What Should Municipalities Know about Ransomware? [Three Takeaways from the City of Florence Ransomware Attack]

Written by Justin Headley CISSP, CISA on July 1, 2020


We continue to hear about data breaches and new cyber attacks almost daily as attackers constantly search for new ways to bypass the security controls organizations have in place. Lately, ransomware attacks on municipal governments have made news headlines across the country.

What is Ransomware?

Ransomware is a type of malware that, once installed on a machine, encrypts or locks all of the data on it and then attempts to spread quickly to other machines on the network. The only method the attacker offers to unlock the data is payment of the demanded ransom.

There are many different variants of ransomware which have spread world-wide and target businesses and personal devices alike.

Why Should Municipalities be Aware of Ransomware?

Attackers do not specifically target municipal governments with ransomware, but municipal governments do face significant risk when it comes to ransomware attacks.

According to Kaspersky, in 2019 alone, at least 174 municipal institutions suffered ransomware attacks, representing a 60% year-over-year increase.

In those attacks, cyber criminals demanded an average ransom payment of $1 million and, in some cases, ransom amounts of up to $5.3 million. These amounts do not include the millions of dollars in restoration costs, the downtime in essential city services or the public relations nightmare that followed.

Recently, the City of Florence, Alabama suffered a ransomware attack that shut down its email system and supposedly extracted sensitive information and financial records of the City’s citizens. Hackers gained access to the City of Florence’s network with a phishing email disguised as a DHL shipping notification, which the City’s IT manager unfortunately fell for.

Because an organization’s IT personnel typically have elevated access to the network, once the IT manager’s account was compromised, hackers were able to move freely about the City’s network. Attackers demanded 39 bitcoin (approximately $378,000) to restore the data and system.

Using the compromised account and information stolen from the City’s network, the hackers were able to also compromise two other neighboring cities in the North Alabama region.

How Should Organizations Respond if a Ransomware Attack Occurs?

In ransomware attacks, one might think the most logical response would be to pay the ransom; a $300,000 ransom may appear to be a better option than a reputational hit and millions of dollars in recovery expenses.

However, if the decision is made to pay the ransom, there is no guarantee that the data will be unlocked. Additionally, local governments likely face a mountain of red tape and reputational harm if it’s discovered that tax dollars were used to pay cyber criminals.

In the City of Florence’s case, the attackers, identified as the “DoppelPaymer” group, were generally known to unlock the data if the ransom was paid, but they typically demanded very large payments due to the sensitive nature of the data stolen. Yet in other ransomware attacks, the data often remains locked even after the ransom is paid.

What Should Organizations Learn from the Ransomware Attack on the City of Florence?

Below are three of the most important lessons organizations can learn from this attack, each of which helps protect individuals and organizations from ransomware:

1. Patch and Update Software and Applications

In many cases of ransomware, attackers are taking advantage of vulnerabilities discovered in software and applications. Therefore, it is critically important that vendor-released patches that are rated as Critical or High are implemented almost immediately.

Lower rated patches (Medium, Low or Informational) are also important for system security, but these should first be reviewed for applicability and tested on a small group of machines before distributing to your entire environment.

Vendors vary in how and when they release patches for their applications. Regardless, monitoring and reviewing these release schedules is crucial. Some organizations use third-party patch management software to manage, prioritize and push patches to all systems based on applicability and criticality, but the process can also be performed manually.

2. Provide Employees with Security Awareness Training

A common method of ransomware attack is through social engineering or phishing emails. The basis of an email phishing attack is a message that appears to come from a legitimate company, person or financial institution that attempts to trick you into clicking on a link or to give up valuable information. In the case of ransomware, when the user acts by clicking on a link, the ransomware is introduced onto the machine.

The world’s best security tools and software can often be circumvented by an employee unintentionally introducing ransomware or malware into an organization by clicking on content within a phishing email. To protect ourselves, we must educate, train and raise the security awareness of our employees against these types of attacks.

Security awareness training should not be a one-time event. Training and awareness should be provided and required at least annually. Training helps employees maintain a healthy skepticism about unusual emails and think before they click.

In addition to security awareness training, social engineering testing—sending phishing emails to your users and providing training opportunities if links are clicked on—is another practical method of training your employees to identify phishing emails.
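The checks a mail filter or an analyst applies to a lure like the DHL-themed message described above can be automated. The following is an added example, not code from the article or from Warren Averett: it flags three indicators in a parsed email (a brand named in the display name or subject whose sender domain is not that brand's, a Reply-To pointing at a different organisation than From, and a link whose visible text shows one host while the href goes to another). The brand-to-domain allow-list, the `.example` addresses and both sample messages are constructed for the example.

```python
"""Added example (not from the original article): flag common phishing
indicators in a raw RFC 5322 message. Sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Hypothetical allow-list: brand name -> domains the brand legitimately
# sends from. A real deployment would maintain this from vendor guidance.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def _body_text(msg):
    """Return the first text/html or text/plain part, decoded."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message):
    """Return a list of indicator strings found in the raw message."""
    msg = message_from_string(raw_message)
    indicators = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # 1. Brand impersonation: a brand is named in the display name or subject,
    #    but the From domain is not one of that brand's domains.
    text = (display + " " + msg.get("Subject", "")).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text) and not any(
                _same_org(from_dom, d) for d in domains):
            indicators.append(f"brand-impersonation:{brand}:{from_dom}")
    # 2. Reply-To routed to a different organisation than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        indicators.append(f"reply-to-mismatch:{_domain(reply)}")
    # 3. Link text shows one host while the href points somewhere else.
    parser = _LinkExtractor()
    parser.feed(_body_text(msg))
    for href, shown in parser.links:
        shown_host = _host(shown)
        if shown_host and shown_host != _host(href):
            indicators.append(f"link-mismatch:{shown_host}->{_host(href)}")
    return indicators


# Constructed lure modelled on a shipping-notification theme.
SAMPLE_LURE = """\
From: "DHL Express Shipping" <notify@dhl-parcel-tracking.example>
Reply-To: support@mail-tracker.example
To: itmanager@city.example
Subject: DHL Shipment 1234567890 on hold - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel is on hold. Please confirm delivery details:</p>
<a href="http://tracking-update.example/confirm">https://www.dhl.com/tracking</a>
</body></html>
"""

# Constructed legitimate notification for comparison.
SAMPLE_LEGIT = """\
From: "DHL Express" <noreply@dhl.com>
To: itmanager@city.example
Subject: DHL Shipment 1234567890 delivered
Content-Type: text/html; charset="utf-8"

<html><body><p>Delivered. <a href="https://www.dhl.com/tracking">https://www.dhl.com/tracking</a></p></body></html>
"""

if __name__ == "__main__":
    print("lure :", phishing_indicators(SAMPLE_LURE))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

Each indicator on its own is only a signal; the value for a defender is that a user-facing warning banner or a quarantine rule can be driven by any of them, so a convincing brand name and a plausible-looking link text are no longer enough to get a message through.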

3. Ensure Proper Backups of Data

In the event ransomware infects and encrypts your organization’s data, the last line of defense and restoration is through the backups of your information. Some aggressive types of ransomware also look to encrypt the backups of your data, so it’s crucial to ensure there is a good working copy of your data.

Backups of data should be performed at least daily and need to be stored off-site physically (in a separate facility) or digitally in a cloud environment. IT personnel should also be receiving alerts or actively monitoring backup systems to ensure backup jobs are completed successfully. Periodically, data from those backups should also be restored to ensure that information could be recovered in the event of a data loss.
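The three properties the backup section above asks for (a job that completed recently, a copy that is still intact, and data that can actually be restored) can be checked by a script rather than trusted. The following is an added example, not code from the article or from Warren Averett: it writes a small backup with a SHA-256 manifest, then verifies freshness against a 24-hour window, re-hashes every file, and performs an automated restore drill into a scratch directory. The manifest format, the 24-hour threshold and the sample source tree are assumptions constructed for the example.

```python
"""Added example (not from the original article): verify that a backup is
recent, intact and restorable. Paths and manifest layout are assumptions;
the sample data is constructed in a temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 24 * 3600  # assumption: backups are expected at least daily


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(source_dir, backup_dir):
    """Copy source_dir into backup_dir/data and record a hash manifest.
    Stands in for the nightly backup job."""
    backup_dir = Path(backup_dir)
    if backup_dir.exists():
        shutil.rmtree(backup_dir)
    data = backup_dir / "data"
    shutil.copytree(source_dir, data)
    manifest = {
        "created": time.time(),
        "files": {str(p.relative_to(data)): sha256_file(p)
                  for p in data.rglob("*") if p.is_file()},
    }
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_backup(backup_dir, now=None):
    """Return {check name: bool}; a monitoring job alerts on any False."""
    backup_dir = Path(backup_dir)
    now = time.time() if now is None else now
    results = {"recent": False, "intact": False, "restorable": False}
    manifest_path = backup_dir / "manifest.json"
    if not manifest_path.exists():
        return results  # no manifest means the job never finished
    manifest = json.loads(manifest_path.read_text())
    # 1. Freshness: the last completed job must fall inside the window.
    results["recent"] = (now - manifest["created"]) <= MAX_AGE_SECONDS
    # 2. Integrity: every listed file still hashes to its recorded digest,
    #    which catches silent corruption and a backup encrypted after the fact.
    data = backup_dir / "data"
    results["intact"] = all(
        (data / rel).is_file() and sha256_file(data / rel) == digest
        for rel, digest in manifest["files"].items())
    # 3. Restore drill: copy to a scratch location and re-hash what came back.
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        shutil.copytree(data, scratch / "restored")
        results["restorable"] = results["intact"] and all(
            sha256_file(scratch / "restored" / rel) == digest
            for rel, digest in manifest["files"].items())
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return results


def demo():
    """Back up a constructed tree, then check it fresh, stale and tampered."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        src = root / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2020-06-01,water,123.45\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        backup = root / "backup"
        write_backup(src, backup)
        good = verify_backup(backup)
        # Same backup judged as if three days had passed since the job ran.
        stale = verify_backup(backup, now=time.time() + 3 * 86400)
        # Simulate ransomware overwriting a file inside the backup copy.
        (backup / "data" / "finance" / "ledger.csv").write_bytes(os.urandom(32))
        tampered = verify_backup(backup)
        return good, stale, tampered
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, result in zip(("good", "stale", "tampered"), demo()):
        print(f"{label:9s} {result}")
```

Running `demo()` returns three result dictionaries: the fresh backup passes all three checks, the stale view fails only `recent`, and the tampered copy fails `intact` and therefore `restorable`. In production the same three booleans would feed the alerting the section above asks IT personnel to watch, and the restore drill would target a separate host rather than a scratch directory on the backup server.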

Learn More about Ransomware and How to Protect Your Organization

As attackers continue to search for new ways to exploit our systems and information, we must remain vigilant in ensuring we have performed our due diligence to help prevent and detect these attacks.

To learn more about ransomware, how your organization can educate your employees or what measure you can put in place to protect yourself, contact your Warren Averett Advisor or ask a member of our team to reach out to you.

