Ransomware in state and local governments is a significant threat to all branches and departments.
In the very best case scenario: A government office is targeted by a successful ransomware attack. Thanks to an excellent allocation of resources, well-orchestrated protocols and employee adherence to the protocols, effects on services and infrastructure related to the attack are minimal, and little financial damages are incurred.
In the very worst case scenario: A government office is targeted by a successful ransomware attack and no one is prepared. There are no protocols or procedures to follow. Resources are stretched too thin, incident response is slow and difficult. Attackers are critically able to hold necessary government infrastructure hostage -- potentially draining departments of taxpayer funds and shutting down vital public services.
Survey data collected by Sophos finds confirmation among 5,600 IT professionals: Ransomware attacks are a matter of when, not if. And organizations that don’t take these attacks seriously are playing with fire. Compared to the private sector, state and local agencies stand to lose considerably more by the simple virtue of their responsibilities as public servants. Weakened trust in civic institutions, loss of personally identifiable citizen data, and shuttering of critical services are just some of the consequences resulting from a successful ransomware attack on the public sector.
Among the state and local IT professionals Sophos surveyed:
- Fifty-eight percent (58%) said their organization was the victim of one or more ransomware attacks in 2021, up from 34% in 2020.
- Eighty-two percent (82%) said the most recent ransomware attack affected operations and core functions.
- Seventy-two percent (72%) said adversaries had succeeded in encrypting data, one of the highest rates observed across all sectors in the study.
- Sixty-three percent (63%) used backups to restore lost or encrypted data, ten percentage points less than the global average (73%).
Challenges to local governments fighting ransomware
Opportunistic adversaries will hunt for and exploit any detectable weaknesses found in their target. State and local government agencies are particularly attractive to attackers due to several known weak areas in government-level cybersecurity:
- Inadequate cybersecurity resources and personnel. As the chief security officer in a Maryland county noted: “Google has 2,000 security engineers…I’ve got four.” Even though more state and local orgs are beginning to prioritize cybersecurity in their budgets, the reality is that they often lack the kind of access to competitive cyber talent and tools that tech giants in the private sector can command.
- Public-facing operations create a larger attack surface. Obtaining a driver’s license, securing a building permit, filing a patent, registering to vote, or acquiring a visa are just some of the many touchpoints where citizens directly interact with a governing body. Unfortunately, each of these exchanges add up to a significantly larger attack surface for bad actors to launch ransomware – whether via phishing attempts on a public-facing app, or just by using public records to socially engineer one’s way into agency IT.
- Attackers can exploit unavailability of government-run services. Ransomware groups understand that many government services are critical to the lives of citizens, especially the vulnerable. They believe they can guarantee themselves a payday by exploiting these dependencies. If the systems that run water and waste treatment don’t function, or 911 services go offline, or health networks get disconnected, human lives can be lost. Ransomware groups frequently leverage this understanding to pressure state organizations to pay up in exchange for restoration of systems that run critical operations.
"In general, we tend to loathe people who prey on the weak or weaker if you will. Ransomware actors going after banks; yes it’s bad, but the banks are well funded. They can take care of themselves. When you’re going after hospitals, when you’re going after school systems – we’ve seen ransomware actors go after food banks. You’re targeting the weak, people who can’t defend themselves."
Allan Liksa, intelligence analyst at Recorded Future
- Lack of consistent reporting and unified response. There is ongoing debate as to whether state and local agencies should pay ransoms to restore timely services or adopt a non-negotiable stance in all matters. In 2022, North Carolina and Florida became the first states to enact legislation forbidding public entities from paying ransoms. Even if other states follow suit, the 2018 ransomware attack on Atlanta shows that non-negotiation can sometimes backfire. Atlanta refused to pay the $50,100 ransom, but spent an estimated $17 million on remediation and recovery in the years that followed. On the other hand, studies show that organizations that do pay the initial ransom are often hit by additional ransomware attempts. There’s no easy answer here, and the lack of any universal reporting mechanism stunts a unified effort to address the problem.
Resources and recommendations for fighting ransomware
While states and localities face challenges ahead, there’s reason to hope as well. The Biden Administration has promised to funnel $1 billion in funding toward state and local cybersecurity programs over the next four years. For the first time ever, states will receive cyber grants to support creation of “critical governance frameworks” for identifying key vulnerabilities, required mitigation tools, and cyber workforce recruitment needs (such as installing qualified CISOs, CIOs, and CTOs).
With financial support on the way, state and local governments have the opportunity to secure against the ransomware threat more seriously by instituting some or all of the measures below.
- Follow ransomware guidance of federal cybersecurity bodies CISA and NIST
- Establish routine data backups for offline storage
- Implement multifactor authentication and zero trust policies
- Establish 24/7 continuous monitoring and endpoint protection with the aid of MDR
- Qualify for and obtain cyber insurance to help cover recovery costs and damages
- Network segmentation to prevent lateral attack movement
- Regularly update and patch systems
- Provide employees training and raise awareness of cyber hygiene
- Increase collaboration and intelligence sharing with state partners
- Thoroughly vet third party dependencies
- Conduct proactive risk assessments (like tabletop exercises)
Additional literature
Interested in specific coverage of ransomware attacks on state and local organizations? We’ve got you covered. Here’s a sampling of our recent reporting on this issue.
- Wisconsin school district attacked by Snatch ransomware group (October 25, 2022)
- Indiana Housing Authority compromised by ransomware attack (October 25, 2022)
- State Bar of Georgia ransomware attack led to data breach (October 11, 2022)
- Los Angeles school district to remain open despite ransomware attack (September 6, 2022)
- Ransomware attack at La. city under investigation (June 7, 2022)