Ransomware Advice for Government Agencies
Like other organizations, government agencies at all levels (city, state or federal) face increasing cybersecurity threats. Unfortunately, however, the stakes can be much higher for a government agency, simply because thousands or millions of citizens may rely on an agency to perform a critical function or provide an important service. Ransomware attacks are among the most serious threats that agencies face, because 1) they can disable normal work by blocking access to data, and 2) they force a difficult decision: whether or not to pay the ransom. Government agencies can ill afford either option: to be disabled, or to pay ransom fees that are often exorbitant and offer no guarantee that the perpetrator won’t come back for more.
In a typical ransomware attack, cybercriminals infect computers on a network with malware that encrypts each user’s files. The hackers demand payment, usually in the form of Bitcoin, to decrypt the files. Other sources of cyber-ransom demands include the threat of distributed denial-of-service (DDoS) attacks, in which a cybercriminal sends a message threatening to take a website or other critical services offline unless a ransom is paid by a certain deadline.
How common are ransom attacks? They are all too common, and on the increase. According to an October 2019 CNN article, there were 140 ransomware attacks on government agencies or hospitals, as of October, and that number was a steep increase from 2018. Undoubtedly some attacks aren’t reported because agencies don’t want to draw attention that could cause public alarm or encourage other hackers.
“Ransoming government: What state and local governments can do to break free from ransomware attacks” is a new report published by Deloitte’s Center for Government Insights, which cites government agencies as one of the top targets for ransomware. The report offers some guidance about 1) why they are vulnerable to such attacks, 2) how to prevent a ransom attack, and 3) how to respond in the event of a ransom attack.
When faced with a ransom attack, what should agencies do? In general, the US Federal Bureau of Investigation (FBI) ransomware guidance advises against caving in to a cybercriminal’s demands, for fear that it would encourage more of the same crime, either against the same organization or against others. Plus, there is never a guarantee that the hacker will cease the attack, or provide a decryption key, even if the ransom is paid.
However, it may be necessary to pay the cybercriminals in cases where the impact of the attack is clearly more expensive than the ransom. As Deloitte reports, “The costs associated with restoring the system and loss of revenue when systems are down often significantly outweigh the ransom demand. For example, in May 2019, the city of Baltimore was hit with a ransomware attack demanding US$76,000, and it decided not to pay. This decision cost the city at least US$18.2 million in a combination of restoration costs and lost revenues.”
An abbreviated summary of Deloitte recommendations includes:
- “Avoid becoming a target in the first place—partly by developing smarter systems, and partly by having skilled staff to work with these systems.”
- Minimize risk by “improving basic cyber hygiene and using war-gaming to prepare for real-life attacks.”
- Deploy emerging technologies (such as AI).
- Adopt an ecosystem approach to cyber (share incidents with other government agencies to learn from each other’s mistakes and successes, and report attacks to law enforcement).
The advice is good, but the challenges remain massive. For example, hiring skilled cybersecurity staff is easier said than done in a climate where there is a severe shortage of such workers, and many of them are drawn to work in the private sector, where salaries tend to be much higher. It’s possible, but perhaps time-consuming, to follow Deloitte’s other piece of advice on hardening systems by compartmentalizing networks and developing air-gapped backup systems.
In terms of AI technologies, some of them are proving useful at recognizing cyberattacks in their early stages, including those that deliver ransomware. But to ward off DDoS attacks, whether for ransom or any other motive, AI is not yet a proven approach; instead, developing new protections based on a combination of expert human analysis and machine learning is currently delivering the best advances in automatic solutions.
Teaching employees to practice good cyber hygiene is essential, and it is perhaps the least costly measure. An ounce of prevention is worth a pound of cure, as the saying goes. Sharing information among professional peers and law enforcement agencies is a good practice; no one can argue against that. But finding the time or budget to do so may be difficult, given that many government agencies operate with lean IT and cybersecurity staff and budgets.
Overall, the Deloitte report gives good advice to government agencies. There are no “silver bullet” solutions to ransom attacks, but at least agencies can follow some basic advice to reduce their chances of being victims, including deploying automatic, real-time DDoS protection to take the impact of DDoS attacks off the table.
For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.
Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Before joining Corero, Sean was network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.