On August 16, a coordinated ransomware attack was launched on 22 city, county and police department offices in Texas, seizing and disabling systems and encrypting data. The collective ransom demanded by what state authorities have described as a “single threat actor” is $2.5 million.
While larger municipalities, like Lubbock County, were able to quickly identify and isolate the threat to minimize damage and downtime, smaller entities did not fare as well. Three days after the attack, the 13,000 residents of Borger were still unable to access birth or death certificates or pay utility bills.
The attack shut down the entire municipal network—including the police and water departments—of Wilmer, a small town in North Texas. Wilmer’s mayor told local reporters it would likely take weeks to resume normal operations. Police departments in three other Texas cities were also reportedly disabled by the attack.
“The costs of a ransomware attack fall squarely on the victim of the attack (rather than on a third party),” said Nathan Rose, Senior Underwriter and Business Development Specialist, Burns & Wilcox Canada, Vancouver, British Columbia. “From a municipality’s perspective, this cost is the ability to keep their infrastructure running. For that reason alone, Cyber and Privacy Insurance should be at the forefront of its response considerations.”
Texas Governor Greg Abbott ordered a Level 2 Escalated Response of the state’s emergency-response system on August 16, deploying cybersecurity experts from numerous state and federal agencies to assess and address the damage.
According to at least one leading expert, had this ransomware attack targeted smaller states or those without Texas’ robust emergency infrastructure and cyber incident response system, the damage could have been far more extensive and recovery far more difficult.
“If leaders of an organization do not properly prepare for a ransomware attack, it can leave them vulnerable and exposed,” said David Derigiotis, Certified Information Privacy Professional, Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “They can suffer from severe, long-term economic damages if they do not have Cyber and Privacy Insurance and other safeguards in place.”
Sharp increase in attacks on public sector
Municipalities are attractive ransomware targets for cybercriminals because their systems are often critical to infrastructure and normal operations. Many lack the expertise or resources to implement a robust, state-of-the-art cybersecurity system or response network.
Allan Liska, a cyber intelligence analyst with the cybersecurity firm Recorded Future, compiled a report that indicates a significant increase in the number of ransomware attacks on U.S. state and local governments. So far there have been 62 such attacks in 2019, an almost 17 percent increase over last year’s total.
According to cybersecurity vendor Malwarebytes, between June 2018 and June of this year 53 percent of all ransomware attacks worldwide were made against U.S. targets, while 10 percent were against Canadian targets. Malwarebytes also reported a whopping 365 percent increase in ransomware attacks against businesses between Q2 2018 and Q2 2019.
Despite two high-profile ransomware attacks against Canadian universities in 2016, cybersecurity firm McAfee reported that only 15 percent of students took extra steps to protect their academic data online. According to the same report, cyberattacks against the education sector increased 50 percent between Q1 2018 and Q1 2019.
Phishing is popular with cybercriminals
Most targeted ransomware attacks on an organization are launched through phishing, in which cybercriminals send emails containing malware-infected attachments or links to websites that download malware onto a user’s hard drive and, from there, onto the network.
The more sophisticated hackers will do reconnaissance work on social media to target the right people at an organization with carefully crafted phishing emails, increasing their odds of success and reducing their odds of being caught by a spam filter, explained Chris Burrows, Senior Vice President of Security Solutions at CBI, a Detroit-based cybersecurity firm.
“The top three targets (for phishing) are employees with access to financial operations, decision makers and employees with admin rights (that allow them to install software).”
While agencies remain tight-lipped about the source of this month’s attack, ransomware attacks against three local governments in Florida were launched in June by unsuspecting employees who opened phishing emails and downloaded ransomware programs.
To pay or not to pay?
Opinions vary regarding whether victims should pay ransom. Some point out that it is a difficult but necessary business decision to pay ransom and limit downtime. Others, including experts at the U.S. Federal Bureau of Investigation (FBI), claim the practice encourages further ransomware attacks and places too much faith in cybercriminals to uphold their promises.
Nevertheless, many cash-strapped municipalities feel they have no choice but to try to recover as much as possible as quickly as possible.
On June 24 the city council of Lake City, Florida voted unanimously to pay a $10,000 deductible to its insurance carrier, which then paid a ransom of 42 Bitcoin worth $460,000 to the hacker responsible for attacking city systems with ransomware. A few weeks earlier, the city council of Riviera Beach, Florida voted unanimously to have its insurance carrier pay a ransom of almost $600,000 in Bitcoin.
