How SLED agencies can defend against ransomware
- By Joe Lareau
- Feb 26, 2020
State and local governments across the U.S. are on high alert for ransomware attacks, and for good reason. In 2019, nearly 1,000 government entities suffered a ransomware attack, and security experts believe it will continue to be a problem.
The tenor of these new attacks has shifted, though, as ransomware attackers appear to be teaming up to boost their power. One hacking group, TrickBot, is selling its tools to third parties, with North Korea’s Lazarus Group reportedly buying in. That makes ransomware a business, with government entities serving as popular targets.
Why target government?
Ransomware attacks appear to specifically target state and local government and education (SLED) organizations. Adversaries are well aware that government-associated entities typically don’t have the budget to protect their infrastructure, networks and devices, and ultimately their data. This makes them ideal targets for ransomware that encrypts their data and demands a ransom for its release.
Also, despite the FBI’s advice to never pay these ransom demands, SLED organizations are much more likely to hand over money. Though paying is no guarantee that access to data will be restored, agencies, schools, hospitals and other public entities often don’t have a tech team staffed with top-tier experts who can restore that access, making the chance of quickly recovering from an attack much less likely. By paying, the thinking is, at least they have a small chance of getting their data back.
An escalating problem
It used to be that government entities, like businesses, could simply restore data from backups after a data breach. That eliminated the exorbitant cost of trying to remove the malware or pay the bad actors to regain access to the data. But cybercriminals have gotten much more sophisticated in recent years, and now they’re leveraging those backups as well.
According to Kaspersky Labs’ Q3 2019 report, malware has now begun attacking network-attached storage devices like backup drives and servers. Although regular backup is still important, SLED organizations must understand that backups alone are not a sufficient strategy for preparing for a potential ransomware attack. They must also be able to respond quickly to mitigate damage when malware does make it past the firewall.
How ransomware works
All the concern over ransomware attacks is merited. Ransomware usually makes its way into networks via a user within the organization, typically through a malicious link in an email, a phishing scheme or malvertising, which inserts the code into legitimate online ads. The employee clicks on the innocent-looking link, which then downloads the malicious program into the network, encrypting files on local and network shares, then displaying the demand for ransom. The entire process, known as the ransomware attack chain, happens very quickly.
What is perhaps the most alarming aspect of the exponential growth of ransomware attacks is that SLED organizations often have devices and servers integrated with systems in other agencies, departments and buildings, which broadens the reach of each malicious file. The large number of employees makes it less likely they’ve all had the same training on avoiding malware, especially since some agencies don’t have adequate resources for training.
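The attack chain above leaves a recognizable trace on a file server: one host renaming many files to a new extension within seconds. The following added example (not from the article or from Exabeam) shows how a detection rule can flag that burst in file-server audit events; the log format, host names, paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-server audit lines (not real data); ws-12 shows the
# rapid rename-to-new-extension burst that mass encryption produces.
SAMPLE_LOG = """\
2020-02-26T09:00:01 host=ws-07 action=rename old=/shares/hr/report.docx new=/shares/hr/report_v2.docx
2020-02-26T09:00:03 host=ws-12 action=rename old=/shares/finance/budget.xlsx new=/shares/finance/budget.xlsx.locked
2020-02-26T09:00:03 host=ws-12 action=rename old=/shares/finance/q1.pdf new=/shares/finance/q1.pdf.locked
2020-02-26T09:00:04 host=ws-12 action=rename old=/shares/finance/q2.pdf new=/shares/finance/q2.pdf.locked
2020-02-26T09:00:05 host=ws-12 action=write old=- new=/shares/finance/READ_ME.txt
2020-02-26T09:00:06 host=ws-12 action=rename old=/shares/finance/staff.csv new=/shares/finance/staff.csv.locked
2020-02-26T09:00:08 host=ws-12 action=rename old=/shares/finance/notes.txt new=/shares/finance/notes.txt.locked
2020-02-26T09:05:00 host=ws-07 action=rename old=/shares/hr/old.log new=/shares/hr/old.log.bak
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) "
                     r"old=(?P<old>\S+) new=(?P<new>\S+)$")

def parse(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def is_suffix_rename(ev):
    """True when a file was renamed to its own name plus a new extension."""
    return ev["action"] == "rename" and ev["new"].startswith(ev["old"] + ".")

def burst_hosts(lines, window=timedelta(seconds=60), threshold=5):
    """Map host -> peak number of distinct suffix-renames seen inside any
    sliding window; only hosts reaching the threshold are returned."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and is_suffix_rename(ev):
            per_host[ev["host"]].append((ev["ts"], ev["old"]))
    flagged = {}
    for host, evs in per_host.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past stale events
            count = len({path for _, path in evs[start:end + 1]})
            if count >= threshold:
                flagged[host] = max(count, flagged.get(host, 0))
    return flagged

if __name__ == "__main__":
    print(burst_hosts(SAMPLE_LOG.splitlines()))  # {'ws-12': 5}
```

The single legitimate rename from ws-07 stays below the threshold, while the five suffix renames from ws-12 inside one minute are reported for immediate isolation of that host and its share access.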
Protecting the network
SLED agencies can reduce the risks of an attack, even before the next budget cycle. Here are some protections to put in place.
- Educate employees. Create a security plan that includes educating end users on best practices for using email and online resources. Agencies that don’t have the resources for in-person employee training should consider setting up a mandatory self-paced version that workers complete at their desks.
- Set cybersecurity policies. SLED agencies should have a written cybersecurity policy that emphasizes that equipment is to be used for work purposes only. Although this will not guarantee employees won’t engage in irresponsible behaviors, signing a document may have them thinking twice before doing so.
- Conduct regular backups. Files should be backed up on a daily basis and a copy of a recent backup stored at an offsite location.
With the right plan in place, SLED agencies can be better prepared to prevent data breaches and ransomware attacks. A security and incident management solution that uses artificial intelligence to immediately identify signs of a ransomware attack can also help keep the network and data safe. When combined with education and regular backups, AI-based solutions can help agencies defend against cyber attackers and expensive ransomware.
Joe Lareau is a senior security engineer, federal, at Exabeam.