OnPolicing Blog

In 2019, government organizations were the intended targets of nearly two-thirds of all known ransomware attacks in the United States.^[1] While many of these events go unreported, at least 70 state and local governments are known to have been attacked last year alone, representing a notable uptick from prior years.^[2] Ransomware attacks generally take the form of hackers obtaining access to a network and deploying malware to encrypt the victim’s data; they then charge a ransom in order for the victim to regain access to their data.

These attacks can bring government operations to a standstill, and result in costs to the municipality that range from tens of thousands to tens of millions of dollars to return to full capacity. It is estimated that between April and June of 2019, government victims of ransomware attacks paid an average ransom of over $300,000.^[3] However, even when the financial demands were met, the hackers did not always remit control, and the integrity of the system remained compromised.^[4]

When a government agency such as a police department is unable to access its data or utilize its network, law enforcement and other public safety operations are dramatically impaired. For example, the impacts of these attacks were demonstrated in recent years when:

• Baltimore, MD’s computer-aided dispatch system for 911 and 311 calls was hacked and briefly disabled, causing dispatchers to revert to manual processes;^[5]
• Riviera Beach, FL records were encrypted and all city services except 911 were suspended for three weeks until the city council paid more than $600,000 in ransom;^[6]
• Atlanta, GA lost years of dashcam footage from patrol cars, which was necessary in DUI cases in which officers’ testimony was not sufficient and;^[7]
• an attack on the city of Lodi, CA disabled phone lines and caused police officers to handwrite reports.^[8]

Given the severity of these situations, many law enforcement agencies see paying the ransom as the only practical solution.

Additionally, for many agencies, not paying the ransom and working to mitigate the damage done by the attack can be measurably more expensive.^[9] For example, a March 2018 ransomware attack on the Atlanta, Georgia government that took nearly all of the city’s agencies offline was estimated to have incurred a total cost of nearly $17 million, while the ransom demanded was roughly $50,000 worth of bitcoin.^[10] Similarly, in May 2019, Baltimore, Maryland was targeted in an attack demanding a $76,000 ransom. The city opted not to pay, and as a result the attack cost the city more than $18 million between restoration costs and lost revenue.^[11]

Ways to Protect Your Agency From Ransomware Threats

Part of the reason that state and local governments are so attractive to cybercriminals is that their limited budgets make it difficult for them to recruit, train, and retain cybersecurity professionals.^[12] In the face of this challenge, it remains that a comprehensive ransomware threat mitigation should be central to an agency’s cybersecurity strategy. This strategy should be multifaceted, ranging from sophisticated backup solutions, to simple reminders to be diligent about opening emails and attachments. Isolating an agency’s core system’s network from the agency’s workstations can drastically reduce the likelihood of a compromised workstation also compromising the system as a whole. Cloud offerings are isolated by design which drastically reduces the risk of data loss and reduces downtime if workstations become compromised.

Prioritize Robust System Backup Strategies That Include Cloud Solutions

To secure your data, it is critical that your agency invest in a robust backup strategy. Data backups are the most well-protected when stored in secure cloud environments rather than on-premise servers. Utilizing a CJIS-certified cloud provider also means that the agency shares the burden of responsibility for security, relying on the larger budget and more advanced data storage infrastructure that the vendor provides. For example, major cloud service providers such as Amazon and Microsoft can maintain current security updates and upgrades for systems while also offering security certifications and protections that would be too expensive and time-consuming for individual agencies to manage. Additionally, the immutable infrastructure of virtual cloud storage and computing means that the system is less vulnerable and more resilient with regard to cyber threats.

As an added benefit, in addition to ransomware and other cyber security threats, CJIS-certified cloud solutions should also provide disaster recovery systems with layers of redundancy options across multiple geographic locations, differing tectonic plates, and flood zones, providing a defense against physical threats in addition to cyber ones.

Commit to a Good Secrets Management Approach

Secrets, the credentials or authentication measures that allow a user to access a sensitive system, are critical to mitigating cybersecurity threats. Most ransomware attacks begin with a phishing email to gain entry-level access, then embedding tools (e.g., mimikatz) originally used for development to steal hashed secrets and open up more of the enterprise–a big reason agencies need a proactive secrets policy. A good secrets management approach includes rotation of credentials, use of dynamic secrets, reduction of secret sprawl, managing who has access to a system and who has the ability to revoke that access, and robust auditing capabilities.

