State and Local Governments Are Being Held Hostage: What Can Be Done?

Allan Liska

We looked at available public reporting on ransomware attacks against state and local governments. We went as far back as 2013, which is the first that we could find, and sifted through our platform, local news reporting, national news reporting, et cetera, to catalog ransomware events. We filtered for language because oftentimes, the attacks weren’t reported as ransomware, but as a malware attack. We were able to catalog 170 attacks from the end of 2013 through April of this year.

What we found was a growing problem, one that mirrors the overall problem of ransomware. So we saw a big uptick in attacks — a regular uptick from 2013 to 2016, then a dip in 2017, and then it really kicked into high gear in 2018. 2019 seems to be accelerating. This mirrors the overall trends that we’ve seen in ransomware activity. There has been a shift in tactics across all ransomware campaigns, but that led to a dip in 2017 as actors were retooling their ransomware, figuring out new tactics, and gaining access.

We don’t see these as targeted attacks in a specific way — in other words, not necessarily attackers that are looking to go after state and local governments, at least not initially. There has been some more chatter in some of the underground markets and what we colloquially call the “dark web” about going after state and local governments for ransomware attacks, but initially, it just happened to be that they were targets of opportunity; that if an attacker landed in a state and local government, they would then proceed to expand their presence. Unfortunately, when these attacks were successful, they got news coverage. Even though overall state and local governments are actually less likely to pay ransom than other sectors, they get a lot of attention from news coverage.

We see this time and time again. The bad guys love to read about themselves in the paper. So even if they’re not getting paid on the ransom, they love that news, and other bad guys see that and there’s an immediacy effect of, “Oh, I see state and local governments in the news a lot, so state and local governments must be a great place to attack,” which now means there is more underground forum discussion about going after state and local governments. It becomes a self-fulfilling prophecy.

Between January and April of this year, we have seen about 20 ransomware attacks against state and local governments. Since then, we’ve already seen at least another 11 or 12. And those are just the public ones. The total number is probably significantly higher than what’s been reported because a lot of these attacks don’t make it into the press. They get cleared away and systems restored without anybody knowing about it. Even then, we’re definitely seeing an acceleration in attacks for this year.

But only about 17% of state and local government entities that were hit by ransomware definitely paid the ransom. That is a much lower number than other sectors. Based on other research that we’ve seen, about 35% of all ransomware victims pay the ransom, so that’s less than half of what we would normally expect in terms of ransom payments.

We don’t see anything unique in terms of the strains of malware that are hitting state and local governments. The attacks reflect, overall, the types of ransomware variants that are being widely used. What we have seen, which is unfortunate, is that as ransomware actors have changed tactics, those tactics unfortunately happen to mirror the exposed systems that state and local governments have. For example, in 2016, the primary method of delivery for ransomware was phishing. Now, a lot of organizations have put in really good protections against these types of phishing attacks.

So instead, threat actors have pivoted to using remote access — a remote desktop protocol in particular seems to be a sought-after target for these threat actors. We’re seeing them scanning millions of IP addresses to hunt down open remote desktop protocol servers to gain access.

Unfortunately, that aligns with the way many state and local governments manage their internal networks. With funding often being as tight as it is, a full-on VPN isn’t necessarily an option to gain access to the network, so an exposed remote desktop protocol (RDP) server tends to be the way a lot of remote management is done in these networks. So unfortunately, that vulnerability exposure profile matches pretty much exactly what the threat actors are now using as their method of gaining access. That leaves state and local governments particularly, and almost uniquely, exposed compared to other industries for these kinds of attacks.

We’ve also noticed that inside these governments is minimal network segmentation. We’ll see an attack that hits the accounting department, but from there, the attacker has access to the court system, the fire department, the police department, and so on, and they’re able to spread across the entire city. Again, that risk profile fits well with the way the threat actors are moving because with gaining access through remote desktop protocol or other remote systems, they’re not usually able to spread through the network, and they want to infect as many systems as possible.

These combinations unfortunately have made state and local governments an easier target for more modern ransomware campaigns. That, and the media attention that these attacks have drawn, have made a target that’s now sought after.