County News

Ransomware attacks on the rise in 2017

FBI:  745 ransomware victims in first quarter of 2017, totaling $512,000 in losses; 2,673 reported in '16

Facing the loss of its data, officials in Montgomery County, Ala., authorized funds last week to pay a ransom to hackers to get its government back up and running. After the county’s computer system was hit Sept. 19 by a ransomware attack, one of its options was to pay the ransom within seven days before data was destroyed. The county ended up paying between $40,000 to $50,000 to obtain nine bitcoins to pay the ransom, County Commission Chair Elton Dean said in a news conference. Dean said the loss of files would have cost the county about $5 million.

Learn More

The FBI's tips on dealing with ransomware

The county, which counts about 230,000 residents, was unable to issue vehicle tags or registrations or handle business or marriage license requests while it was tied down. The county’s chief IT officer, Lou Ialacci, said all of the county’s departments were affected.

Montgomery County isn’t alone. There have been hundreds of ransomware victims this year and the FBI says the practice is on the rise. Ransomware “is a very big problem and it has not abated as yet,” said Ron Yearwood, section chief for the FBI’s Cyber Operations, headquartered in New York. When there’s a major ransomware attack, the FBI’s little known Cyber Action Team gets into the picture. “They’re considered the elite among intrusion investigators,” Yearwood said.

In the first quarter of 2017, the most recent figures available, there have been 745 victims of ransomware, losing more than $512,000 to cyber hackers, the FBI said, along with much more lost in work hours, etc. At that pace, the FBI could see more victims than last year, when 2,673 notified the crime-fighting agency about ransomware attacks. And those are only the attacks the FBI knows about. “Typically, we see under-reporting,” Yearwood said.

While most county IT officials probably are aware that ransomware attacks are normally delivered through spam emails or “spear phishing emails,” which target specific individuals, in newer instances of ransomware, some cyber criminals aren’t using emails at all, according to the FBI. They can bypass the need for an individual to click on a link by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers, the FBI warns.

How do you keep the bad guys out? Yearwood said that some of the best ways to prevent a ransomware attack include two-factor authentication, limiting remote access and segregating critical data behind multiple defenses.

A little-known defense that is outside of traditional thinking: “We talk about looking outward” to see if a hacker is getting into your system, Yearwood said. “If an adversary is able to get past your defenses without your knowledge, and the outwardly looking defenses don’t catch them or alert to them…the intrusion goes unnoticed, it doesn’t get caught in that capacity and they can be on the network for a very long and extended period of time. So, I would challenge any potential victims out there to not just protect the perimeter, but also look at the traffic going across their network, do some auditing on their system. An example of that would be passive GMS monitoring. It could help you identify suspicious outbound connections.”

If you’ve been hacked, don’t touch anything until you’ve contacted the FBI, Yearwood said. If you are contacting the FBI about a possible hack, pick up the phone and call them, don’t try to contact them via email on the computer system, he advised.

If you shut down or disconnect your system, it could make matters worse.

And be sure to establish a relationship with your local FBI office before you need them, Yearwood noted.

The FBI says it does not recommend paying a ransom in response to a ransomware attack. Paying a ransom not only doesn’t guarantee that you will get your data back — there have been instances where organizations never got a “decryption key” after having paid the ransom, the agency said. Paying a ransom could embolden the cyber criminals to target more organizations and offers an incentive for other criminals to get involved in this type of illegal activity, the FBI said. And by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.

But “each incident is different,” Yearwood said. “Each will have to determine the best path forward. We would refrain from being so presumptuous from making that decision.”

If your county has not experienced a ransomware attack, consider yourself lucky. Here’s a look at some recent attacks on county government systems:

Butler County, Kan. employees noticed an attack to their computer network after 911 operators and jail staffers saw errors pop up on their screens, County Administrator William Johnson said. “They absolutely shut down our network. We believe they struck on a Saturday because they knew there would be fewer people working.”

“We were pretty embarrassed by this originally,” he said. A data restoration company the county is using told them that these kinds of attacks are almost impossible to stop. “It’s just how difficult you can make it for them.” The attack crippled the county’s motor vehicle, driver’s license and register of deeds operations, as well as computerized warrants and inmate records, Johnson said.

In the future, Johnson said, the county will likely step up its employee training regarding suspicious-looking emails. “That is where we have failed,” he said. “It’s like a fire drill. It’s a sad day in our society when we have to do something like this.”

An attack on Schuyler County, N.Y.’s computer system prompted an investigation by the FBI and the county hired a private cyber security law firm, Mullen Coughlin LLC of Wayne, Pa. Unlike Butler County, Kan., no county department was ever shut down, but some features of the county’s 911 system were impacted, such as mapping.

In Becker County, Minn., thanks to the county’s purchase last year of a backup and continuity system, the county was able to save data and allow IT personnel to quickly retrieve it after a ransomware attack in August. The $89,000 backup system allowed the county to restore its network within about 24 hours and get its website, printers and network back up and running in a few days. As soon as the county discovered the attack, they shut down their connection to law enforcement and other agencies, White said.


FBI tips on dealing with ransomware

So, what does the FBI recommend you do to prevent a ransomware attack? As ransomware techniques and malware continue to evolve — and because it’s difficult to detect a ransomware compromise before it’s too late — counties should focus on:

  • Awareness training for employees.
  • Robust technical prevention controls.
  • Creation of a solid business continuity plan in the event of a ransomware attack.
  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts — no users should be assigned administrative access unless absolutely needed — and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over email.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular internet browsers, compression-decompression programs).
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

Contact the Editor

Bev Schlotterbeck
Executive Editor
(202) 942-4249
bschlott@naco.org