Manage Physical Endpoint Security Vulnerabilities

Protecting and securing the entire Internet of Things (IoT) environment within an agency, including the data at rest and in transit is critically important. A secure cloud environment will include controls and several options for data encryption for all the phases of data activity. Agencies can remove vulnerabilities as soon as they are discovered by automating firmware to push regular manual updates to connected devices such as city security and traffic cameras. Additionally, agencies should implement physical deterrence to discourage physical tampering or wiring of third-party man-in-the-middle devices.

Enable Advanced Threat Intelligence and Proactive Risk Mitigation

Restricting sources of inbound and outbound network traffic and committing to consistent monitoring of network traffic is the best way to be proactive when it comes to risk mitigation. Agencies should implement policy-driven security measures that address risks across connected devices, distributed data sources, and their increasingly mobile workforce.

Executing Audits and Testing

Ransomware attacks can result from the expanding scope of cybersecurity risks, new vulnerabilities, and unforeseen workforce behavior. Internal audits and testing ensure agencies are prepared as the threat evolves. Secure cloud providers, like Amazon Web Services, outline specific and regular intervals in their security audit guidelines.^[13] These efforts require stakeholder investment and buy-in prior to implementing, as they may cause significant changes across the people, processes, technologies, and strategies that define the organization and its operations.

Cultivate Security Awareness Internally

The best protection an agency has against phishing emails, besides training their officers and administrators to circumvent illegitimate communications, is to install a powerful firewall with VPN technology and data encryption to all department computers.

Takeaway

Ransomware attacks create serious issues for law enforcement agencies. Not only can they knock critical systems offline for extended periods and compromise the integrity and security of sensitive information, but they can also require enormous amounts of time and resources to undo. The good news is that many of the threats posed by cyber criminals can be mitigated with a preventive investment in a comprehensive cybersecurity strategy.

——–

About Mark43

Mark43 builds the world’s most powerful public safety CAD, RMS, analytics, and property and evidence platform while providing industry-leading customer care. Public safety has changed in the last 30 years. Technology vendors haven’t. Mark43 provides a refreshing, battle-tested, enterprise implementation experience and product for over 70 public safety agencies of all sizes, with a special competency for major agencies. The cloud-based products are built only with the most modern technologies and are constantly updated, guaranteeing that the platform always outpaces the rest of the market. For more information, visit www.mark43.com.

^[1] https://blog.barracuda.com/2019/08/28/threat-spotlight-government-ransomware-attacks/

^[2] https://blog.barracuda.com/2019/08/28/threat-spotlight-government-ransomware-attacks/

^[3] https://statescoop.com/ransomware-local-government-pays-10-times-more/

^[4]https://www2.deloitte.com/us/en/insights/industry/public-sector/government-ransomware-attacks.html#endnote-sup-13

^[5] https://www.baltimoresun.com/news/crime/bs-md-ci-911-hacked-20180327-story.html

^[6]https://www.cbsnews.com/news/riviera-beach-florida-ransomware-attack-city-council-pays-600000-to-hackers-who-seized-its-computer-system/

^[7]https://www.ajc.com/news/local/atlanta-police-recovering-from-breach-years-dashcam-video-lost/dowuJGBMcW7PLOdK0UhgJJ/

^[8]https://www.latimes.com/world-nation/story/2020-02-05/with-cybercriminals-on-the-attack-states-help-cities-punch-back

^[9] https://www2.deloitte.com/us/en/insights/industry/public-sector/government-ransomware-attacks.html#endnote-sup-13

^[10] https://statescoop.com/house-panel-floats-new-cybersecurity-grants-for-state-and-local-governments/

^[11] https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-ransomware-email-20190529-story.html

^[12] https://www.nascio.org/resource-center/resources/2018-deloitte-nascio-cybersecurity-study-states-at-risk-bold-plays-for-change/

^[13] https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html