Local governments: Don’t pay ransoms to hackers

A Deloitte survey about ransomware also recommends that local governments use air-gapped system backups.


A new report from the Deloitte Center for Government Insights surveyed ransomware attacks on local governments throughout 2019 and lays out a few tips for those faced with the tough decision of whether to pay ransoms or not. 

Ransomware attacks on local governments hit an all-time high in 2019, with the study finding 163 reported attacks on cities as big as Baltimore and towns as small as Lake City, FL. Cities and towns that ceded to hacker demands spent nearly $2 million in ransom, and those that refused spent tens of millions, with Baltimore suffering $18 million in lost revenue and recovery costs.

“State and local governments should live and plan with the reality that their critical systems and data will be attacked,” said Srini Subramanian, cyber state and higher education sector leader for Deloitte & Touche LLP. 

Another report from Emsisoft found that at least 966 government agencies, educational establishments and healthcare providers in the U.S. were hit by ransomware attacks in 2019 at a potential cost of more than $7 billion, crippling critical emergency systems with dangerous efficiency. The Emsisoft figures include 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges and school districts.


The Deloitte Center for Government Insights report found that there was a 150% increase in reported ransomware attacks compared to 2018, which included high-profile attacks on major cities like Baltimore and Atlanta. These kinds of attacks, which have been happening since 1989, now specifically target local governments that cannot afford to have data compromised to the point of governance paralysis.

“Even with cyberinsurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyber health checks and revisit resilience strategies,” Subramanian said. “The effort more than pays off. Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust.”

One of the key solutions cited in the report is the need for air-gapped system backups, which are described as isolated computers or systems without any connections to the internet or external links. Even tape backups can help keep critical business information away from hackers using ransomware. 

“The air gap decreases the likelihood that ransomware can infiltrate the backup, and in the event it does enter, the design of the vault prevents the ransomware from executing its payload. Similarly, tape back-ups can help restore data without the risk of reintroducing ransomware. Regardless of method, data backups inaccessible by ransomware attacks are another way organizations can avoid falling prey to criminals who hope to hold their information hostage,” the report added.

As noted in the Deloitte report and many other news stories, cities are now faced with the tough decision of whether to pay a ransom or not, and a burgeoning insurance industry for these kinds of attacks has tacitly incentivized even more attacks. Lake City, FL paid hackers a $460,000 ransom in June 2019 but most of it was covered by cyberinsurance, which only cost the local government $10,000.

Cyberinsurance has become a wildly lucrative industry, and the report found that for every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims, making cyberinsurance nearly twice as profitable as other types of insurance.

“However, this profitability may be largely due to the uncertainty related to the cyberinsurance no-win situation in which insurers find themselves: When attacked, no organization wants to be helpless, but those that use cyberinsurance policies to cover ransom payments may unintentionally be fueling the increase in ransomware attacks. In such situations, governments often face a dilemma: Paying ransoms that can likely fuel more attacks and other illicit activities, or dealing with the considerable cost of losing data necessary to provide public goods and services,” the report said. 

“The cost of a police department unable to serve and protect the community or a school district unable to educate the community’s children escalates quickly. As a result, governments often see paying the ransoms as the only logical solution. After all, not paying the ransom and having to recoup lost data and systems can often be significantly more expensive than the ransom.”

Local governments now need to incorporate technology into every aspect of the services they provide, yet they are hamstrung by a woeful lack of the cybersecurity talent needed to protect millions of endpoints.

More than three million cybersecurity jobs are expected to remain unfilled by 2021, according to the Deloitte report, and its researchers added that the majority of states spend about 2% of their IT budget on cybersecurity while half of all states do not have cybersecurity budgets separated from IT budgets.

The study notes that now, “every squad car has a computer and each classroom likely has a few.” Traffic cameras, ambulances, trash trucks, parking meters and libraries are all connected to state and local government networks.

Right before Atlanta was hit with a ransomware attack in 2018, the city identified more than 2,000 vulnerabilities that could be abused by cybercriminals, and the attack cost the city $17 million in recovery costs. 

