Local governments grapple with ransomware threat

Computers hackers are increasingly targeting local governments with cyberattacks for financial gain.

Hackers this week successfully infected government servers with malware in North Carolina, locking Mecklenburg County officials out of their systems and slowing its operations to a crawl.

Hackers demanded $23,000 in exchange for unlocking the stolen files. Officials are refusing to pay—meaning they will need to rebuild their systems from scratch.

{mosads}The ransomware attack is just the latest assault by hackers on local communities and organizations that lack the funding and resources of corporate America to defend against sophisticated cyber threats. 

“It has a hugely disruptive impact on the operation of local government,” Ryan Kalember, senior vice president for cybersecurity strategy at Proofpoint, said of the attacks.

Ransomware, which has been on the rise since 2015, is a type of malware delivered through a malicious link, email or other means that takes over a victim’s computer and encrypts the data, locking the user out of his system. The perpetrator then demands payments to unlock the data, usually made in bitcoin, a type of digital currency that has skyrocketed in value in recent months. 

The threat gained massive public attention in early 2016, when Hollywood Presbyterian Medical Center paid $17,000 to hackers in order to unlock its networks.

Hospitals have become a popular target for criminal hackers looking for a quick payday, and recent events also point to local governments as a prime target.  

In September, officials in Montgomery County, Ala., paid hackers more than $40,000 in bitcoin to recover large amounts of stolen data a week after its networks were hit with ransomware.

“You don’t think about these things till they happen,” Elton Dean, the county commission chair, told the Montgomery Advertiser at the time. “When you are talking about losing about $5 million worth of files, that’s kind of like an emergency situation.”

Local school districts have also been victims.

A school district in Dorchester County, S.C., found its servers infected with ransomware over the summer, which forced officials to pay a $2,900 ransom to recover stolen information.   

In September, a hacker going by the name of “Dark Overlord Solutions” targeted an entire school district in Flathead Valley, Mont., penetrating district servers and stealing confidential student and staff data. The hackers threatened to release the information if a ransom was not paid.

The attacks are garnering attention on Capitol Hill.

“These have become preferred weapons of our adversaries to adversely affect Americans at home,” Sen. Steve Daines (R-Mont.) said during a Senate Homeland Security hearing on Wednesday. “We had a cyberattack on a Montana school in Columbia Falls by an overseas actor. It forced the closure of several schools. It affected over 15,000 students.”

Experts say local governments have been disproportionately targeted because they typically lack the resources to respond to cyber incidents—making it all the more likely that they will pay the ransom.

“These types of criminals like others tend to look for low hanging fruit, unless it’s a state actor who is looking for some kind of ‘impact’ hit,” said Douglas Henkin, a Washington attorney specializing in cybersecurity.

Law enforcement and cybersecurity experts broadly recommend against paying ransoms because it does not guarantee hackers will return the data and could incentivize new attacks.

“Please don’t pay a ransom without talking to law enforcement,” former FBI director James Comey said at a 2016 security forum.

The issue is complicated for local organizations that lack proper backups of their systems. They are faced with either paying a ransom or taking on the time-consuming — and possibly costlier — task of rebuilding the stolen systems from the bottom up.

In the case of Mecklenburg County, officials expect the rebuilding process to take several days.

“I am confident that our backup data is secure and we have the resources to fix this situation ourselves,” Dena Diorio said Wednesday afternoon. “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”

Would-be hackers can purchase ransomware kits on the dark web, making it easier than ever to target vulnerable organizations with this type of malware.

Federal law enforcement has seen some success in combating ransomware attacks, despite the broader difficulty of tracking down the perpetrators.

“Particularly as the attacks get more sophisticated, it remains difficult to identify and pursue the senders of the malware,” Henkin observed, “but there are instances in which authorities have publicly posted decryption keys for certain strains of ransomware, eliminating the need for victims of those strains to pay ransom or use other techniques to regain access to their data.”

The Department of Justice has sought to crack down on these illegal marketplaces, shutting down the vast AlphaBay dark market over the summer as part of a joint operation with authorities in the United Kingdom, the Netherlands, Thailand, and several other countries.

The Department of Homeland Security, which is responsible for protecting critical infrastructure from cyberattacks, also says it is working with the public and private sector to combat the ransomware threat. Mecklenburg County officials said both the FBI and Homeland Security had reached out to them over the recent incident. 

“We share timely, actionable threat information and mitigation strategies to help protect the networks and systems on which we all rely,” a Homeland Security spokesman told The Hill. “Upon the request, DHS has a cadre of cybersecurity professionals that can provide technical analysis and assistance during an incident for the affected entity.”

Still, experts predict that the threat of ransomware will continue to compound, given the potential gains and comparatively little risk for hackers.

Some say the targets could evolve as criminals identify other vulnerable victims.

“The number of victims is likely to increase,” Henkin predicted. “Although the incidents reported yesterday and today happen to involve local governments, you’re likely to see different targets at different times because these actors are extremely opportunistic.”