Ransomware Attacks for Local Governments and Public Agencies: A Primer

Public Finance Alert
April 3, 2018

Background

The recent ransomware attack on the City of Atlanta highlights the fact that the threat of ransomware affects all organizations, regardless of the nature of their industry, business, or operations, and that political subdivisions and quasi-government entities face particular challenges in protecting themselves and responding to attacks. Counties, cities, political subdivisions, and nonprofit corporations have become a favorite target for cybercriminals because they increasingly rely on technology to collect, store, and use personal information in delivering services and programs to individuals, and because their networks tend to run on a complicated, interconnected fabric of legacy systems that is difficult to protect and defend. As a result, attackers are targeting emergency response systems, disaster response systems, public utility payment and information systems, police department systems, election and voter information systems, medical information systems, and the general operating systems of public entities. A recent International City-County Management Association survey of chief information officers found that about 44 percent of local governments reported experiencing daily cyber-attacks (without regard to type or threat vector), with about one-quarter of local governments reporting attacks at least as often as once an hour. Yet fewer than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches.

While public entities are often resource limited, there are basic steps that they can take to lower and better manage certain risks from cybersecurity attacks. Below, we review some of the basic attack vectors to which public agencies and public-sector industries are particularly vulnerable, and some of the best practices that resource-constrained organizations can implement.


Ransomware and Other Cyber-Attacks

Ransomware is computer code (malware) that is typically deployed into a network, often when an unsuspecting user clicks on a malicious link or opens a file attached to a phishing email. Once inside the network, ransomware typically self-propagates and encrypts data inside the environment, rendering the data inaccessible and, essentially, useless. A successful ransomware attack can result in the temporary or permanent loss of sensitive information, serious disruption to operations, the financial cost of restoring systems and data, and possible reputational or brand impact to the enterprise.

Generally, the attacker will provide a decryption “key” only after the organization pays a ransom (almost always in hard-to-trace Bitcoin). Other forms of ransomware can destroy or delete data, hide data by relocating it within the network, or even exfiltrate data outside of the organization’s environment.

In addition to ransomware, attackers are deploying a fairly standard array of attacks on public entities, in an effort to gain access to their systems and data, or simply to disrupt their operations, including:

  • Denial of Service: Disrupting operations by bombarding the network with commands/requests that overload the system and take down the network; often accompanied by a ransom demand to stop the attack.
  • Computer Intrusions (Hacking): Gaining unauthorized access to a network and its data, usually by compromising some administrative or technical control.
  • Phishing: Typically an email carrying malicious code or links that dupes the user into taking some action that compromises data or the security of the network.
  • Spear Phishing: Same as above, except that the email/attack specifically targets an individual (or a small group of individuals) and uses information about them to make the attempt appear more authentic.
  • Data Breach: The release or disclosure of data, potentially to an unauthorized third party; can result from one of the above attacks, from improper records disposal, from inadvertent email/transmission of data to the incorrect recipient, from public accessibility of protected information on a website, or similar.

Not Just “Ransomware” Anymore

Historically, ransomware attacks were viewed primarily as a business continuity issue, with the primary post-ransomware workflow focused on getting back online and restarting operations. However, as cyberattackers have become more sophisticated, ransomware has become more than just the end goal, with some attackers using ransomware to mask or conceal other exploits. In other words, a ransomware attack may be a sign of something worse, and thus merits a more sophisticated response. In particular, several regulators have articulated concerns that organizations should address in responding to a ransomware event.

Health Information Portability & Accountability Act (HIPAA): For HIPAA regulated entities, the Health and Human Services Office of Civil Rights (HHS OCR) issued guidance warning that the HIPAA Breach Notification Rule is a “fact specific” inquiry, and where Protected Health Information is “encrypted as the result of a ransomware attack, a breach has occurred because the PHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule.”

Federal Trade Commission (FTC): Although the FTC has very little jurisdiction over public entities, it is seen as the leader in data security enforcement, with many other regulators looking to it and its actions as the North Star for enforcement theories and priorities. The FTC recently reinforced the seriousness of ransomware, signaling that preventable ransomware attacks – ones that exploit known vulnerabilities – may violate Section 5 of the FTC Act. As then Chairwoman Edith Ramirez explained: “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”

Federal Bureau of Investigation (FBI): The FBI recently urged companies to come forward and report ransomware attacks to law enforcement. Notwithstanding organizations' concerns with reporting ransomware to law enforcement, the FBI is calling on organizations to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. The FBI does not support paying ransom demands.” According to the FBI, some organizations never get a decryption key, even after payment. And, every payment “emboldens the adversary to target other victims for profit,” incentivizing similar conduct by other criminals seeking financial gain.

Moreover, U.S. state breach notification rules are generally triggered by an unauthorized “acquisition” of certain delineated types of unencrypted personal information. Ransomware that only encrypts data inside an environment, but does not allow an attacker to exfiltrate it (e.g., download, email, transfer), is unlikely to trigger a notification duty under the statutes that define a breach as the “unlawful and unauthorized acquisition” of personal data. However, for the small number of states that define a breach as “unauthorized access” to personal information, ransomware could trigger breach notice if the attack resulted in the viewing of exfiltrated personal information.

In addition to the direct damage caused by a breach, a cyber-attack could in some cases cause a public entity’s credit rating to be downgraded. While no government has yet been downgraded because of a cyberattack, an S&P Global Ratings analyst has said that a cybersecurity incident could affect a public entity's credit rating. This is due not only to the financial cost of a cyberattack, but also to the accompanying loss of taxpayer trust and of the ability to raise taxes. The risk increases “particularly for smaller governments with less financial flexibility.”

What to Do?

The ransomware landscape dictates that organizations should consider proactive and reactive measures.

Proactive: On the proactive front, the focus should be on reasonable defenses and training. Among other things, organizations should consider:

  • Cybersecurity awareness training for employees, contractors, and local elected officials, including specific training on phishing, incident response, ransomware, and password management and best practices.
  • Improvements to patch and vulnerability management programs, incorporating periodic penetration tests and vulnerability assessments, automatic updates to antivirus and anti-malware solutions, and regular scans.
  • Managed use of privileged accounts.
  • Disabling macro scripts in office files transmitted over e-mail.
  • Implementing software restriction policies or other controls to prevent programs from executing from common ransomware locations.
  • Enhancing business continuity and disaster recovery programs to account for ransomware attacks, to ensure regular backup of data and systems, and to verify the integrity of those backups.
  • Procuring cybersecurity, network interruption, and related insurance.
  • Re-assessing proactive encryption-at-rest strategies to take advantage of notification safe harbors.
  • Incorporating ransomware attacks into incident response planning, with special attention to building additional forensic analyses, PR/communications work streams, and notification considerations into enterprise incident response plans (and/or security team field guides).
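The backup integrity verification named in the list above can be made routine with a hash manifest recorded when the backup set is known-good and re-checked before each restore test. The script below is an added example, not part of the original alert; the sample files and the simulated tampering are constructed, and the manifest is assumed to be stored offline (not on the same share as the backups).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the SHA-256 of every file under backup_dir, keyed by relative path.
    Keep the resulting manifest offline; a manifest on the backup share can be
    encrypted or replaced along with the backups."""
    return {str(p.relative_to(backup_dir)): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the current backup set against the known-good manifest.
    Any entry in 'missing' or 'modified' means the set cannot be trusted for restore;
    'unexpected' files (e.g. renamed or ransom-note files) are a further warning sign."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed sample: a small backup set, then the changes an encryption pass
    would leave behind (one file overwritten with ciphertext, one renamed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.csv").write_bytes(b"id,name,amount\n1,clerk,100\n")
        (root / "voters.db").write_bytes(b"sqlite-format-3" + b"\x00" * 32)
        manifest = build_manifest(root)            # taken while the set is known-good
        (root / "payroll.csv").write_bytes(os.urandom(64))       # contents overwritten
        (root / "voters.db").rename(root / "voters.db.locked")   # renamed with new extension
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Run the manifest build immediately after a backup job and the verification immediately before any restore drill, so a silently corrupted backup is caught before it is needed.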

Reactive: On the reactive side, the key is not to treat a ransomware event as simply that, but to conduct a reasonable investigation to determine whether other data/information was subject to unauthorized acquisition and/or access. The post-incident response workflow should consider (1) the nature and extent of the personal information involved, including the sensitivity of the information and the likelihood that it will be accessed; (2) whether the personal information was actually viewed, accessed, acquired, or exfiltrated; and (3) the extent to which the risk to the personal information has been mitigated.