On August 16, Texas local government became the latest victim of the expanding global racket that is ransomware.
We’d like to offer more detail on the incident but, so far, the Texas Department of Information Resources (TDIR) has said very little beyond the fact that 22 departments (originally said to be 23 but adjusted) were affected.
Perhaps that’s not surprising – when ransomware visits 22 departments in a single state, the security staff are likely to have their hands full restoring services.
What we do know is that, so far, two victims have come forward: the cities of Borger and Keene.
The mayor of Keene, Gary Heinrich, told NPR that the ransom demand was $2.5 million.
Henrich indicated that it was a supply chain attack:
They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.
Some reports indicate that the ransomware used was a generic type known as ‘.JSE’ (after the extension that appends encrypted files), while another points the finger at something called ‘Sodinokibi’ (REvil), whose appearance was recently covered by NS.
Naturally, the attack was highly targeted:
At this time, the evidence gathered indicates the attacks came from one single threat actor.
Whatever unfolded in those departments last week, we can infer the seriousness of events from the list of US agencies that were namechecked in the official TDIR press release:
- The Texas Department of Information Resources
- The Texas Division of Emergency Management
- The Texas Military Department
- The Texas A&M University System’s Security Operations Center/Critical Incident Response Team
- The Texas Department of Public Safety
- Computer Information Technology and Electronic Crime (CITEC) Unit
And that’s without counting the US Department of Homeland Security, Federal Emergency Management Agency (FEMA), and the FBI.
How did something that once attacked isolated police departments and universities grow into a problem menacing entire layers of state government and even, on several terrible occasions, the administration of entire cities?
Extortion epidemic
While US government is far from being the only target of ransomware crime, the sheer number of attacks affecting this sector is no coincidence.
As well as being one of the largest governments on earth, the US is one the most complex, covering a web of federal, state, city, county, municipality, and township administrations, which vary by state.
Such complexity makes defense against ‘devil takes the hindmost’ threats such as ransomware inherently difficult. Attackers only need to find one vulnerable system in a single office. Once behind firewalls, such threats can easily spread quickly.
Hitting public organisations is also astute – the public pressure to get them working again is huge, something the attackers know works in their favour.
Texas’s own figures suggest that so far in 2019, ransomware has cost its counties $3.25 million, cities $2.5 million, and its education sector another $1.8 million. Unreported ransomware could be as high as additional $5 million (these numbers don’t include the toll on individuals and businesses).
And it’s not only Texas. In June, it was Louisiana schools, causing a state of emergency to be declared.
In May, the city of Baltimore was hit by an attack that might have been aided by the infamous EternalBlue vulnerabilities.
Others victims have included Georgia’s court system, a Florida city so badly affected it reportedly paid a $600,000 ransom, and Monroe College in New York.
Modus Operandi
Sophos CISO Ross McKerchar spoke to us about how these sorts of attacks unfold.
The bad guys are moving upmarket with coordinated and planned attacks, aiming for larger payouts rather than opportunistic and automated attacks. This is likely a reaction to improved protection against fully-automated attacks.
Ross explained that these sorts of attacks typically:
- Take longer to unfold: There’s a higher dwell time as the attackers manually work their way around the network towards their targets.
- Are harder to recover from: Attackers tend to understand the business and go for the most impactful assets. They take their time to ensure backups are also encrypted, and attempt to gain deep access to the environment, such as domain admin, making them much harder to kick out.
- Are carefully priced: In some cases, the attackers even access finance systems first so they know exactly how much the business can afford to pay.
How to protect yourself from ransomware
- Pick strong passwords. And don’t re-use passwords, ever.
- Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
- Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
- Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
- Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.