Tied up and held for ransom

Just as real-world criminals might kidnap the scion of a wealthy family or a high-level business executive to hold for ransom, their digital counterparts have quickly discovered a profitable if nefarious money-making endeavor with even less risk: ransoming government information.

Ransomware schemes are really a type of malware, which in this case encrypts legitimate users’ documents and restricts their access to their files or system. The ransomware typically is delivered to agencies through a phishing email, which contains malicious code in the form of a link or an attachment that delivers the malware itself. Locked out from their files or their network, legitimate users will often pay the "ransom" of several hundred or even few thousand dollars, usually in untraceable virtual currency such as bitcoins, to have the cybercriminals unencrypt their files or return their access.

And while ransomware exploits have been on the rise with all manner of private- and public-sector victims, government agencies may be finding themselves directly in hackers’ crosshairs. “I think that ransomware is a growing problem for everybody, but certainly state and local governments,” Mark Weatherford, senior vice president for vArmour, and former deputy undersecretary for cybersecurity at the Department of Homeland Security, said. “These crimes don’t know any bounds with respect to victims, and the pickings are easy with local governments.”

Why would hackers target state and local government?

Larger government agencies, like larger private-sector businesses, have the resources to invest in the technologies, the training and the safeguards to mitigate and minimize the risk of these attacks, Weatherford pointed out. Meanwhile, smaller agencies (like small and mid-sized businesses) often don’t have the money and the staff to avoid or combat these exploits, he said. “When I say the pickings are easy,” Weatherford added, “I mean that most small government organizations struggle with the resources to do IT and handle security well.”

Indeed, incidents of ransomware extortion, originally a problem in Russia, began springing up in Europe and the United States about five years ago. While dozens of ransomware variants have been known to exist in the wild, many are based off the same destructive malware -- like CryptoLocker, Locky, Samas and CryptorBit -- that have been tweaked over time.

Last year, U.S. businesses and agencies alone reportedly paid more than $24 million in ransoms across almost 2,500 cases, according to statistics from the Internet Crime Complaint Center. The National Cybersecurity and Communications Integration Center, part of the Department of Homeland Security, received 321 ransomware-related activity reports affecting 29 federal agencies between June 2015 and April 2016. And those are just the incidents that have been reported. It is believed that if the ransom is low enough, and the assets are valued by the agency (and there are no recent backups), many smaller organizations might just pay the hackers to be done with it -- which in turn makes this kind of crime all the more appealing for hackers looking for profitable, low-risk scores.

“These are sophisticated attacks, but they’re going for quantity over quality,” Weatherford said. “They can make a lot of money, and the risk to them is very low.” Additionally,  because the data is typically not stolen, just encrypted, by the hackers, the crime of theft has not actually been committed, he said. “It really depends on your compliance requirement, whether you are mandated to report [these incidents]. So in many cases, it’s easier to pay the ransom than to make a big stink,” Weatherford said. “This is not a security decision. It’s a business decision.”

Indeed, ransomware is becoming more pervasive in agencies that are moving operations and citizen services online. “All of our work is being done online and is expected to be ever more online,” Kristine Trierweiler, assistant town administrator for the Town of Medfield, Mass., said. “Our end users are not as versed in security as they could be. The phishing schemes have become very sophisticated, fooling even those that are proficient in online trends.”

One Monday morning in early February, Medfield employees found “several of the computers in the building had a pop-up message on the screen saying that we had been hacked, that this entity had control of all of our data and that we needed to contact them to discuss the ransom,” Trierweiler said. After confirming the legitimacy of the threat, Trierweiler said the town called in its virus protection firm to see if it could unencrypt or retrieve  the town’s information. The backup system had been infected as well.

When the town employees realized there was no way to override the ransomware, Medfield reached out to other municipal and state agencies that had also been hit by ransomware for advice “We were given the same message by all of them....‘If you want your data back you will pay the ransom,’” Trierweiler said. The town government paid about $300 in bitcoins within 48 hours, and the information was ultimately released.

Similar incidents have taken place in Greenland, N.H., which lost eight years’ worth of data to a CryptoLocker assault; and Ilion, N.Y., which made at least two ransom payments of $300 and $500 last year. The police department in the Chicago suburb of Midlothian Village paid $500 in bitcoins to free its files from hackers. In 2015, the Multi-State Information Sharing and Analysis Center (MS-ISAC), a nonprofit that works with DHS to prevent track and address cyberattacks, provided digital forensic assistance on 45 ransomware cases involving government machines.

Government agencies have been increasingly “bombarded” with ransomware since October 2014, according to Brian Calkin, vice president of operations for MS-ISAC. “I don’t know that government agencies are being ‘targeted’ as much as it’s opportunistic,” Calkin said. “Unfortunately, a lot of government agencies are not exercising best practices…and not patching their systems.” More ransomware incidents are hitting local government, rather than larger state governments, Calkin said, as “general security hygiene is lacking.”

Basic security, day in and day out

But other than greater awareness and education for employees, what can government agencies do to mitigate the risk and the impact of such attacks, especially when they’re working on a shoestring budget?

Industry experts say much of the solution boils down to managing the security basics, day-in and day-out, without fail. “Users are always, always, always, always going to be the weakest link,” Weatherford said. Beyond employee education, making regular back-ups of key files and keeping them off-line is a top priority, he added. Also, he counsels government agencies not to allow unmanaged or unsecured wireless access to systems.

In the months since their ransomware incident, the Town of Medfield has made changes to avoid falling prey to another attack. Access to USB drives have been restricted, all applications that give remote access to vendors have been stopped at the firewall, and they must request access with documentation. Patches and security updates are made daily, and all the town government’s applications have been moved to a cloud environment, with no shared folders on the network and no mapped drives, according to Trierweiler. 

Calkin recommended that government agencies monitor state and local agency networks, keeping in contact with counterparts in the region directly or through groups like MS-ISAC, as well as staying abreast of reports from security and technology service providers about potential threats. In many cases, Calkin said, if an agency gets wind of a ransomware attack as it’s happening, the encryption of files can be stopped midstream, and the attack can be thwarted.

For those agencies that can afford to go the extra mile, Microsoft’s Office 365 offers “detonation chambers,” also known as dynamic execution environments, which allow organizations to open email attachments, execute untrusted or suspicious applications, and click on URLs in the safety of an isolated environment or virtualized sandbox so they can determine whether the associated attachments or applications contain malicious code.

Simple policies such as proper patch management to keep software updated can help prevent exploit-kit-based attacks, according to Bryan Lee, threat intelligence analyst with Unit 42 at Palo Alto Networks. “Microsoft provides quite a few different group policy options for such things as globally disabling macro documents or even [preventing] unknown executables from launching,” Lee said. “Blocking executable attachments in emails or even web downloads can further reduce the attack surface for an enterprise and prevent attacks from even occurring.”