5 ways to stay ahead of government-targeted ransomware
- By Dan Schiappa
- Sep 23, 2021
It is no surprise that governments around the world are among the most highly targeted and impacted victims of ransomware. Last year’s SolarWinds data breach in the U.S. was a reminder of the ability of cyberattacks to penetrate public-sector agencies and unleash damage across a federal agencies.
According to new independent research from Sophos, over the past year, 40% of central governments and non-departmental public bodies across the globe were attacked by ransomware. This put central governments and NDPBs fourth in a ranking of industries most afflicted by ransomware, surpassed only by retail, education and business/professional services. Considering that federal governments employ trained IT staff, the fact that four in 10 were unable to stop a ransomware attack speaks to the ability of cyber attackers to penetrate even the best defenses. More than one-third (34%) of local governments also reported experiencing a ransomware attack over the past year – curious, considering that local government agencies would presumably have a fewer resources to defend their systems.
Extortion-style ransomware disproportionately aimed at central governments
One disturbing trend seen in ransomware over the past year has been the emergence of “extortion-style” attacks. Ransomware typically involves encrypting a victim’s data and then exchanging the decryption key for payment. Lately, extortion-style attacks – where the attacker steals the data rather than encrypting it and threatens to release it (either to the dark web or to the public) in exchange for a ransom payment – have started to pick up steam.
This is especially acute in the government sector. Central governments and NDPBs experience extortion-style ransomware at nearly double the rate of all industries. That said, encryption-based attacks still remain the most dominant strain of ransomware, comprising almost half (49%) of attacks faced by central government and NDPBs.
In ransomware attacks against local governments, 69% of victims saw their data encrypted – a staggering 20 points greater than what central governments had experienced. These numbers point to an interesting split: Ransomware attacks against central governments are slowly moving from encryption-style to extortion-style attacks, while encryption-based attacks against local governments remain extremely high and extortion-based attacks rare (2%). This difference may be because central governments have relatively higher-value data to steal and hold for extortion, and local government agencies, on the other hand, don’t have the kind of national secrets that central governments do, perhaps sparking less interest among attackers.
Why it’s not worth paying the ransom
In the heat of a ransomware attack, it’s easy to see why just paying the ransom to get data back (or prevent public release) can feel like the path of least resistance. That’s what attackers are counting on, after all. But it’s not necessary. The survey reveals that most (61%) central governments and NDPBs hit with ransomware restored their data from backups. Only 26% ended up paying the ransom to get their data back. In total, nearly all (96%) of central government victims ended up with their data restored. These findings speak to both the need to back up data proactively and how unnecessary it is to pay the ransom to get data returned.
The findings may also point to central government’s awareness about data backups that may not be shared by their smaller counterparts. Among local government organizations that were hit by ransomware, there was an even split between those who restored data through backups and those who paid ransoms to get their data back – 42% for both – indicating that smaller agencies perhaps have a greater need to pay ransoms in order to restore their data, as well as a lack of backups to draw from.
Five ways to stay ahead of government-targeted ransomware
Governments are some of the least prepared organizations in the world to recover from a major malware incident like ransomware. Among all industries surveyed on their malware incident recovery planning preparedness, both central and local governments ranked at the bottom of the list. This cannot continue to be the status quo – particularly when so many central and local governments have either been attacked by ransomware already or expect to be attacked in the future.
Staying ahead of the ransomware curve calls for more preparedness. Here are five easy steps that central and local government agencies take now to mitigate the probability of a ransomware attack and improve their chances of recovering from one.
- Assume an attack is coming. Currently 12% of central government organizations and 22% of local government groups do not expect to be attacked by ransomware. Both of these numbers should be zero. The sooner agencies acknowledge the inevitability of an attack, the more urgency there will be to take steps that can reduce both the likelihood of an attack and the scope of damage inflicted by one.
- Implement layered protection across the network. With extortion-style ransomware attacks becoming increasingly prominent, especially among central governments, it’s more important than ever for governments of all sizes to deploy layered protection across as many points of entry as possible.
- Supplement anti-ransomware software with trained human specialists. Anti-ransomware technology can only cover so much. Pairing software with expert human-led threat hunting teams is the best approach for catching the red flags signaling an impending attack that a tech-alone approach might miss.
- Back up agency data. This might seem like a no-brainer, but only 43% of central governments and NDPBs have air-gapped data backups in place. Even more alarming, just 17% of local government agencies have air-gapped backups. Both of these numbers are much too low. Data backups are the surest, easiest way to restore data after a ransomware attack.
- Don’t pay ransoms. Paying the ransom does not guarantee agencies will get their data back. On the contrary, on average, government organizations that pay ransoms only get back 65% of their data. Paying ransoms incentivizes future ransomware attacks and still largely fail to get victims back 100% of their data. Just don’t pay.
Dan Schiappa is the chief product officer at Sophos.