To pay or not to pay

The crucial question for most local governments is whether to pay. While the cost difference between thousand-dollar ransom payments and million-dollar recovery efforts is steep, the report suggests local governments hold the fort and refrain from paying cybercriminals.

The study notes that the federal government also urges local governments never to pay ransoms, but a number of towns have ignored this advice, looking at the millions cities are being forced to pay for recovery and opting to shell out the relatively meager $50,000 to $100,000. But ransom payments are rife with concerns beyond incentivizing more attacks.

Some systems are never restored once a ransom is paid, and there is little way for governments to know when a hacker will restore a system to what it once was. The study cites a survey of cybersecurity teams that found that of those officials who paid a ransom, fewer than half were able to regain access to their information.

The report also found troubling increases in the amount of ransom hackers asked for in the second half of 2019. Ransomware strains like the Russia-made Ryuk malware are now used to target local governments and demand ransoms 10 times higher than average attacks, according to the study.

Potential solutions

The study suggests the federal government put incentives in place so that state and local governments do not see paying ransoms as the only solution to their problem. 

The report includes a number of best practices that local governments can deploy in an effort to prepare for attackers and preempt ransomware attacks. 

“To move forward, governments should consider an approach to dealing with ransomware, built on doing three things well: building well, operating well, and responding well. The first step should be to avoid becoming a target in the first place—partly by developing smarter systems, and partly by having skilled staff to work with these systems,” the study said.

“However, how an organization manages its data can mitigate the consequences of any ransomware attack. Developing a system architecture where the most critical data is compartmentalized can make it more difficult for hackers to encrypt enough critical information to create leverage and demand a ransom. This compartmentalization is as much about function as physical connectivity. Disabling extraneous services on connected devices and putting in place policies that prohibit checking email or playing games on critical hardware can be important defensive measures.”

Another key solution is rotating cybersecurity talent across multiple cities and towns within states. The report cites Michigan’s Cyber Civilian Corps as a good example of how certain states can get around the talent gap by creating CISO-as-a-service offerings for local governments to take advantage of. Local governments should also make efforts to provide some amount of training to all staff members about basic cybersecurity awareness and hygiene. Basic things like updates and patches need to become second-nature for any government-connected device.

Every town and city should have an attack plan in place so that governments know exactly what to do in the event of a ransomware attack, particularly on critical services like police and emergency responders. 

The study notes that all local governments should do a full audit of their systems to find vulnerabilities and create corresponding functions in the event that their digital infrastructure is no longer in their control. Simulations and testing should be done to prepare every level of a local government for a ransomware attack.

“Cyber war-gaming and simulation are valuable tools in preparing staff and ironing out kinks in processes. Rehearse with a realistic scenario so that you’re able to simulate the decisions that you might have to make. You don’t want to be forced to decide under duress. Often, only during such simulations do leaders begin to see the many details that they must master—from the logistics of transferring bitcoin to learning what exactly is covered by a cyber insurance policy,” the report said. 

“Government can use the successes and failures of the war-game to craft a playbook spelling out responsibilities and key tasks in the event of an attack to speed response. Speedy recovery depends on everyone knowing the plan and being able to execute it quickly, and for that, there is no substitute for practice.”

Other emerging cybersecurity tools like artificial intelligence can also be helpful in stopping a variety of attacks including ransomware. Las Vegas has deployed an AI system that helps city officials respond to threats almost immediately and stop attackers before they can get too deep within a system. 

Local governments should also share information with each other about best practices and solutions that may work for them, according to the study, which noted that the federal government currently has no legal requirement for local municipalities to report ransomware attacks. 

Some states, like Texas, are considering passing laws that require towns to report when they’ve been attacked, but the report suggests all levels of government should voluntarily report any ransomware attacks so that more can be learned about the best way to respond.

“Connected devices, digital systems and integrated data mean governments have the opportunity to serve people and communities like never before,” said Deborah Golden, cyber risk services leader at Deloitte & Touche LLP.

“It also means there is a large surface for cyber criminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless.”
