it is also plausible that the threat actors behind this attack spear phished a list of curated targets — all of them working on behalf of Texas local government organizations. And if that was the case, it is likely that other small government organizations within Texas were also targeted, outside of the 22 victim entities, but did not fall victim to the attack.”
Texas officials have also declined to name the malware used in the attack. Sources have suggested a variety of possibilities, including Sodinokibi, a successor to the lucrative GandCrab virus, and Ryuk, which was used in several recent high-profile attacks against targets in Florida, Georgia and California.
Whatever the culprit, the Texas attack has caught the attention of many who already pay considerable attention to ransomware, which is becoming a more aggressive threat to state and local governments. There have been 67 publicly disclosed attacks against U.S. municipalities since January, though Armor says it has identified as many as 135, including the 22 in Texas.
Research from Check Point Software Technologies also suggests that ransomware attacks are becoming more sophisticated thanks to hackers choosing specific targets rather than mass-distributing their viruses to thousands of potential victims in hopes one of them opens a malicious link or file. These types of attacks tend to play out in phases, beginning with the injection of a generic malware that later triggers the installation of a ransomware that encrypts the infected systems.
The upshot is a kind of cyberattack that can be more specifically designed and potentially rake in bigger payments, according to Check Point.
“In short, there’s been a paradigm shift with ransomware business models,” its research says. “The key change is marked by an evolving business model oriented around multiple players and stages. Hence, we are now in the era of what we call ’boutique’ ransomware attacks.”
On Wednesday, CISA, which recently cosigned a memo to state and local governments urging them to improve their cybersecurity, made ransomware the subject of its first “CISA Insights” document, a one-page list recommendations for preventing and reporting an attack, including basic and oft-repeated steps like regularly installing security patches, keeping offline backups of critical IT systems, and not paying the ransom.
But Krebs, the CISA director, also said Thursday that governments still need to overhaul how they respond to cyberattacks that compromise public services or critical infrastructure, saying it should work more similarly to how federal and state authorities interact after a natural disaster, which is governed by a 1988 law called the Stafford Act, which encourages state and local governments to develop comprehensive plans for intergovernmental coordination in an emergency.
“We think about responding to hurricanes,” he said. “There is decades of doctrine establishing how states work with the federal government. On the cybersecurity side, there’s not a lot of doctrine and even less experience.”
When it comes to the Texas ransomware, Krebs went on to say that CISA’s role is be more advisory than investigatory, pointing to the state’s robust response that includes its Department of Information Resources, National Guard and Texas A&M University, plus other federal agencies like the FBI. None of the 22 victims there have paid the ransom, and several have reported restoration of services.
Krebs also praised Louisiana’s response to a series of ransomware infections at school districts that prompted Gov. John Bel Edwards to declare a statewide emergency. Strong, coordinated responses like that, Krebs said, can help CISA create the guidance it sends out about future attacks.
“Work with me to share information share findings so we can understand what’s happening, develop mitigations, develop recommendations and get out ahead of the next threat,” he said.