Arming agencies for ransomware attacks in an election year
- By Stephen Moore
- Nov 13, 2019
In the past few months, we have seen just how imperative it is to stop ransomware attacks. Ransomware has the power to rob state and local governments of thousands -- or hundreds of thousands -- of budget dollars and grind productivity to a halt. Recovery can cost tens of millions, as Atlanta and Baltimore discovered.
Just two months ago, a coordinated attack hit 22 local Texas governments simultaneously, forcing many municipalities to rely on backup systems. Fortunately, none of the demanded $2.5 million ransom was paid, but that does not mean the event was without consequence. Cities and their elected officials have learned that failing to protect networks housing taxpayer data risks losing the trust of constituents.
While ransomware attacks can happen at any time, an election year is an opportune time for adversaries to conduct attacks -- on voter registration systems, for example. In an attempt to prevent a ransomware attack affecting upcoming elections, the Department of Homeland Security recently announced a program to provide state election officials with guidance and support, as well as pen testing and vulnerability scanning of their voting systems. The rollout of this program, and future programs, serves as a major step in helping local governments protect their networks ahead of the 2020 elections and beyond.
Why ransomware is so lethal
Every form of ransomware shares a common strategy: It locks a network or encrypts files and demands victims pay to regain control. Ransomware is difficult to protect against. It updates at least once every 24 hours -- commodity security controls haven’t and won’t keep up and, typically, the encryption used is impossible to break. Plus, most adversaries request the ransom to be paid in Bitcoin, a nearly untraceable form of payment, making it difficult to determine the source of the attack. Antivirus and firewall software are not enough of a defense against ransomware, and for many organizations, their only line of defense (recovery) is having proper off network backups.
Ransomware can hit any organization, but government agencies, and especially municipalities, are particularly vulnerable because they often lack full time security staff and the rigor that found at a state level. Bigger picture, adversaries also recognize that government cannot afford to shut down, especially during a contentious election season, and that a fallback to manual processes would be unacceptable. With so much at stake, it would be a difficult choice whether or not to pay the ransom.
One of the first steps to preventing a ransomware attack is understanding how it works. Ransomware generally follows the same six stages with each deployment:
- Distribution - The most common way adversaries gain access is through phishing attacks; however, some attackers leverage remote desktops or exploit system vulnerabilities.
- Infection - Once in, the software launches an executable that installs malicious code known a as a dropper.
- Persistence - The ransomware then embeds itself into the system, often running as a service supported by Windows, which keeps it mostly hidden, even after the system has been rebooted.
- Internal distribution - During this phase, the ransomware spreads by searching the infected device and all connected systems for files to encrypt, conducting network scanning and often using approved administration tools such as WMI and PsExec.
- Encryption - Each valuable file the ransomware finds will be encrypted. Even more damaging is the encryption of mapped network drives and folders.
- Payday - During the payday stage, the ransom note is presented to the victim. Unfortunately, an unprepared organization will likely not recognize it has fallen victim to a ransomware attack until this final stage, after which it must take action to repair the damage and regain control of the system.
DHS' Cybersecurity and Infrastructure Agency recommends agencies and organizations apply the following best practices:
- Ensure only known users have access to sensitive files and restrict user permissions to install and run software applications. Restricting these privileges may prevent malware from running on a network or limit its ability to spread.
- Assemble a preapproved list of applications that are permitted to run on the agency's network.
- Enlist a strong spam filter to help prevent phishing emails from reaching end users.
- Scan all incoming emails from users outside of the network.
Like most malware, the best way to avoid becoming the target of a ransomware attack is to be proactive, and this starts by taking organizational ownership of the primary delivery mechanism – email. Additionally, agencies cannot just rely on only guidance shared via government advisories; they must take additional steps to increase their chances of detecting and disrupting motivated adversaries.
These attacks are simple in delivery, yet difficult to prevent -- especially since infections are usually disguised as innocuous attachments or email links. Agencies can educate staff, but training isn’t enough, and there’s no guarantee that a human won’t make a mistake and set off the chain of events described above. For every person who is punished for failing a phishing test, a flawed business process that hides malware inside email must also be scrutinized and ultimately eradicated. Lastly, agencies should eliminate the execution of files from within temp browser and mail directories, specifically files downloaded from the internet.
I applaud DHS for putting these recommendations in place and encouraging government agencies to stay vigilant for ransomware attacks in this election year. These tips are just as important for private-sector organizations too, and my colleagues and I look forward to supporting this effort by continuing to educate and protect both our private sector and government agency customers.
Stephen Moore is vice president and chief security strategist of Exabeam Inc.