Coordinated Ransomware Attacks Hit Resource-Constrained Municipalities
August 20, 2019
A financially motivated ransomware gang hit 23 local governments in Texas in a coordinated attack. Ransomware is a type of malicious software, often delivered via email or drive-by web downloads, that locks up an organization’s systems until a ransom is paid or files are recovered by other means such as backup restoration. This most recent Texas offensive follows attacks in New York, Louisiana, Maryland, and Florida that resulted in significant financial losses, decreased productivity, and downtime of services to citizens.
Why Municipal Governments are Targeted
Local governments are prime targets due to their decentralized organizational structures, relatively small IT and security teams compared to commercial organizations, and their responsibility to maintain uptime for local services like licensing, zoning, and permitting. Digital transformation and eGovernment initiatives, along with always-on devices, have also expanded the attack surface available for hackers to exploit. Traditional anti-virus tools are insufficient to protect against today’s coordinated and constantly morphing cybersecurity attacks. Many local governments are under the impression that they must invest heavily in software and staff and go it alone. Managed security service providers have changed the security landscape by providing SOC-as-a-Service via a co-managed SIEM (Security Information and Event Management) platform with integrated EDR (Endpoint Detection and Response), driven by a 24/7 SOC (Security Operations Center).
How Municipal Attacks Take Hold
While specific tactics, techniques, and procedures (TTPs) are still unfolding, common elements believed present across these statewide cybersecurity attacks include:
- Ransomware attacks commonly use phishing emails to lure unsuspecting employees into acting on them
- Ransomware frequently spreads rapidly to connected systems, rendering them unusable
- The 23 ransomware attacks in Texas are coordinated and the work of a single threat actor, according to state officials
- Anti-virus and anti-malware tools alone do not detect and remediate advanced attacks like ransomware and zero-day threats
Texas had prepared for possible large-scale cybersecurity incidents with statewide cybersecurity resources such as the Department of Emergency Management and the implementation of a four-step protocol. State and local agencies within Texas are also assisting with the cyber response, which is currently at the alert level one step below the highest level, “emergency.” Response and recovery are the top priorities for these smaller towns, according to the Texas Department of Information Resources (DIR).
"SOC-as-a-Service (SOCaaS) allows any organization, even small cities, to employ powerful ransomware protection without additional staff or expensive capital outlay."
- Aaron Branson, Vice President, Netsurion
Defend Against Municipal Government Attacks
There are several steps that local, county, and state governments can take to defend against ransomware attacks. Sophisticated threats require advanced threat detection and remediation. Ransomware best practices include:
- Patch systems, servers, and applications regularly to close security gaps that hackers can exploit.
- Back up computers and important files and store the backups on a separate device or network.
- Use caution with unknown emails, attachments, website addresses, and web links that could target your employees, citizens, and civic leaders.
- Stay informed and vigilant regarding threats to the municipal and federal government.
- Enable comprehensive 24/7 monitoring and alerting for full network visibility on suspicious behavior and to reduce the damage of attacks.
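The last practice above, monitoring for suspicious behavior, is the one that turns an infection into an early alert instead of a multi-day outage. As an added example that is not part of the original post and is not Netsurion or EventTracker code, the script below scans constructed file-activity log lines and raises an alert when a single account on a single host rewrites many files within one minute, most of them to one extension the environment has never seen. The log format, the host and user names, the `.locked` extension, the allowlist of known extensions, and the thresholds are all assumptions for the example; a real SIEM or EDR rule would read the same signal from its own telemetry.

```python
"""Added example (not from the original post): a small detector that flags
ransomware-like mass file rewrites in constructed file-activity logs.

Assumed (hypothetical) line format, one event per line:
    <ISO timestamp> host=<h> user=<u> op=<create|modify|rename|delete> path=<p>
Paths in the sample contain no spaces, which the regex below relies on.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)$"
)

# Extensions that legitimately appear in bulk on these shares (tune per site).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".bak", ".log", ".tmp"}

WINDOW = timedelta(seconds=60)   # look-back window per (host, user)
MIN_EVENTS = 20                  # burst size that is suspicious on its own
MIN_SAME_EXT_RATIO = 0.8         # share of the burst using one unfamiliar extension


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["ext"] = os.path.splitext(rec["path"])[1].lower()
    return rec


def detect_bursts(lines):
    """Return one alert per (host, user) whose recent writes look like mass
    encryption: at least MIN_EVENTS writes inside WINDOW, mostly to a single
    extension that is not on the allowlist. Deletes are ignored here."""
    recent = defaultdict(deque)   # (host, user) -> deque of (timestamp, ext)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] not in {"create", "modify", "rename"}:
            continue
        key = (rec["host"], rec["user"])
        q = recent[key]
        q.append((rec["ts"], rec["ext"]))
        # Slide the window: drop events older than WINDOW relative to this one.
        while q and rec["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if len(q) < MIN_EVENTS or key in alerted:
            continue
        counts = defaultdict(int)
        for _, ext in q:
            counts[ext] += 1
        ext, n = max(counts.items(), key=lambda kv: kv[1])
        if ext not in KNOWN_EXTENSIONS and n / len(q) >= MIN_SAME_EXT_RATIO:
            alerted.add(key)   # alert once per actor, not once per file
            alerts.append({
                "host": key[0], "user": key[1], "extension": ext,
                "events_in_window": len(q),
                "first_seen": q[0][0].isoformat(),
            })
    return alerts


def sample_log():
    """Constructed sample: routine edits, a legitimate nightly backup job writing
    many .bak files, then one workstation renaming 25 zoning files to '.locked'
    within 25 seconds. Only the last burst should produce an alert."""
    normal = [
        "2019-08-16T09:00:01 host=clerk01 user=jdoe op=modify path=C:/Shares/Permits/app-1001.docx",
        "2019-08-16T09:05:12 host=clerk01 user=jdoe op=modify path=C:/Shares/Permits/app-1002.docx",
    ]
    backup_job = [
        f"2019-08-16T11:02:{i:02d} host=fileserv user=svc_backup op=create "
        f"path=D:/Backups/nightly-0815-part{i}.bak"
        for i in range(25)
    ]
    burst = [
        f"2019-08-16T13:10:{i:02d} host=clerk02 user=asmith op=rename "
        f"path=C:/Shares/Zoning/plat-{i}.pdf.locked"
        for i in range(25)
    ]
    return normal + backup_job + burst


if __name__ == "__main__":
    for alert in detect_bursts(sample_log()):
        print(alert)
```

The allowlist is what keeps the backup service account from paging the SOC every night, and the once-per-actor suppression keeps a real incident from producing thousands of duplicate alerts; both are the kind of tuning a co-managed SIEM team does against a site's own baseline before a rule goes live.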
Local, county, and state governments can protect sensitive systems and data and augment existing IT teams with managed services such as SIEM, EDR, and a 24/7 SOC. Local governments in Texas and across the U.S. that have so far escaped attack can use proactive threat detection and response to enhance their security toolkit. Our SOC-as-a-Service (SOCaaS) has caught many such attacks on government agencies, keeping them out of the headlines and away from ransomware payments. Read case examples from government and enterprise organizations to learn about EventTracker in action.