US state and local governments told to ‘immediately’ strengthen ransomware defenses

The US Department of Homeland Security’s cyber security unit has warned state and local governments to shore up defenses after a spate of ransomware attacks enormous extortion demands. 

The new DHS alert warns state and local governments that preventative measures, such as backups, patching and an incident response plan, are the best defenses against ransomware. 

The alert is part of a joint announcement by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO). 

Ransomware attacks on cities and agencies across the US have spiked in recent months, resulting in several cities high six-figure sums to their attackers after calculating the cost of non-functioning city IT infrastructure. The city of Atlanta, for example, ended up paying $2.6 million to recover from a SamSam ransomware infection when the attackers had asked for just $50,000 worth of bitcoins.      

The city of Riviera Beach, Florida paid attackers using Ryuk ransomware around $600,000 worth of bitcoins in May. It’s one of several examples that led to a resolution at the U.S. Conference of Mayors (UCSM) in July for mayors not to pay ransomware attackers. 

The joint warning comes just days after the Georgia Department of Public Safety was hit by a widespread ransomware attack. The department is responsible for the Georgia State Patrol, Georgia Capitol Police and the Motor Carrier Compliance Division. 

Security firm Recorded Future compiled a list of ransomware attacks on state and local government agencies in a report in May, covering 2016 to the first four months of 2019. It found that attacks on these organizations are on the rise. In 2016 there were 46 attacks on these targets, which dipped to 38 in 2017, but then rose to 53 in 2018. In the first four months of 2019 there were 21 known attacks. 

Despite huge ransom demands, the company found that only 17.1 percent of state and local government ransomware victims paid the ransom. 

Telstra, for its 2019 Security Report, surveyed 320 Australian execs and found that just over half admitted to paying ransomware attackers and that 77 percent of Australian businesses that did pay got their data back. The proportion that reported having ever paid a ransomware attacker was consistent with APAC and Europe. 

CERT Australia recommends against victims paying the ransom.  

DHS’s joint alert advises governments to “Immediately and regularly back up all critical agency and system configuration information on a separate device and store the back-ups offline”, as well as ensure they can be restored. 

After an attack, admins should restore a “stronger system” than the one that was infected and make sure it’s full patched. 

Secondly, governments should also train employees to recognize phishing attacks and suspicious links, as well as inform them how to report incidents to IT staff quickly, using out-of-band communications. 

The third key piece of advice is for organizations to have a clear incident response plan, and ensuring organizations know how to request assistance from external cyber first responders, such as state agencies, CISA and the MS-ISAC, when an attack occurs. 

CISA separately has also outlined additional steps organizations should take to defend against ransomware. 

"The recent ransomware attacks targeting systems across the country are the latest in a string of attacks affecting State and local government partners. The growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries. Prevention is the most effective defense against ransomware," the alert reads.