The majority of ransomware attacks in 2019 targeted state and local governments, according to a report published by NASCIO, making it the biggest cybersecurity story of last year. As evidenced by well-publicized incidents in Baltimore, Atlanta and many other major metropolitan areas, public agencies are particularly vulnerable to ransomware attacks accounting for 230 reported cases in the U.S. by the end of 2019.
As a result, cities and municipalities have paid up to $600,000 in ransom and are entering into multimillion-dollar insurance agreements because of inadequate protection or lack of security awareness among employees. For the state and local governments that have not paid the ransom, they have incurred collective costs estimated at $27.1 million just to restore systems and increase cybersecurity protocols. Even worse, ransomware attacks can cripple entire infrastructures and force government officials to weigh the costs of disaster recovery, downtime and potential damage to their reputation against giving in to the “bad guys” and letting them get away with it.
Should you ever pay up if you get hit with ransomware?
The FBI strongly advises against paying ransoms. But often, companies offering cyber insurance policies encourage their government agency customers to pay up rather than try to get their files back, since the agencies are more likely to resume operations faster and at a lower cost by taking this approach. However, paying ransom does NOT automatically guarantee that agencies will get their data back. Make sure you have answers to the following questions when considering your options.
• How long ago was a data backup performed?
• How will you receive the unencrypting keys?
• Are you sure the backup can be restored?
• Have you tested your backup prior to the attack?
There are so many risks that even paying ransom seems like rolling the dice and hoping for the best—not the most strategic way to make a business-critical decision. While there is no silver bullet to protect your business from ransomware, you can take the following proactive steps to significantly reduce your risk.
How can you protect your agency against ransomware?
1. Employee education. Attackers are getting super creative with their phishing messages. Warnings of password changes, online purchases, cancellations, credit card fraud, bank transaction verifications and many other tactics try to draw government agency personnel into clicking links that will install malware on the network. Employees should be educated and take ownership of their role in mitigating the risk of a ransomware attack.
2. Patch management. Operating systems, firewalls, switches, routers and all other software need to be patched regularly. This is particularly challenging for organizations with low levels of automation for their patching processes and limited availability of resources. Government agencies should seek to safeguard against attacks by fully patching all software and operating systems with necessary security updates, because hackers can easily exploit these vulnerabilities. Ensure antivirus, firewall and other perimeter protection tools are always operational and up to date.
3. Limit admin rights. Remove local admin privileges to contain and block attacks. For example, you can implement a combination of least-privilege and application control policies on endpoints and servers to prevent malware from spreading from an initial infection point.
4. RDP access protection. Expose remote desktop protocol (RDP) to the internet only when absolutely necessary—and when doing so, avoid setting the passwords to default and make the codes difficult to crack. Be sure to enable multi-factor authentication. If someone attempts unauthorized access, they won’t be able to move laterally within the environment.
5. Regular backups. Ensuring systems are regularly backed up is one of the easiest and most essential defenses against ransomware. If you’re attacked, you can restore your network relatively quickly without giving in to the demands of cyber criminals. Make sure you test your backup. Backing up data does not guarantee you will be able to restore it.
6. Real-time data replication. Leverage file replication for backup purposes using a different target each day of the week. Keep the replicated data offline or archived when not in use. Replicate all files frequently and in real time if possible, so even very recent files have a good replica available for use.
7. Separate backups. Agencies end up paying ransom because they don’t have a safe, secure and separate backup, as was the case with last summer’s Lake City ransomware attack. Although Lake City had backups, they were on the same system the ransomware infected, so the files were inaccessible. It’s crucial to store and secure backups separately. Consider creating a mirror of the production environment in a secondary disaster recovery environment. Segregating systems (OS + application) from data minimizes the likelihood of criminals replicating the ransomware within the disaster recovery environment.
8. Easy failover/failback. Make it easy to shift input/output and processes from your primary location to your secondary disaster recovery location, and then to re-synchronize data back to the primary location. Scanning data at rest in the disaster recovery environment for malware elimination is a good first step. Then, save clean data on a public cloud. This way, if thieves hijack the production environment and disaster recovery, you can restore a clean copy of the data at a modest cost—no ransom required.
9. Practice preparedness. Proactively prepare and rehearse your responses to a ransomware attack. For example: cultivate relationships with local FBI offices and a trusted IT partner like Frontier. If an event does occur, you can follow your well-rehearsed plan and move quickly, significantly minimizing damage.
Whether you work for a state or local government agency, in a major metropolitan area or a rural town, a public school or a police force, the thought of a potential ransomware attack is scary and often overwhelming. But it needn’t be. By following the recommendations outlined above and implementing a network solution like Managed SD-WAN, you can minimize the risk of losing sensitive data and damaging your reputation, without paying obscene ransoms. But you must be proactive.
Serve your sector with total network control.
Call 844.994.1016 to learn more about Frontier’s government IT solutions or request a live demo of Frontier Managed SD-WAN.