As the plague of ransomware continues to roil digital payments and other industries, it turns out state and local governments are proving to be particularly vulnerable.
In fact, ransomware attacks on school systems, police departments, city administrative offices, and other governmental agencies are rising fast. Last year, state and local entities reported 163 attacks costing more than $1.8 million in ransoms paid, according to a report released this week by the consulting firm Deloitte & Touche LLP. That number of attacks was up 150% over the number tracked in 2018, the firm says. The total cost of recovering from these incidents amounted to “tens of millions of dollars,” says the report.
Indeed, attacks on public-sector units accounted for fully 10.4% of all ransomware cases tracked in the fourth quarter of last year, according to Coveware Inc., a Westport, Conn.-based cybersecurity firm.
In a number of cases, principled refusal to pay has turned out to be the more expensive option. The city of Baltimore, for example, last year refused to pay $76,000 demanded by cyber criminals who had locked up its systems, but then faced $18 million in recovery costs and forgone revenues.
In a typical ransomware attack, perpetrators don’t steal data. Instead, they use encryption software to scramble the data and then demand payment for the encryption key. Now, in a new twist, perpetrators are starting to pull the locked data into their own systems and threatening to release it publicly if they aren’t paid, according to a report Coveware released in January. Typically, the criminals demand payment in Bitcoin.
But why are attacks on the public sector increasing? Deloitte cites several reasons. For one thing, government entities usually perform routine but vital functions whose interruption could bring inconvenience, if not harm, to ordinary citizens. That makes these entities more vulnerable and raises the likelihood that they’ll pay up, the report says.
Another issue lies in what Deloitte calls an expanding “attack surface.” Every police car and classroom is likely to have a computer in it, says the report, adding that system-linked traffic cameras, ambulances, trash haulers, parking meters, and libraries add to the range of vulnerable attack points.
But perhaps the biggest issue is that strained budgets mean much technology used by local governments is outdated, leaving them without the patches and other protections usually found in private-sector systems. “For state and local governments operating with older, legacy systems, keeping those systems up to date can be a daunting battle,” says the Deloitte report, entitled “Ransoming Government
To this mix, the report adds the rising importance of cyber insurance policies, which can make governments more likely to pay ransoms because the payouts cover all or much of the demand. In the second quarter last year, governments that paid ransoms shelled out 10 times more than what was paid by private-sector victims, says Deloitte. “Cyber insurance, poor defense, and criticality of government services are creating a positive feedback loop where attackers are asking for and getting more money more often,” according to the report.
To fight the trend toward more attacks and higher ransoms, Deloitte recommends governments take steps to isolate critical data in ways that wall off the information from other areas of the system that might come under attack. It also advises steps such as making security patches a priority and running simulations, or “war games,” to prepare staff for attacks.