‘WannaCry’ ransomware attack raises alarm bells for cities, states
This article originally appeared on Stateline, an initiative of the Pew Charitable Trusts.
The massive cyberattack that has infected computers in at least 150 countries this past week hasn’t had a major impact on the federal government. But it has struck at least one county and several universities and prompted some state and local agencies to scramble to beef up their protections against the virus.
In the Chicago area, the virus showed up on computers in some Cook County government offices. MIT and several other universities reported that some of their computers also had been compromised. In Connecticut, the state court system briefly shut down some of its computers to update anti-virus software. And in Michigan, state officials quickly began installing extra protection on servers, work stations and public kiosks.
State IT officials say they often don’t have enough money to effectively fight sophisticated cyber threats. And the scale of this one has made them even more concerned.
“This is a big wake-up call because it is cyber disruption,” said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). “States and local government need to address this because it’s a serious threat. We have urged states to take action immediately.”
Cybercriminals launched the fast-moving virus, dubbed “WannaCry,” last Friday. So far, it has infected more than 300,000 machines in countries from Russia to Brazil. Its victims have included Britain’s National Health Service, universities in China and Germany’s train system.
The attackers used “ransomware,” malicious software that hijacks computer systems, encrypts data and locks machines, holding them hostage until victims pay a ransom or restore the data on their own. Hackers demanded $300 to $600 in payments in bitcoin, digital currency that is transferred all over the internet, which makes payments difficult to trace.
WannaCry spread across computers that run on Microsoft’s Windows operating systems. While Microsoft issued a patch, or security update, in March to protect against the virus, many systems that used older versions the company no longer supported remained vulnerable. Microsoft released special patches for the older versions after the cyberattack.
Cybersecurity experts say they’re not sure why more computer systems in the U.S. haven’t been infected. But they caution that state and local governments still could be affected.
“We’ve been getting a lot of emails from them wanting to know what they should do,” said Brian Calkin, a vice president of the Multi-State Information Sharing and Analysis Center, a federally funded group that tracks cybersecurity issues for states and local governments. “Our advice is to apply patches and keep your antivirus software up to date. Who knows what will happen?”
A growing threat
Hackers using ransomware increasingly have been attacking local governments, hospitals and police departments across the U.S. City and county governments, along with local school districts, have seen an “exponential rise” in threats in the last two years, said Srini Subramanian, a state cybersecurity specialist at the consulting firm Deloitte & Touche LLP. Victims have ranged from small police departments in Maine to a large hospital in Los Angeles.
Even if government officials decide to pay hundreds or thousands of dollars in ransom, their computer networks and communications are often crippled for a day or more by the viruses. And if they don’t pay, it can sometimes take days or even weeks to get their systems back up and running. In the meantime, public services for residents, schoolchildren and even hospital patients may be affected.
While federal officials say the WannaCry ransomware attack apparently has only raised about $70,000 in ransom and the infection rate has been lower in the U.S. than in many other parts of the world, they caution that the crisis may not be over, as the malware morphs into other forms that could threaten more networks.
Some state and local officials say they aren’t taking any chances.
In Connecticut, the judicial branch this week performed “preventive maintenance” on its computer system at courthouses statewide, said spokeswoman Rhonda Stearley-Hebert. She said some parts of the system had to be shut down briefly, including at New Haven Superior Court, where cases were delayed for two hours Monday as staffers installed a software update.
In Auburn, Mass.,, Information Technology Director Mike Marino said his office installed anti-ransomware software this week on every computer on the network, including those at the municipal building, senior center, library and fire stations.
Auburn’s school department was hit by a ransomware attack about a year and a half ago, and Marino said he doesn’t want town offices to go through that kind of situation. “Just the work required to get things back up and running is so time intensive,” he said. “Plus, any files that aren’t able to be backed up are just lost.”
Michigan took emergency steps to upgrade its network with the latest patch as soon as officials learned of the global cyberattack, said Rajiv Das, the state’s chief security officer. As of Thursday, all the work was completed other than at some employees’ desktops and kiosks used by the public.
“Right now, we are watching very carefully. This is definitely not the end,” Das said. “If you ask me, I’m worried. That’s why my team is on guard.”
In Cook County, WannaCry was discovered on “a small number of systems,” according to spokesman Frank Shuftan. He said as of Thursday, almost everything had been restored and staffers were making additional security improvements, but he would not give any more details, citing security reasons.
For IT chiefs at the state and local government level, the failure to protect computers is often a matter of dollars or indifference, said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states.
“Some agencies may have the funding to do updates; some may not. Some may be interested in doing it; some may not,” he said. “In many cases, it’s very decentralized. So it’s more like herding cats.”
While cybersecurity has become the top priority for state IT officials, funding is often inadequate, according to a 2016 survey of top IT security officers from 48 states by NASCIO and Deloitte. The report found that in most states, spending on cybersecurity was only a fraction of the overall IT budget, ranging from zero to 2 percent.
And while most elected and appointed state officials said they are very or extremely confident that IT security officials are well prepared for cyber threats, the report found that only about a quarter of the security officials responsible for dealing with the threats were very or extremely confident that adequate measures are in place to protect the data.
NASCIO’s Robinson said a global, organized cyber threat like WannaCry shows how important it is for those measures to be in place.
“I don’t think it’s over. There’s the chance they will regroup and do another targeted attack,” he said. “States need to patch their operating systems when the patches are released. They need to work to strengthen their firewalls and back up their computers. They need to be ready.”
Jenni Bergal is a staff writer with Stateline.