Reviewing the Increase of Ransomware Attacks on State and Local Governments in Recent Years

In today’s cyber landscape, every organization is a target. According to the analysis group Recorded Future[1], from 2013-2018 there were 148 total attacks against state and local governments in the United States. In October of 2019, CNN reported the number of attacks increased an additional 140 through just the first 10 months of the year[2]. This increase in attacks prompted one writer for Government Technology to claim 2019 as ‘The Year Ransomware Targeted State & Local Governments’.[3] Unfortunately for state and local governments, this trend does not appear to be going away any time soon.

Ransomware is a type of malicious software that blocks access to a computer system or data, often by encrypting it. To regain access to its systems and data, an infected entity is required to pay a ransom.

This ransom is typically provided via an anonymous payment method like bitcoin or another cryptocurrency in order to keep the attacker’s identity secret. Ransomware attackers can obtain access to systems through a variety of avenues. However, the use of phishing emails that entice a user to download an attachment with infected software seems to remain a simple and effective method.

Historically, ransomware attacks seemed to be targeted more at individual users on the internet, or at corporations if an attacker was looking for a more significant payday. However, as state and local governments continue to modernize their systems, their risk levels for ransomware and other cybersecurity attacks may increase.

Why are State and Local Governments Being Targeted?

In recent years, attackers have found success against state and local governments where security is not aligned with the evolution of their IT systems. When compared to corporations or other larger governmental entities, these organizations can be seen as ‘easier’ targets.

Recorded Future, a privately held cybersecurity company that specializes in the collection, processing, analysis, and dissemination of threat intelligence, suggests that even though state and local governments have been affected more in recent years, this may be due more to opportunistic motives than to attacks specifically targeted at state and local governments.[4]

State and local governments may also face pressure from citizens to find a swift solution, which, in the eyes of attackers, may increase the likelihood that they will pay the ransom. While statistics on the total number of attacks that end in payment are disputed (it is surmised that governments may be unwilling to report when attacks occur and whether they elected to pay the attackers), the reported payouts have proved to be substantial. For instance, in 2019:

  1. Riviera Beach, Florida elected to pay a ransomware attacker $600,000 in an attempt to release its systems[5]
  2. Jackson County, Georgia made a payment of $400,000 to the attackers[6]
  3. Baltimore, Maryland, the victim of the largest attack in 2019, paid an estimated ransom upwards of $18.2 million in recovery and mitigation costs to the city after its online payment systems were attacked[7]

Organizations dealing with ransomware attacks are faced with the possibility of being shut down for an unknown period of time. In cases where entities don’t have any other options, the threat of having to implement new systems or to continue operations using pen and paper (as Garfield County did until funds were transferred) has caused hacked governments to concede to attackers. In addition, a recent evolution of these attacks has added the threat that personal or financial data will be sold or posted on the internet if governments do not make payment.

While the number of ransomware attacks is on the rise, awareness of the attacks has enabled state and local governments to increase their defense capabilities. Governments with adequate backup procedures that are regularly tested, and with the ability to restore from those backups, may be able to avoid ransom situations. In addition, implementing a robust control framework that includes employee training and additional system safeguards that address the risks of cybersecurity attacks can help governments be better prepared for such events. These mitigating controls and procedures can then be periodically assessed to help ensure that governments are applying adequate safeguards according to best practice in order to prevent the negative impact of a ransomware or other cybersecurity attack.

If mitigating controls are not currently in place, organizations may want to consider a thorough cybersecurity assessment to identify gaps within their current IT control environment. Potential types of IT reviews may include gap assessments, IT audits, and/or a continuation of operations review. Understanding your current IT control environment is critical to understanding your government’s exposure to potential ransomware attacks, and to having the understanding and resources to implement mitigating techniques that reduce the chances of becoming a victim in a future attack.
