Three Lessons that All Organizations Can Learn from Recent Ransomware Attacks on Municipalities

Written by Justin Headley CISSP, CISA on July 2, 2019


We continue to hear about new data breaches and cyber attacks almost daily as attackers constantly search for new ways to bypass the security controls that organizations have in place. As of late, ransomware attacks on municipalities in the United States are increasingly making news headlines.

What is Ransomware?

Ransomware is a type of malware that, once installed on a machine, first encrypts or locks all of a victim’s data and then attempts to spread quickly to other machines on the network. If a victim wishes to recover locked or encrypted data, attackers demand a ransom payment—often in the form of a digital currency, such as Bitcoin. If the data is not already infected by the ransomware, the preferable method to recover data is through back-up files.


Why Learn from Attacks on Municipalities?

While municipalities are often targets, we can all learn lessons that are applicable to any business. Many of the recent ransomware headlines have showcased ransomware’s impact on municipalities, but no business or organization is completely immune. Municipalities are often particularly attractive targets for attackers, as many cities are dealing with decreased revenues and are forced to eliminate or decrease funding for non-essential expenses (e.g., information security).

In ransomware attacks, one might think that a municipality’s most logical response (or any organization’s most logical response) would be to pay the ransom; a $100,000 ransom seems better than a reputational hit and expenses that continue to grow past $20 million. However, if the ransom is paid, there is no guarantee that the data will be unlocked. In ransomware attacks, the data often remains locked by the hacker—even after the ransom is paid. Additionally, local governments likely face a maze of red tape and a mountain of reputational harm if it’s discovered that tax dollars were used to pay cyber criminals.

Here are just a few recent examples of attacks and how the municipalities responded.

Ransomware and the City of Atlanta

In 2018, the City of Atlanta battled a ransomware attack that infected nearly 4,000 computers, and attackers demanded a $51,000 ransom to unlock system files. The group of attackers, self-identifying as “SamSam,” were usually known to unlock the victim’s data if the ransom was paid. However, instead of paying the ransom, city employees were able to slowly restore the network and city functions over many months, but the cost to the city was estimated at $18 million.

Ransomware and the City of Baltimore

In early 2019, the City of Baltimore dealt with a ransomware attack in which attackers took advantage of a stolen cyber weapon that was initially developed by the United States National Security Agency (NSA) years ago from a vulnerability discovered in Microsoft Windows’s operating system. After the cyber weapon was publicly released on the internet, a patch was promptly released by Microsoft to remediate the flaw; however, the patch was never applied to the City of Baltimore’s systems.

The ransomware attack on the City of Baltimore is estimated to have infected approximately 10,000 machines, and the attackers demanded $100,000 in payment. Basic city services have ground to a halt as city employees and contractors have worked in an attempt to restore the network. In addition, even a month after the attack, only a portion of city employees have regained access to email accounts. The costs from lost revenue and remediation have been estimated at about $20 million already.

Ransomware and Cities in Florida

More recently, two Florida cities were also hit with ransomware from a phishing email which encrypted and halted many city services. In both cases, the cities (with the help of cyber insurance) opted to pay the ransom in the amounts of $460,000 and $600,000, against the advice of the FBI.

What Can be Learned from these Ransomware Attacks?

Attackers don’t just target municipal governments with ransomware. All businesses are potentially at risk. In fact, the precautions that organizations can take to protect themselves from ransomware attacks are largely the same across industries and for individuals.

Below are three takeaways and lessons that we have learned from these recent ransomware attacks on municipalities that we can utilize to protect ourselves and our organizations:

1. Patch and Update Software and Applications

In many cases of ransomware, attackers are taking advantage of vulnerabilities discovered in software and applications (as in the case of the City of Baltimore). That’s why it’s critical that vendor-released patches that are rated as critical or high are implemented almost immediately. Lower-rated patches (medium, low or informational) are also important for system security; however, these should first be reviewed for applicability and tested on a small group of machines before distributing to your entire environment. Some organizations utilize third-party patching software to help manage, prioritize and push patches to all systems based on applicability and criticality, but this process can also be done manually.

2. Provide Security Awareness Training

Another common method of attack is through social engineering or phishing emails. The basis of an email phishing attack is that a message appears to come from a legitimate company, person or financial institution. When a victim assumes a ransomware email is credible, the attacker tricks a victim into clicking on a link or giving up valuable information. In the case of ransomware, when the user acts by clicking on a link, the ransomware is introduced onto the machine.

The world’s best security tools and software can still be circumvented by an employee unintentionally introducing ransomware or malware into an organization by clicking on content within a phishing email. To protect ourselves, we must educate, train and raise the security awareness of our employees in regard to these types of attacks. Security-awareness training should not be a one-time event. Training and awareness should be provided by an organization and required for employees to complete at least annually. Proper training will help employees to be skeptical of unusual emails and to think before clicking.

In addition to security awareness training, social engineering testing is another practical method of training your employees to identify phishing emails. Most social engineering tools send simulated phishing emails to your users and provide training opportunities if links are clicked on.

3. Back Up Your Data

In the event that ransomware infects and encrypts company data, the last line of defense and restoration is through the backups of your information. Some aggressive types of ransomware even look to encrypt the backups of your data, which makes it even more important to regularly back up important data. Backups of data should be performed at least daily and need to be stored off-site, whether physically (in a separate facility) or digitally (in a cloud environment). IT personnel should also be receiving alerts or actively monitoring back-up systems to ensure back-up jobs are completed successfully. Periodically, data from those backups should also be restored to make sure that information can be recovered in the event of a data loss.
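The checks described above (daily backups, an off-site copy, alerting on failed jobs and periodic restore tests) can be automated against a backup job history. The following is an added example, not code from the original article; the record layout, the sample jobs and the 90-day restore-test interval are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(hours=24)        # the article: "at least daily"
MAX_RESTORE_TEST_AGE = timedelta(days=90)   # assumption: the article says only "periodically"

# Constructed job history; the record layout is hypothetical, not any product's export.
# Fields: system, kind, finished (ISO 8601), status, offsite
JOBS = [
    ("fileserver", "backup",       "2019-07-02T01:00", "success", True),
    ("fileserver", "restore_test", "2019-06-01T10:00", "success", True),
    ("finance-db", "backup",       "2019-06-25T01:30", "success", True),
    ("finance-db", "backup",       "2019-07-02T01:30", "success", False),
    ("finance-db", "restore_test", "2019-02-01T09:00", "success", False),
    ("mail",       "backup",       "2019-06-30T01:00", "success", True),
    ("mail",       "backup",       "2019-07-02T01:00", "failed",  True),
]

def _too_old(jobs, now, limit):
    """True when no job in `jobs` finished within `limit` of `now`."""
    newest = max((datetime.fromisoformat(j[2]) for j in jobs), default=None)
    return newest is None or now - newest > limit

def audit(jobs, now):
    """Return {system: [finding, ...]} for systems that break a backup rule."""
    report = {}
    for system in sorted({j[0] for j in jobs}):
        backups = [j for j in jobs if j[0] == system and j[1] == "backup"]
        good = [j for j in backups if j[3] == "success"]
        restores = [j for j in jobs
                    if j[0] == system and j[1] == "restore_test" and j[3] == "success"]
        issues = []
        # Alert when the most recent job failed, even if an older copy exists.
        if backups and max(backups, key=lambda j: j[2])[3] != "success":
            issues.append("last_job_failed")
        if _too_old(good, now, MAX_BACKUP_AGE):
            issues.append("stale_backup")
        elif _too_old([j for j in good if j[4]], now, MAX_BACKUP_AGE):
            issues.append("no_offsite_copy")   # recent copy exists, but only on-site
        if _too_old(restores, now, MAX_RESTORE_TEST_AGE):
            issues.append("restore_untested")
        if issues:
            report[system] = issues
    return report

if __name__ == "__main__":
    for system, issues in audit(JOBS, datetime(2019, 7, 2, 8, 0)).items():
        print(system, ", ".join(issues))
```

A system with no findings, such as the constructed fileserver entry, is omitted from the report, so an empty result means every rule passed.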

How should I Move Forward in Protecting My Organization against Ransomware Attacks?

As attackers continue to search for new ways to exploit organizations’ systems and information, we must remain vigilant in ensuring we have performed our due diligence in order to protect our businesses and ourselves. Software patching, training and backups, in addition to a foundation of strong technology controls, will enhance our ability to help prevent and detect these attacks.

Ransomware attacks are truly unfortunate events in the life of any organization, and such attacks can devastate a business or municipality, so it’s important to learn lessons where we can and use the knowledge we gain to safeguard our data.
