Ransomware routed by fast-acting, info-sharing Texans
Thanks to federal, state and local government coordination, security teams were able to get 23 Texas municipalities hit with ransomware in 2019 back in business in eight days.
Streamlining communication between federal, state and local agencies can help departments prepare for and respond to ransomware attacks, Texas State Chief Information Security Officer Nancy Rainosek said.
Speaking during NextGov’s Feb. 10 CyberDefenders webinar, she discussed the August 2019 coordinated ransomware attack that targeted more than 40 Texas municipalities and impacted 23 local governments, interrupting their ability to process licenses and certificates, collect payments for services or conduct payroll activities.
Attackers collectively demanded $2.5 million in ransom payments, but no Texas entity paid, Rainosek said. A swift response from Gov. Greg Abbott and the Texas Department of Information Resources (DIR) allowed officials to declare the event a cybersecurity disaster, the first cyber incident ever declared a statewide disaster.
“This enabled us to join our Texas Division of Emergency Management, Department of Public Safety and Texas Military Department in responding and helping these 23 local entities,” Rainosek said. “We were able to then send our teams out into the field and had all these folks back to recovery and operational within eight days.”
While the response was fast and successful, she said the teams knew the incident might not have been fully resolved. After the agencies had recovered, authorities decided to leave endpoint detection software on the computers for another 30 days, in case malware remained deeply embedded in the machines, she said.
The security teams got some help from "a computer out there that was not turned off but was simply unplugged from the internet,” which left its volatile memory intact for investigators, Rainosek said. This gave them an opportunity to identify the perpetrator. Investigators eventually traced the Texas Sodinokibi/REvil ransomware attack to a single threat actor, who was indicted in November 2021.
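The forensically important detail in the paragraph above is that the machine was cut off from the network but left powered on, so its memory was still there to examine. What follows is an added example, not code from this article or from Texas DIR, showing how a first responder on a Linux host can do the same thing deliberately: record the volatile state a shutdown would destroy, then isolate the box with host firewall rules instead of pulling the power. The function names and the collector address 10.0.0.5 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article or from Texas DIR tooling):
# first-responder triage on a Linux host suspected of running ransomware.
# Principle: isolate the host from the network, but do NOT power it off,
# so running processes, live sockets and whatever the malware holds in
# memory survive for the investigators.

# Record the volatile state that a reboot would destroy, before anything else.
# Argument: output directory. Prints the number of artifact files written.
snapshot_volatile() {
    out="$1"
    mkdir -p "$out"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/collected_at.txt"
    uptime > "$out/uptime.txt" 2>/dev/null || true
    # Process listing with PID, parent and full command line: ransomware often
    # runs from a user-writable path under a legitimate-looking name.
    ps -eo pid,ppid,user,lstart,args > "$out/processes.txt" 2>/dev/null || true
    # Live sockets: C2 and exfiltration sessions vanish the moment the host reboots.
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$out/sockets.txt" 2>/dev/null || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap > "$out/sockets.txt" 2>/dev/null || true
    fi
    # Logged-in sessions and the ARP cache are volatile as well.
    who > "$out/sessions.txt" 2>/dev/null || true
    cat /proc/net/arp > "$out/arp.txt" 2>/dev/null || true
    n=0
    for f in "$out"/*; do n=$((n + 1)); done
    echo "$n"
}

# Emit the iptables commands that cut the host off from everything except one
# forensics collector (hypothetical address passed as argument), leaving the
# machine itself running. ACCEPT rules come before the DROP policies so a
# responder connected from the collector is not locked out mid-change.
isolation_rules() {
    collector="$1"
    cat <<EOF
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $collector -j ACCEPT
iptables -A OUTPUT -d $collector -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Usage when run directly as root: sh triage.sh /evidence/host01 10.0.0.5
# Nothing below runs when the file is sourced without arguments.
if [ $# -eq 2 ]; then
    snapshot_volatile "$1" >/dev/null
    isolation_rules "$2" | sh
fi
```

The snapshot is deliberately taken before the firewall change, because the isolation step itself terminates the very sessions a responder wants to see. On the Windows hosts typical of municipal networks the same idea is a host firewall profile that blocks all but the collector, or an EDR network-containment action; the rule is the same, contain the box without cutting its power.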
For Texas, it was less expensive to determine how the attack was conducted and find a solution than to pay the ransom, Rainosek said. Texas DIR’s close relationships with the local FBI field offices were instrumental in mitigating the Sodinokibi/REvil incident, she said.
The Texas DIR partners with many federal and local governments on cyber threat information sharing, but the complexities involved in exchanging security data sometimes make that collaboration difficult, Rainosek said.
Texas receives monthly reports about outdated software, but she said these reports are often delayed by an exhaustive review and assessment process. If this threat information were more accessible, governments would be able to act on vulnerabilities more quickly, she said, echoing Texas DIR Executive Director Amanda Crawford’s 2020 testimony before the Senate Committee on Homeland Security and Governmental Affairs on state and local cybersecurity following the ransomware attack.
During the SolarWinds attack and the 2021 Microsoft Exchange Server data breach, "the FBI was sending us information about various governmental entities that were most at risk, so that has been a good thing,” she said. “It enables us to reach out and talk to those folks and inform them that they may be at risk based on something the federal government has seen before.”