Update: New Findings in Ransomware Attacks on State and Local Government

October 8, 2019 • Allan Liska

In early May, Recorded Future published a report about ransomware attacks affecting state and local government. Before discussing data updates to that report, I want to express my gratitude for the support and discussion that this blog post has generated. The number of ways that other organizations have found to use and build upon our initial data set is truly astounding and we appreciate the fact that our research has proven to be valuable to so many.

The initial report and analysis contained incidents reported through the end of April 2019, and it documented 169 ransomware attacks against municipalities. Through the end of September 2019, that number has skyrocketed to 230 attacks. There have now been 81 attacks in 2019, which blows away the updated 55 attacks from 2018.

There have also been a couple of significant changes in attack methodologies during the year. The first is the attack in Texas, which affected 22 municipalities. We recorded that as a single attack, even though 22 towns and cities were impacted. What makes this attack unique is that it is the first ransomware attack against state and local government where the attacker used a managed service provider (MSP) as the entry point. The attack, which deployed the Sodinokibi (REvil) ransomware, is consistent with other attacks by that group that have relied on MSPs as their entry points.

The other significant change we have noted this year is the focus on school districts as targets. There have been 29 attacks on public school systems this year. The overall number is actually much higher, but we are only tracking attacks on schools that are part of public school systems. Of particular interest was a rash of 15 attacks against school districts in the August and September time frame. These attacks appear to have been targeted to disrupt school districts as their school years were starting. The idea was that these school systems would be more motivated to pay the ransom, and several school districts did opt to do so. Others, however, delayed the start of school to finish restoring systems.

With almost three months left in a year that has already taken a heavy toll on IT and security teams from municipalities around the country, we expect to continue seeing an evolution in tactics and even more ransomware attacks.

Learn more about how ransomware attacks are impacting the healthcare industry.