The FBI has warned local governments to expect that ransomware attacks on agencies will have “significant repercussions” by “straining” financial and operational resources and disrupting a multitude of services.
In a newly issued Private Industry Notification (PIN), the federal law enforcement arm said previous ransomware instances levied on local government agencies had impacted public and health services, emergency and safety operations, and compromised personal data.
The severity and frequency of and damage from attacks are not likely to ebb, the FBI said. "In the next year, local U.S. government agencies almost certainly will continue to experience ransomware attacks, particularly as malware deployment and targeting tactics evolve, further endangering public health and safety, and resulting in significant financial liabilities," the law enforcement agency said.
With the cybersecurity community’s attention drawn largely to the war in Ukraine and the resulting threats of global cyber warfare, the FBI’s missive serves as a reminder to the public/private sector and to managed security service providers of ransomware’s potential for destruction.
In compiling information for the PIN, the FBI appeared to rely heavily on a 2021 study conducted in the U.K. on the state of ransomware in 30 countries. Here’s some top line data from that report:
- Mitigating a ransomware attack on a local government often included financial liabilities related to operational downtime, people time, device costs, network costs, lost opportunity, and, in some cases, paid ransoms.
- Local governments were the least able to prevent encryption and recover from backups, and had the second highest rate of paying the ransom compared to other critical infrastructure sectors.
- Underfunded public sector organizations’ understaffed and outdated systems often put them in the position to pay ransoms simply to get the data back.
The report also provides some details on four ransomware attacks dating to January, 2021, spaced roughly four months apart, that hit the local government sector:
- In January 2022, a U.S. county took computer systems offline, closed public offices, and ran emergency response operations after a ransomware attack impacted local government operations, disabled services and resulted in safety concerns.
- In September 2021, cyber actors infected a U.S. county network with ransomware, resulting in the closure of the county courthouse and the theft of a substantial amount of county data.
- In May 2021, cyber actors infected local U.S. county government systems with PayOrGrief ransomware, making some servers inaccessible and limiting operations. The attack disabled online services and the hackers claimed to have exfiltrated volumes of data.
- In January 2021, cyber actors infected local U.S. county government systems with ransomware that compromised jail and courthouse computers in addition to election, assessment, financial, zoning, law enforcement, jail management, dispatch, and other files.
"Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities, and other services overseen by local governments, making them attractive targets for cyber criminals," the alert said.
The FBI has compiled a list of recommended best practices to fend off ransomware’s capabilities:
- Proactively initiate contingency planning for operational continuity in the event of a ransomware attack and systems are inaccessible.
- Regularly check for software updates and end of life notifications, and prioritize patching known exploited vulnerabilities.
- Consider upgrading hardware and software, as necessary, to take advantage of vendor-provided virtualization and security capabilities.
- Implement a user training program and phishing exercises to raise awareness among users.
- Require strong, unique passwords for all accounts with password logins.
- Require multi-factor authentication (MFA) for as many services as possible.
- Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration to safeguard continuity of operations and minimize downtime.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Limit access to resources over internal networks, especially by restricting remote desktop protocol (RDP) and using virtual desktop infrastructure.
- Protect cloud storage by backing up to multiple locations, requiring MFA for access and encrypting data in the cloud.
- If using Linux, use a Linux security module for defense in depth.
To limit an adversary’s ability to learn an organization’s enterprise environment and to move laterally, take the following actions:
- Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities.
- Implement time-based access for privileged accounts. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe.
- Disable unneeded command-line utilities. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Enforcing credential protection by restricting where accounts and credentials can be used and by using local device credential protection features reduces opportunities for threat actors to collect credentials.
- Deploying mutual Transport Layer Security can prevent eavesdropping on communications.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool.
- Organizations should document approved solutions for remote management and maintenance. If an unapproved solution is installed on a workstation, the organization should investigate it immediately.
- Ensure that telemetry from cloud environments, including network telemetry and application telemetry, is retained and visible to the security team.
