The City of Knoxville, TN was left reeling in June after a cyberattack crippled its systems. The city suffered a further setback when the hackers started publishing stolen data online in a bid to extract a ransom payment.
Ransomware attacks have intensified in scope and scale, and a new report from cybersecurity firm BlueVoyant said local governments must be more vigilant in dealing with these threats, and need federal leadership to step up and provide more guidance.
That echoes the final report issued by the Cyberspace Solarium Commission and its subsequent amendments to reflect the challenges wrought by the coronavirus pandemic (COVID-19), which have increased vulnerabilities in local government IT systems.
And it comes with ransomware attacks becoming increasingly sophisticated and relying on a series of steps designed to extort payment from local governments, including press releases and the threat of publicly releasing data.
Austin Berglas, a former FBI special agent in New York and head of ransomware and incident response at cybersecurity firm BlueVoyant, walked Smart Cities Dive through a typical ransomware attack with a series of redacted screenshots, as well as the report.
Step 1: The hack
Hackers can gain access to government servers and computers through a variety of methods, but the most common are through employees opening phishing emails, or by the hackers gaining access to machines through Remote Desktop Protocol (RDP). RDP is typically used by IT workers, either in-house or outsourced, to gain access to computers for technical assistance.
Once the hackers gain access and carry out their hack, computers typically see a message like the one below with instructions on opening a file from the desktop with further instructions. No other access to the computer’s files will be possible.
Step 2: Instructions
If someone using the computer clicks on the Notepad file as requested, they are taken to a series of instructions on downloading a TOR web browser and then going to a specific URL. At that website, which hackers want to have accessed via TOR so it cannot be tracked, a ransom payment can be made to unlock the files and other documents that have been held hostage.
On their websites, the hackers offer a variety of other services, including the ability to communicate with them in real time. Some also pledge to help in the future so this kind of hack does not repeat itself.
"This is no doubt a business, and there are other groups out there that in addition to having that live chat and support team will also offer an additional service," Berglas said. "Lucky you to have to hire this group to consult after they decrypt your network and get everything back up and running. They're there to be consultants to help you make sure that this doesn't happen again."
Step 3: The threat
Some cities choose to pay the ransom and unlock all their files, fearing the consequences of their networks being down for too long and wanting the nightmare to be over.
Indeed, the economic costs of such a hack can be huge. New Orleans said in early January that it had spent more than $7 million in recovery costs after a cyberattack crippled its computer systems.
But some do not cooperate with the hackers. And those that do not often are faced with an explicit threat that the stolen data and information will be made public on the hackers' website. A heavily redacted version of a page by hacking group Maze shows various data dumps that can be accessed, as well as an accusation that a company is "trying to hide a successful attack on their resources."
Berglas said the negative publicity for the hacked company or city is a new tactic being deployed, and it can have devastating consequences on reputations.
"It's a new game, and really, really hard to beat," Berglas said. "If you're an organization and you're being faced with a $20 million ransomware attack, and you've seen proof of life and you realize that they got access to your most sacred files, and if those files were leaked, it would do massive harm to your brand reputation, what are you going to do?"
Step 4: Press releases
The hackers then step up that public pressure with press releases, which are a combination of threats about what will happen to cities' and companies' data if a ransom is not paid, as well as offers of help in a consulting capacity to prevent a repeat.
Those threats also include a deadline of three days to start negotiations, and an ominous warning from the hackers. "If you have failed to start communication in 3 days you can blame only yourself for you [sic] reputation damage and financial lost [sic]," the press release reads.
Berglas said it used to be that many hacking groups would give organizations time to put together a ransom payment, but that is no longer the case as they have reduced the window for payment.
And what many employees don't realize is that if they open the link enclosed in the prior instructions, that starts the countdown mentioned in a press release. So if no one clicks on it, the hackers do not know if they have had any bites on their efforts.
"Hopefully that organization has an incident response plan or has some Incident Response Team on retainer that can come in and help them with it," Berglas said. "But we've seen too many organizations click on that link, and then go, 'Oh crap,' and then call a team and now the team has 24 hours to scramble to help negotiate or make a payment."
As city and state governments try to better prepare themselves for ransomware attacks, Berglas said there needs to be a more standardized way for them to protect themselves and enhance their security protocols.
That standardization could be seemingly as simple as ensuring every local government's website shares the same domain, ".gov," as that can be searched and have any threats tracked by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
The domain name also has added features for local governments like two-factor authentication and the use of the Hypertext Transfer Protocol Secure (HTTPS) for secure communication over the internet.
Berglas said while municipalities are keen to emphasize they are investing in cybersecurity protections for their systems, albeit sometimes only after a major attack, that standardization means federal government protection is playing a leading role.
"I know a lot of these local municipalities, even though they might have certain technology in place, say they are a little bit ahead of the curve and might have endpoint technology that's monitoring all their endpoints and servers," Berglas said. "Do they have the resources in place to actually monitor it? A lot of these things can be solved by having one standardization, one domain, and allowing the federal government to push resources down to make sure that everybody is practicing the same high level of hygiene."
Berglas said it is hard to make blanket policies like a refusal to pay ransoms, something that the U.S. Conference of Mayors (USCM) advocated for last year, especially for businesses that rely on e-commerce and so cannot afford to be shut down for months at a time while they recover their data manually.
But with renewed federal leadership on the cyber challenges faced by local governments, Berglas said it can help localities get the protection they need from the national government and the kind of protection that federal agencies enjoy from CISA and other authorities.
If local governments take threats seriously and are made aware of the impacts of having critical infrastructure taken offline, like what happened in Baltimore with the hacking of its 911 dispatch system, Berglas said that could inspire investment in the necessary cybersecurity hygiene. That inspiration could also come from greater federal leadership, he added, but it has to be less about reacting to events and more precautionary.
"When people realize that you can put state and local infrastructure in the same bucket as health care, and that a ransomware attack against certain state and local infrastructure is essentially going to affect life and limb like an attack against a hospital or a health care provider, people are going to wake up and realize that they need to put more resources there, but that's going to take too much time," Berglas said. "It's almost asking for a cyber 9/11 to happen before people react."