More than 50 cities and towns of all sizes have suffered ransomware attacks in the past two years, according to the FBI and Department of Homeland Security. Some that have been hit include Atlanta; Baltimore; Cleveland; Albany, N.Y.; Greenville, N.C.; Imperial County, Calif.; Augusta, Maine; Lynn, Mass.; Cartersville, Ga.; and many more. The Atlanta attack alone cost that city an estimated $17 million. The village of Palm Springs in Florida was attacked in 2018 and ended up paying an undisclosed amount in ransom, but still lost two years of data.
Most officials at cash-strapped city halls do not realize that these costly ransomware attacks are usually initiated through a phishing breach. Phishing is a social engineering technique that tricks employees into taking actions they do not mean to take, because people are generally trusting unless some specific cue triggers their suspicions.
Hackers can spread social engineering through various types of digital communications, but the most common way ransomware infects a network is through phishing. In nearly every case, the final phishing payload is delivered via the Web. This could involve baiting someone to click on a bad email attachment, a phony browser extension or a fake banner ad. Once the bad guys have secured access to network credentials and logins, they can easily block access from the inside.
In one recent case from June, the city council of Riviera Beach, Fla., authorized the city’s insurer to pay $592,000 in bitcoin cryptocurrency to regain access to critical city data that had been walled off. That attack knocked out mission-critical computers at City Hall, along with systems to control the city’s finances and water utility pumping stations.
The cascading failure was traced back to a malicious link in a phishing email that a city employee mistakenly clicked on, paralyzing the whole computer system and sending all operations offline. Everyone from the city council on down was stranded without email or phone service. Paychecks that were supposed to be direct-deposited to employees instead had to be hand-printed by finance department staffers working overtime. Police even searched their closets to find paper tickets to give out traffic citations.
Also in May, the city of Baltimore became the victim of a ransomware attack that brought the local government to a standstill. Employees could not access the network for more than a month and local utility invoices stopped going out, curbing the city’s income. The hackers demanded a payout of $76,000, which city officials refused to pay. Unfortunately, the shutdown is now estimated to have cost Baltimore $18 million for remediation, new hardware, and lost or deferred revenue.
The real perils of ransomware continue to stem from phishing attacks, which rose 250 percent in 2018 and have continued to grow this year, according to Microsoft. Ransomware attacks have shown a corresponding growth in regularity and severity, according to data from Coveware. The average ransomware attack now lasts 7.3 days, while the average ransom request in the first quarter of 2019 increased 89 percent to $12,752. Meanwhile, the cost of downtime from a ransomware attack averages $64,645.
Here are some evasive phishing tactics that municipal IT and security teams should be aware of because most cybersecurity solutions would miss them:
- HTML Character Encoding – Allows an email’s HTML code to display properly in Web browsers but hides certain trigger words that most email security systems flag.
- Content Encryption – The content of the email is encrypted along with the attachments, preventing them from being seen by security solutions.
- Inspection Blocking – Uses block list to prevent connections from specific IP addresses and hosts that are associated with certain security providers.
- Phishing URLs in Attachments – By hiding the phishing URLs in attachments instead of the email itself, detection becomes more difficult. Weaponized documents have also become the phishing scheme of choice for nation states that target rival embassies, governmental offices, and agencies.
- Content Injection – Phishing threat actors include links to legitimate but vulnerable webpages or apps which redirect users to phishing sites.
