Over the weekend, news broke that a host of local government departments in the US state of Texas are fighting a severe ransomware attack.
The attack, which began on 16 August, has seen at least 23 government agencies taken offline, the majority of which are, according to the Texas Department of Information Resources (DIR), “smaller local governments”.
The DIR has said that responders are working with the impacted departments, although it has not provided a timeframe for when the issue will be resolved.
A few years ago, this would have been highly unusual, but in 2019 ransomware attacks on city departments and other local governments have become increasingly commonplace.
Government ransomware attacks are on the rise
Texas is by no means the first to be hit by a government-targeted ransomware attack, and is highly unlikely to be the last.
In June the town of Lake City, Florida, was forced to pay $500,000 in bitcoin to regain access to its computer systems after a ransomware attack left the local government crippled for two weeks.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below formBy GlobalData
In July a similar attack hit the Georgia court system, while in May the city of Baltimore, Maryland, was brought to an operational standstill by another ransomware attack.
In some cases, the costs have been particularly severe. In 2018 the city of Atlanta, Georgia, was hit by a massive cyberattack using the SamSam ransomware, which destroyed access to a host of software vital to the city’s operation, including the loss of a significant amount of criminal evidence. Costs to recover from the incident climbed dramatically, ultimately topping $10m.
Targeting cities: Why the Texas ransomware attack isn’t unusual
For hackers, cities are the golden goose of targets. They generally have ageing digital infrastructure, resulting in weaker security than many enterprises, and often provide attackers with greater rewards than similarly sized companies.
“Attacking local governments poses great potential for hackers. In addition to the regular ‘hacker’s benefits’ of gaining access to customer data, an attacker who penetrates a city’s system may get access to sensitive residents information,” explained Liron Barak, CEO at BitDam.
“Depending on the IT structure of the targeted local government, hackers can have an impact on multiple systems, beyond just customer information databases. From an attacker’s perspective, the potential in hacking a city is much higher than the potential in hacking a commercial organisation.”
The layout and activities of local governments also increases their risk of attack.
“Local governments tend to communicate with a wide variety of businesses and individuals, with many of them being one time contacts. This makes them more vulnerable to attacks, as their employees don’t know most of the contacts with whom they communicate in person,” added Barak.
“Moreover, when it comes to cities in the US, many of them are comprised of multiple departments and units, using various technological platforms, policies, and processes. This structure may make it more difficult for the security team to protect each and every endpoint.”
What’s more, the implications of not paying the hackers are often significant, crippling city operations and causing outrage, frustration and at times serious suffering for city residents, who are likely to remember the incident when they next go to the polls.
How much can cities take?
Ransomware attacks on cities have become particularly fashionable among hackers, with each attack seemingly escalating practices.
“Different forms of cybercrime go in and out of fashion according to how effective they are at any given moment. Recently, ransomware targeting smaller local government entities has proven to be a profitable endeavour, hence the rise in this type of attacks,” said Corin Imai, senior security advisor at DomainTools.
Notably, the amounts cities are being demanded to pay are also increasing. While the 2018 Atlanta attack saw the city held hostage for $51,000, more recent incidents have seen hackers ask for hundreds of thousands of dollars.
“The amounts they have been demanding has been getting higher, and there has been more specific targeting of victims,” said Javvad Malik, security awareness advocate at KnowBe4.
“This co-ordinated attack against Texas may be as a result of seeing how cities or city departments are potentially willing to pay a ransom.”
With such potential for devastation, there is likely to be a critical point where cities simply cannot pay, and so make the attack method unprofitable for hackers. However, with the cost of not paying historically being so high for local governments, there is likely to be considerable further room for ransoms to climb.
For local governments, then, the focus needs to be on improving security.
“Cities should be more aware of the risk, train their employees and constantly update their systems with security updates and patches,” said Barak.
“They should also get familiar with the latest development in cybersecurity to ensure they are not lagging behind in this cat and mouse race of cyberattacks vs cybersecurity solutions.”
Most importantly, cities need to focus on the risk their employees pose if they are not effectively trained.
“Preventing ransomware is vitally important. With many infections spreading through phishing, training users to be able to spot and report suspected attempts is the first line of defence before technical controls,” said Malik.
“Local governments and SMEs, regardless of their size, should realise that they are still potential targets and should therefore move cybersecurity at the forefront of their agenda,” added Imai.
“Sometimes, even just ensuring that employees are prepared to recognise the signs of a phishing email can be what makes the difference between having to pay a ransom and a diverted security incident.”