Baltimore is facing $18 million in damages to repair the system that was felled by an extensive, city-wide ransomware attack on May 7; city officials opted against paying the more than $75,000 ransom. The attack forced many city departments to use manual workarounds for several weeks and also affected hospitals, vaccine production and airport operations. The $18 million figure does not include the cost of cybersecurity services to shore up Baltimore’s systems for the future.
Close gaps and shore up resources
The mayor of Stratford, Ontario has not disclosed whether the city paid a ransom following an April 14 attack that left municipal employees locked out of their computers; however, he characterized Canadian municipalities as “sitting ducks” for cybercriminals and called for a collaborative approach to cybersecurity.
Burrows, who built the cybersecurity program for Michigan’s Oakland County government prior to his tenure with CBI, says that a collaborative approach to cybersecurity is a wise move for public sector entities. He pointed out that there are numerous state and federal cybersecurity resources available to local governments, as well as regional groups like Michigan Government Management Information Sciences (Mi-GMIS).
“It is important to work together as a team with other cities and townships and learn from them,” Burrows said. “This saves time, provides actual lessons learned and a sounding board—a voice of reason, because it is scary if you do not know which way to turn and (lack) an advisory firm or security vendor.”
Burrows created CySAFE, a cybersecurity assessment tool available for free download by governments and businesses. CBI recently collaborated with Oakland County on the county’s newly launched G2G Marketplace, where government agencies can find security and other services offered by Oakland County-vetted vendors and partners at discounted rates.
Burrows said that there are steps that every organization—public or private, large or small—should take to improve its cybersecurity, including: implementing a robust software patching system; educating users about how to spot phishing emails; limiting the number of users with admin rights that allow them to download and install programs on their devices; and utilizing strong password protection programs.
Among the most important steps any organization can take, Burrows said, are scanning—or hiring a private company to scan—its network to identify who is using it, and establishing a cybersecurity incident recovery and response plan. “Having a plan in place that you can easily execute is very important, because after a breach you do not want to be Googling ‘how to get a Bitcoin.’”
Rose pointed to value in not only implementing cybersecurity and response plans, but including a Cyber and Privacy Insurance policy as part of those plans. “You could have the best systems in place, the best people working on preventing or recovering from an event, and you could still be bested (by a ransomware attack),” he explained.
However, he said, Cyber and Privacy Insurance policyholders can recover from an attack more quickly, efficiently and with far less disruption to their normal operations. “When you have a Cyber and Privacy Insurance policy—when you have that backstop in place—it provides you with an opportunity to show your (organization) in a positive light.”
Enlist expert help, plan for the inevitable
Burrows says the first step toward cybersecurity for any organization should be to hire or contract with an experienced IT security professional to help build its program. “Most municipalities do not have cyber people,” said Burrows. “They are strapped just running IT and have not built cyber into their (operations).”
Derigiotis recommends consulting an expert insurance broker or agent to create a custom-tailored, comprehensive Cyber and Privacy Insurance policy, with coverage that includes resources to both prepare for and recover from a ransomware attack or other cyber security incidents. He added that coverage can include financial assistance with ransom payments, access to privacy experts, payment for restoring corrupt systems, retrieving lost data, replacement of damaged hardware, and even the IT overtime costs incurred for dealing with a security incident. “(A Cyber and Privacy Insurance) policy gives organizations instant access to all of the resources that they need to mitigate a ransomware attack or malware event,” Derigiotis said.
“Policyholders have (at their disposal) an expert incident response team, access to managed security service providers and legal resources for ensuring all regulatory and compliance obligations can be met. This is especially critical when ransomware touches HIPAA-protected information. Do you notify or not notify? The legal team will help with that determination.”
“Cyber and Privacy Insurance should be one layer in a cybersecurity structure,” said Rose. “Invest heavily in expert cybersecurity protection with Cyber and Privacy Insurance serving as a safety net underneath it all.”
Some Cyber and Privacy Insurance policies include coverage for resources such as phishing awareness training, security training and other services to create better educated employees, he explained.
“A knowledgeable employee (who recognizes phishing emails) may be the critical factor in stopping a ransomware attack in its tracks,” said Derigiotis. “Insurance carriers are very incentivized to help strengthen organizations, so we offer these types of resources up front, before anything happens.”
“(Organizations, especially) small cities and businesses, cannot just cross their fingers and hope a ransomware attack or cyber event does not happen to them,” Burrows said. “Inevitably, it is going to happen to them.”