Headlines like the one above used to be plots for movie thrillers, but now can be seen in the news nearly every day, if the damage is large enough to warrant reporting. In fact, most attacks are not publicized[1], with victims communicating only with law enforcement and, if they have coverage, their liability carriers.
According to Cisco, the rate of ransomware attacks is increasing 350% annually[2]. Damage from these attacks totaled $325 million in 2015 and is expected to rise to $11.5 billion in 2019[3]. In fact, in July 2019, Governor John Bel Edwards of Louisiana declared a state of emergency following a series of attacks[4], a threat he described as “ongoing.” The declaration allowed greater state and Federal resources to be deployed.
A ransomware attack affecting 22 local government entities here in Texas occurred just last week on August 16th, with Federal and State authorities leading a coordinated law enforcement, assessment and remediation response to the affected entities.
What Is Ransomware?
Hackers will encrypt an organization’s data so it cannot be accessed, then hold the key to decryption for ransom. Payment is usually demanded in Bitcoin, an electronic currency popular both in popular culture (think of the terms ‘blockchain’ and ‘cryptocurrency’) and with criminals for its ability to transfer funds anonymously, secretly, and untraceably. Worse, of those who pay the ransom, a reported 17% never recover their data[5].
How Does It Happen?
While direct assaults on computer networks do happen, more losses occur through simpler means, such as email with an attachment containing a malicious virus or a link to an outside website. It may also occur if the user downloads infected material from a compromised website.
Emails can be sent impersonating an address the sender doesn’t own (spoofing) to ask the recipient to provide private information (phishing). There is no malicious code in most of these emails, merely a sentence or two intended to create a sense of urgency in the reader and cloud judgment at the very moment when suspicion and vigilance are called for. The reader is asked to click a link or open an attachment, through which access can be established. Once the attacker has access, he or she will attempt to take over as much of the system as can be accessed.
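The red flags described above can also be checked mechanically by a mail filter or a reported-phish triage script. The following is an added example, not part of the original article: the message, its domains, the keyword list and the flag labels are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative keyword list (an assumption, tune for your own mail).
URGENCY = re.compile(r"\b(urgent|immediately|suspended|final notice)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", re.I)

def domain(addr_header):
    """Return the lower-cased domain of an address header value, or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def red_flags(raw_message):
    """Return a sorted list of red-flag labels for one single-part message."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = set()
    # Spoofing hint: replies are steered to a domain other than the From domain.
    reply_to = domain(msg["Reply-To"])
    if reply_to and reply_to != domain(msg["From"]):
        flags.add("reply-to-mismatch")
    # Spoofing hint: the receiving server recorded an SPF/DKIM/DMARC failure.
    for result in msg.get_all("Authentication-Results", []):
        for mech, _ in AUTH_FAIL.findall(result):
            flags.add(f"{mech.lower()}-fail")
    # Phishing hint: wording meant to rush the reader.
    if URGENCY.search(f"{msg['Subject'] or ''} {body}"):
        flags.add("urgency-language")
    # Phishing hint: link text shows one host, the href points to another.
    for href, text in ANCHOR.findall(body):
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
        host = (urlparse(href).hostname or "").lower()
        if shown and not host.endswith(shown.group(0).lower()):
            flags.add("link-text-mismatch")
    return sorted(flags)

# Constructed sample message; every name and domain here is made up.
SAMPLE = """\
From: "City IT Help Desk" <helpdesk@city.example>
Reply-To: support@mail-city.example
Authentication-Results: mx.city.example; spf=fail smtp.mailfrom=city.example; dmarc=fail header.from=city.example
Subject: URGENT: mailbox will be suspended
Content-Type: text/html

<p>Confirm your password immediately at
<a href="http://login.portal-verify.example/reset">portal.city.example</a></p>
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A message that trips none of these checks is not thereby safe; the flags are a triage aid for the IT department, not a verdict.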
What Can Be Done?
Investing in technology and user training are the first steps to take. Non-technical users can be easily trained to spot the red flags phishing messages typically raise. House Bill 3834, which became law in June, creates a requirement that local government employees and officials who have access to a computer system take annual cybersecurity training through a program certified by the Department of Information Resources.[6] While this bill is a good start, there is no reason to exclude any email user from training, as any email user can be targeted. In fact, users with minimal usage can pose the greatest risk due to a lack of “tech savviness.” With an hour’s education from a provider like KnowBe4.com, and a little reinforcement through practical testing, most users will be able to recognize suspicious messages and deal with them appropriately (notifying the IT department and deleting the message is usually best).
However, user training is not the cure. IT staff should be current on cyber threats and best practices for thwarting them. These include the use of firewalls, encrypted communication, frequent scanning of networks and file systems with updated anti-virus/anti-malware, frequent backups, intrusion testing, and ensuring all software and firmware are regularly updated, or retired if an upgrade is not possible.
The Texas Department of Information Resources (DIR) also has several suggestions and best practices related to combating ransomware and other schemes. In addition, DIR has procured preferential pricing on shared technology services available to all local governments in Texas.
If your local government’s property or liability coverage is provided by TMLIRP, the Pool has a number of resources available should your entity experience a breach or ransomware attack, including cyber liability coverage, trained breach coaches, legal representation, preferential remediation services and coordinated notification and credit monitoring services for affected customers. Most of these baseline services are available within the coverage limits you carry, and trained professional staff are available to walk you through a breach should it occur.
As the threats increase in scope and frequency while becoming harder to detect, knowledge and vigilance must keep pace. Understanding what your local government will do in the event of a cyber incident is the first step towards successful recovery.
[1] https://statescoop.com/report-ransomware-attacks-against-state-and-local-government-are-on-the-rise/
[2] https://blogs.cisco.com/financialservices/ransomware-lessons-for-the-financial-services-industry
[3] https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/
[4] https://www.cnbc.com/2019/07/26/louisiana-declares-state-of-emergency-after-cybercriminals-attack-school-districts.html
[5] https://www.comparitech.com/antivirus/ransomware-statistics/
[6] http://reports.texasaction.com/bill/86r/hb3834