Site icon Sophos News

Ransomware disrupts 22 Texas government departments

On August 16, Texas local government became the latest victim of the expanding global racket that is ransomware.

We’d like to offer more detail on the incident but, so far, the Texas Department of Information Resources (TDIR) has said very little beyond the fact that 22 departments (originally said to be 23 but adjusted) were affected.

Perhaps that’s not surprising – when ransomware visits 22 departments in a single state, the security staff are likely to have their hands full restoring services.

What we do know is that, so far, two victims have come forward: the cities of Borger and Keene.

The mayor of Keene, Gary Heinrich, told NPR that the ransom demand was $2.5 million.

Henrich indicated that it was a supply chain attack:

They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.

Some reports indicate that the ransomware used was a generic type known as ‘.JSE’ (after the extension that appends encrypted files), while another points the finger at something called ‘Sodinokibi’ (REvil), whose appearance was recently covered by NS.

Naturally, the attack was highly targeted:

At this time, the evidence gathered indicates the attacks came from one single threat actor.

Whatever unfolded in those departments last week, we can infer the seriousness of events from the list of US agencies that were namechecked in the official TDIR press release:

And that’s without counting the US Department of Homeland Security, Federal Emergency Management Agency (FEMA), and the FBI.

How did something that once attacked isolated police departments and universities grow into a problem menacing entire layers of state government and even, on several terrible occasions, the administration of entire cities?

Extortion epidemic

While US government is far from being the only target of ransomware crime, the sheer number of attacks affecting this sector is no coincidence.

As well as being one of the largest governments on earth, the US is one the most complex, covering a web of federal, state, city, county, municipality, and township administrations, which vary by state.

Such complexity makes defense against ‘devil takes the hindmost’ threats such as ransomware inherently difficult. Attackers only need to find one vulnerable system in a single office. Once behind firewalls, such threats can easily spread quickly.

Hitting public organisations is also astute – the public pressure to get them working again is huge, something the attackers know works in their favour.

Texas’s own figures suggest that so far in 2019, ransomware has cost its counties $3.25 million, cities $2.5 million, and its education sector another $1.8 million. Unreported ransomware could be as high as additional $5 million (these numbers don’t include the toll on individuals and businesses).

And it’s not only Texas. In June, it was Louisiana schools, causing a state of emergency to be declared.

In May, the city of Baltimore was hit by an attack that might have been aided by the infamous EternalBlue vulnerabilities.

Others victims have included Georgia’s court system, a Florida city so badly affected it reportedly paid a $600,000 ransom, and Monroe College in New York.

Modus Operandi

Sophos CISO Ross McKerchar spoke to us about how these sorts of attacks unfold.

The bad guys are moving upmarket with coordinated and planned attacks, aiming for larger payouts rather than opportunistic and automated attacks. This is likely a reaction to improved protection against fully-automated attacks.

Ross explained that these sorts of attacks typically:

How to protect yourself from ransomware

Exit mobile version