
How has Ransomware Impacted the US Government?


Ransomware crimes have been soaring this year, stalling the operations not only of hospitals and businesses but also of the US government: federal, state and local agencies, law enforcement and even schools.

How has the government reacted to this rising threat?


It’s been a challenge. Protecting a government’s digital assets is time-consuming because the threats constantly evolve and grow more sophisticated.

CIO Rami Zakaria of California’s Sacramento County said that he has four people who dedicate much of their time responding to potential threats and breaches.

He advised, “This is the new reality. You have to invest in information security.”

Part of that investment means backing up your data. Some IT professionals say that because they have backups they will never have to pay a ransom, but once you add up the time, effort, upgrades, restoration and cleanup, recovering from backup is its own kind of payment, and one that has already disrupted government operations.

How are the different branches of government paying? We broke it down, starting with the state, local and education agencies.

Ransomware twice as likely to hit State, Local and Education (SLED)

In 2014, thirty-five state and local governments reported problems with ransomware.1 That number isn’t huge, but it isn’t insignificant either: that same year an attacker demanded $800,000 from the city of Detroit after encrypting some of its files. The city didn’t pay because the encrypted data was stale.

By 2015, according to a new report on State and Local Government and Education (SLED), 67% of government networks and 72% of education networks had triggered critical malware or ransomware alerts, compared with just 39% of non-SLED networks.

The same report found that SLED networks are nearly twice as likely to be infected with malware or ransomware and four times more likely to be infected with CryptoWall.

Earlier this year, ransomware infected a New Jersey school district’s “entire operations from internal and external communications to its point-of-sale for school lunches. It also prevented any students from taking the scheduled exams, which are entirely computerized.”

The school district didn’t pay the ransom and announced, “Encrypted files were restored from backup to their original state. Servers were restored to remove any trace of the malware. Email and other systems are being restored as quickly as possible.”

However, another district paid the $8,500 ransom because more than 40,000 teachers and students relied on the servers, and officials judged the amount small relative to what the data was worth. They did say that paying more might not have been an option.

The Federal Government’s Battle with Ransomware

SLED has been struggling with ransomware, and it appears the federal government has been as well.

The Department of Homeland Security stated that in 2015 over 300 ransomware-related incidents affected 29 different federal networks. However, the Department is not aware of any instance in which a federal agency paid the ransom. Where government systems were confirmed to be infected with ransomware, the majority of infections affected end-user workstations, and in all cases the system was removed from the network and replaced with a clean one.

Despite the federal government’s efforts to thwart ransomware, the fight continues.

Earlier this month, the House of Representatives’ technology service desk reportedly warned representatives of increased ransomware attacks on the House network. A spokesperson for the House Chief Administrative Officer declined to confirm whether any of the attacks succeeded, and it’s not clear whether any ransom was paid.

What they did confirm was that the ransomware attacks on the House would have a similar impact to any other large organization and would disrupt government operations. A ransomware attack could lock down draft bills, memos, emails and sensitive information.

Technologies that Stop Ransomware

To protect federal agencies against ransomware, the National Cybersecurity and Communications Integration Center has been using the EINSTEIN 3 Accelerated (E3A) system, which is designed to detect and block cyberattacks from compromising federal agencies.

However, according to a Government Accountability Office (GAO) report, EINSTEIN has limits. It comes up short because it relies on known signatures, which leaves it blind to new strains of ransomware.

“It doesn’t do a very good job in identifying deviations from normal network traffic,” said Gregory Wilshusen, the GAO director of information security issues who co-authored the audit of the Department of Homeland Security’s National Cybersecurity Protection System, which includes EINSTEIN.

CIO magazine also warned, “… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can’t defend against.”

If a signature-based approach isn’t working, what technologies are being implemented to stop ransomware?

Security expert and founder of Bleeping Computer Lawrence Abrams recently wrote that “behavior detection is becoming the best way to detect and stop ransomware as signature detections have become easily bypassed.”

One form of behavior detection is User Behavior Analytics (UBA), which is quickly gaining ground as a ransomware defense.

UBA compares what users on a system normally do – their activities and file access patterns – against the abnormal activity of ransomware running under a user’s account or of an attacker who has stolen internal credentials.

First, the UBA engine observes normal user behavior by logging each individual user’s actions – file access, logins and network activity. Over time it derives a profile that describes what it means to be that user.

So when a thousand “file modify” actions from one account happen in a short period of time, far outside that user’s profile, your IT admin is notified.
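The detection logic just described, reduced to a runnable toy (an added example, not Varonis code or any vendor’s product): it builds a per-user profile of “modify” events per one-minute window from a training period, then flags live windows whose count is far above that user’s own profile. The audit-log format, the sample log lines, the user names and every threshold below are assumptions.

```python
"""Toy UBA-style detector for file-modify bursts (added example, not vendor code).

Builds each user's normal rate of "modify" events per one-minute window from a
training period, then flags windows whose count is far above that user's profile.
Log format, sample data, user names and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

WINDOW_SECONDS = 60   # assumption: one-minute buckets
Z_SCORE = 4.0         # assumption: std-devs above a user's mean that count as a burst
FLOOR = 20            # assumption: never alert on fewer modifies than this per window

TRAIN_START = datetime(2016, 5, 2, 9, 0, tzinfo=timezone.utc)    # constructed
DETECT_START = datetime(2016, 5, 2, 10, 0, tzinfo=timezone.utc)  # constructed


def parse(lines):
    """Parse constructed audit lines of the form '<ISO-8601 ts> <user> <action> <path>'."""
    events = []
    for line in lines:
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def bucket_counts(events, action="modify"):
    """Per user, count `action` events in each WINDOW_SECONDS-aligned bucket (epoch start)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, act, _path in events:
        if act != action:
            continue
        epoch = int(ts.timestamp())
        counts[user][epoch - epoch % WINDOW_SECONDS] += 1
    return counts


def build_profiles(training_events):
    """Profile = (mean, population std-dev) of a user's modifies per window in training."""
    return {user: (mean(list(b.values())), pstdev(list(b.values())))
            for user, b in bucket_counts(training_events).items()}


def threshold(profile):
    """Per-user alert line; the absolute FLOOR keeps tiny baselines from alerting on noise."""
    mu, sigma = profile
    return max(FLOOR, mu + Z_SCORE * sigma)


def detect(events, profiles):
    """Return sorted (user, bucket_start_epoch, count) for every window above threshold."""
    alerts = []
    for user, buckets in bucket_counts(events).items():
        limit = threshold(profiles.get(user, (0.0, 0.0)))  # unknown user: floor only
        alerts.extend((user, start, n) for start, n in buckets.items() if n > limit)
    return sorted(alerts)


def synth(user, start, per_minute, action="modify"):
    """Constructed sample log lines: per_minute[m] events of `action` in minute m."""
    lines = []
    for m, n in enumerate(per_minute):
        for i in range(n):
            ts = start + timedelta(minutes=m, milliseconds=200 * i)  # stays inside the minute
            lines.append(f"{ts.isoformat()} {user} {action} /srv/share/doc{m}_{i}.docx")
    return lines


def demo():
    """Train on a quiet hour, then detect on a minute where 'alice' rewrites 200 files."""
    training = parse(synth("alice", TRAIN_START, [2, 4, 3, 5, 3, 4, 2, 3, 4, 3])
                     + synth("bob", TRAIN_START, [1] * 10)
                     + synth("bob", TRAIN_START, [6] * 10, action="read"))  # reads are ignored
    profiles = build_profiles(training)
    live = parse(synth("alice", DETECT_START, [200])      # ransomware under alice's account
                 + synth("bob", DETECT_START, [1])        # bob stays normal
                 + synth("mallory", DETECT_START, [30]))  # no baseline: the floor applies
    return profiles, detect(live, profiles)


if __name__ == "__main__":
    profiles, alerts = demo()
    for user, start, n in alerts:
        at = datetime.fromtimestamp(start, timezone.utc).isoformat()
        limit = threshold(profiles.get(user, (0.0, 0.0)))
        print(f"ALERT {user}: {n} modifies in window starting {at} (limit {limit:.1f})")
```

The absolute floor matters in practice: a user whose baseline is one or two modifies a minute would otherwise trip the z-score test on a single busy save, and a real deployment would also tune the window and use more than one training hour.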

Used this way, UBA can catch a ransomware infection while it is still encrypting and cut it off before it disrupts government operations any further.


1 http://www.govtech.com/security/Ransomware-Poses-Tremendous-Threat-to-Police-Departments.html
