New York wants to ban taxpayer-funded ransomware payments

New York state senators have proposed two bills that would require government agencies to tell ransomware attackers to get lost.
The first bill, S7246, was proposed by Senator Phil Boyle on 14 January. The bill would keep government hands out of taxpayers’ pockets, restricting the use of taxpayer moneys when it comes to small cities or towns – with populations under 1 million – paying off attackers with tax money.
If passed, it would also set up a $5 million fund to help overhaul the IT infrastructures of such small towns.
From the bill, now under discussion in committee:

The Cyber Security Enhancement Fund that will make available grants and financial assistance to villages, towns, and cities with a population of one million or less for the purpose of upgrading the cyber security of their local government.

The second bill, S7289, was introduced by Senator David Carlucci two days later, on 16 January. It would prohibit government agencies from paying ransom in the event of a cyberattack against their critical infrastructures.
S7289 is likewise under discussion in committee, and it’s unclear which bill will make it to a vote in the state senate.

First state to join US mayors in the ‘bug off’ camp

We’ve seen mayors in US cities resolve to eschew paying ransom to get their systems back from attackers, but New York is the first state to make a move in that direction – and to back it up with actual (albeit only proposed, at this point) legislation.
In June 2019, the US Conference of Mayors passed a non-binding resolution to tell attackers to go suck on rocks. That body is made up of mayors from 1,407 US cities with populations of 30,000. In its resolution, the mayors cited at least 170 county, city, or state government systems that have experienced a ransomware attack since 2013, with 22 of those attacks having occurred in 2019 alone, including the cities of Baltimore (it was at least its second ransomware attack, having also been hit a year before that); Albany, New York; and the counties of Fisher, Texas and Genesee, Michigan.
Ransomware attacks against state and local governments, while on the rise, are underreported – largely because there’s no requirement that forces governments to do so.
The text for S7289 referred to one of those attacks that happened in Albany last month: on Christmas day last month, the Albany International Airport was targeted, paralyzing the airport. The attackers demanded a ransom in exchange for the return of data and restoration of the airport’s systems. Desperate, the airport complied, paying an undisclosed amount that was less than six figures.
We don’t want to keep doing this, the bill says. We don’t want to keep rewarding these crooks for these attacks. From the bill’s text:

When municipal corporations and government agencies comply with these ransoms, they incentivize cyber-attackers looking to make a quick buck. Prohibiting these entities from complying with ransom requests will remove this incentive and safeguard taxpayer dollars.

Will refusing to pay make them go away?

Probably not, at least initially. Bill Siegel, CEO and co-founder of Coveware – a security firm that helps in ransomware attack recovery and sometimes negotiates payments on behalf of victims – told ZDNet that attackers may be tempted to test lawmakers’ resolve:

I do not think it will staunch attacks on NY based municipal organizations in the short term, it may even increase them as ransomware distributors may try to test the resolve of these organizations.

What’s more, if one of the bills passes, there could well be serious harm done and potential liability for the state agencies, he said:

If a state were to pass a bill making payment of ransoms unlawful, then two large issues should be heavily considered. 1) What happens if a NY-based municipal hospital is attacked, and the downtime causes the loss of life that could have been avoided if they were allowed to pay? 2) Are the state’s municipal organizations adequately staffed and budgeted with [disaster recovery] plans, backup systems, and security programs to effectively repel and recover from an attack without creating material interruption to civic operations?

There haven’t been any deaths attributed to ransomware attacks on healthcare facilities, or prisons, or emergency service dispatching, or schools – yet. That could be attributed to simple luck, given the havoc such attacks have raised, including emergency patients having to be redirected to other hospitals, medical records rendered inaccessible or permanently lost, cancelled surgeries, postponed medical tests, interrupted emergency-call services, police losing access to criminal histories or warrants, jail doors that couldn’t be opened remotely, and schools losing access to data about students’ medications or allergies.
A $5 million grant to bolster local governments’ security posture would be a step in the right direction, but it’s likely just a drop in the bucket when it comes to adequately hardening defenses.
After all, there’s a long, long way to go. Case in point: in October 2019, an audit of the much-attacked city of Baltimore concluded that its data-storage was “mind-bogglingly bad” – as in, many staffers in the city’s IT department were storing files on their computers’ hard drives, rather than keeping properly backed-up data, stored in the cloud or off-site.
Keeping data properly backed up is one of the key requirements when it comes to protecting yourself from ransomware. Here are some other ways:

How to protect yourself from ransomware

• Pick strong passwords. And don’t re-use passwords, ever.
• Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
• Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
• Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

Latest Naked Security podcast