The IT systems of the City of Durham and Durham County in North Carolina have been shuttered since a successful ransomware attack struck the municipalities on the evening of March 6. Although details are still sketchy, the North Carolina Bureau of Investigation indicated the attackers used Russian-made malware known as Ryuk.
Durham joins a growing list of local governments grappling with the latest security scourge sweeping the country: ransomware attacks against poorly fortified local government systems that are ill-prepared to recover from these assaults. Municipal governments like Durham are attractive targets for ransomware attackers as more governments are being held hostage more frequently and for more money, according to a new report released today by Deloitte’s Center for Government Insights that examines trends in ransomware attacks on state and local governments.
According to the report, in 2019 governments reported 163 ransomware attacks, a nearly 150% increase from 2018, with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs. Tight budgets, a growing attack surface and inadequate cybersecurity talent are the top reasons that cities struggle with the attacks, the report said.
Why municipalities are favored ransomware targets
The wider attack surface is emerging as cities deploy more computers and connect their networks to a wider array of services, from traffic light systems to ambulances to garbage trucks, according to Deloitte. At the same time, tight fiscal budgets constrain cities modernization efforts, including the adoption of new cybersecurity tools. Finally, local governments struggle to attract the cybersecurity talent they need, the report says. A biannual NASCIO/Deloitte cybersecurity survey found a lack of budget to be the top concern of state-level CISOs every year since 2010, the report notes.
“Local and state governments have consistently not invested in cyber because they don't have the funding,” Srini Subramanian, principal, Deloitte & Touche and cyber state and higher education sector leader, tells CSO. “The second is the proliferation of services that they need to offer to their citizens in an online and internet based medium. Third is that the state and locals really don't have a chance to keep up bringing cyber talent.”
Cyber insurance ransom payments might increase ransomware risk
Another factor driving the rise in the number of municipal ransomware attacks is the growing prevalence of cybersecurity insurance among state and local governments. “We believe that part of the problem, the reason why there is so much more payment of ransom [by local governments] is potentially because of the cyber insurance. The cyber insurers figure that paying ransom is probably the quick way for the services to come back online and possibly a more cost-effective way of dealing with an attack,” Subramanian says, giving attackers a greater financial incentive to hit cities.
The costs of refusing to pay the ransom are typically high even if, as the report notes, refusing to pay the attackers is the “more principled” option. The city of Baltimore refused to pay ransomware attackers the $76,000 they demanded after a ransomware attack in May 2019. That decision ended up costing the city an estimated $18.2 million in restoration costs and lost revenues.
Insurers, too, are pushing policies on municipalities because as a product cybersecurity insurance is currently quite profitable. For every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims, making cyber insurance nearly twice as profitable as other types of insurance, the Deloitte report states.
Recommendations for ransomware protection
Subramanian believes local governments will stop paying ransom because they will get wise to the need for maintaining robust backups and backups that are either offsite or air-gapped away from the main municipal networks. “So if they can have a solid and a robust backup and restore mechanics and they have confidence in it, then most of the local government are going to come back and say, ‘well, you know what, we're not going to pay the ransom and we are going to restore from our backups.’”
Success is possible if local governments focus on backup and restoration resiliency following ransomware attacks, the Deloitte report suggests. “Training and resources—and a bit of luck—can thwart hackers who have been hobbling US cities and counties.”
The Deloitte report offers this advice to municipalities worried about ransomware attacks:
- Keep critical data compartmentalized so it’s harder for ransomware to encrypt.
- Disable extraneous services on connected devices.
- Put policies in place that prohibit checking personal email or playing games on critical hardware.
- Develop air-gapped backups.
- Train all employees to be more cybersecurity aware.
- Use war-gaming exercises to simulate ransomware attacks.
- Patch and update systems and software in a timely manner.
- Communicate and collaborate with peer organizations to share information and learn from each other’s successes and failures.
One last piece of advice is to not assume that if you get hit by ransomware once that it won’t happen again. A trend that the Deloitte researchers expect to emerge is that municipalities that got hit once with ransomware are likely to see their attackers make a return visit. “Even if they are successful in recovering operations after being ransomed, it’s only a matter of time before they're going to be hit again,” Subramanian says.
“We are still in early stages of this life cycle that we haven't seen the same municipal governments get hit multiple times yet,” he says. That’s why Deloitte is pushing its clients to develop confidence in their ability to survive another ransomware attack. “We are telling them to focus on that resilience in the immediate term, which involves the ability to backup and restore and keep the backup secure from ransomware type attacks.”