Naked Security Naked Security

Georgia hit with malware yet again

The Department of Public Safety says it won't pay, but given the umpteen times the state's agencies have been hit, somebody's not listening.

It’s getting hard to keep track of how often Georgia’s been hit with ransomware in the past 14 months or so.

The most recent slap: attackers preyed on the Georgia Department of Public Safety (DPS), according to Government Technology Magazine. The DPS encompasses agencies including the Georgia State Patrol, Georgia Capitol Police and the Motor Carrier Compliance Division, which carries out safety inspections.

Chief Information Security Officer David Allen told the magazine that his staff noticed the attack early Friday morning after some network resources and communication systems went wonky.

Chief Technology Officer Steve Nichols said that the DPS was forced to bump all servers offline while the Georgia Technology Authority investigates the attack. That includes email servers and those that support the department’s public website and backend. Nichols said:

As soon as they saw what was happening [Friday morning] they took all the servers offline across their entire infrastructure.

As of Monday, Government Technology was reporting that Georgia’s DPS hadn’t found evidence of sensitive data being compromised in the attack. State troopers are having to resort to old-school law enforcement, though, said Nichols:

If a trooper is out on a highway writing a ticket, for example, they might be doing it with a pen and paper instead of a tablet. Or, if they’re looking up a license plate, they would radio it into a dispatcher instead of using a tablet.

As well, as the Atlanta Journal-Constitution reports, Georgia State Police, Georgia Capitol Police and Department of Motor Vehicle Safety have all had to switch to an older radio and phone system.

Attackers have Georgia on their mind

Pity anybody working in IT for Georgia these days: over the past year, it’s been a mad scramble of ransomware attacks and costly mop-ups for the state and its agencies.

The first attack hit the city of Atlanta in March 2018 and destroyed years of police dashcam video, as well as freezing systems. Six days after it was hit, Atlanta was still rescheduling court dates, police and other employees were still writing out reports by hand, and residents couldn’t go online to pay their water bills or parking tickets.

That attack involved SamSam ransomware – a high-profile ransomware that was typically used in targeted attacks where cybercriminals break into a victim’s network and launch ransomware manually, to cause maximum damage and disruption.

The crooks demanded what was then roughly $52,000 worth of bitcoin.

In November 2018, two Iranian men were indicted in the US for the Atlanta attack, which was only one out of a crime spree that hit 200 victims, including hospitals, municipalities, and public institutions.

Then, earlier this month, Georgia’s court systems got hit with ransomware that might have involved Ryuk, a relatively new strain of targeted ransomware that picked up where SamSam left off in August 2018.

Another attack came this month: a few weeks ago, on 17 July, the government of Henry County in Georgia – the second fastest growing county in metro Atlanta – announced it had been hit by malware. There was no ransom demanded at the time, so it might have not been a ransomware attack. Whatever it was, county officials wound up losing access to the internet and most online services. Four days earlier, on 13 July, the police department in Lawrenceville, Georgia was hit with ransomware. Hackers encrypted most of the department’s data, including body camera footage.

Will Georgia’s DPS pay?

CISO Allen told Government Technology that paying ransom to crooks isn’t the DPS’s policy. Nor is it his policy to even read the ransom notes, he said:

In all honesty, I don’t even typically look at the files they leave behind on how to contact them. I don’t agree that it’s more cost effective to pay [the ransom] because even if you pay it and get some of your system decrypted, it doesn’t always happen in a clean fashion.

That, in fact, is an attitude shared by US mayors: a few weeks ago, the US Conference of Mayors resolved that ransomware attackers could all go suck on a lemon.

After a whole lot of good, solid “whereas” points, the nonbinding resolution for the country’s mayors was this:

NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home”>XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.