A hacker found their way into the server and launched a ransomware attack the night before. They left contact information and a message: If you want your server back, pay up. "Obviously we didn't call the number," said The Village City Manager Bruce Stone. "I assume what would happen then if you call the number is they'd tell you how to get bitcoins or something to make a payment."
Stone's hunch might have been right. A common theme among ransomware hackers is to lock down a system and only open it back up upon payment — often using the Bitcoin cryptocurrency because it's harder to identify who's behind transactions. The city was able to restore their files from a backup. Stone never considered paying the ransom.
Ransomware is a cyberattack that encrypts the target's data. Without a key to unlock the malicious program, there's not much someone can do if they don't have a secure backup. In the United States, cybersecurity researcher Emsisoft estimates that ransomware cost governments, businesses and even people with personal computers more than $1 billion in 2019. It's such a problem, the Oklahoma House of Representatives voted unanimously this month to outlaw it on a state level.
Another study by Check Point Research last year showed hospitals and health care organizations were the hardest hit by ransomware. Typical attacks demand several hundred thousand dollars and some have demanded $5 million or more, USA Today reported. Hospitals are often targeted because criminals know they are more likely to pay than other businesses. That's because hospitals can't shut down for long without impacting patient care.
Even small attacks can have devastating financial effects on individuals, according to the federal Cybersecurity & Infrastructure Security Agency. Some ransomware attacks are indirect, meaning they can land in the inbox of a random person's home computer.
But if using ransomware becomes a state crime, does Oklahoma have the resources to investigate and prosecute?
One of the biggest obstacles to obtaining justice for ransomware victims is location. The malicious code can be deployed from anywhere in the world, and tracking down perpetrators isn't easy. They often demand cryptocurrency like Bitcoin for ransom, which avoids using bank transfers.
The proposed law under consideration at the State Capitol also adds other malicious programs to the criminal statutes like viruses, spyware, Trojan horses and any other computer program that's meant to disrupt, destroy or gain unauthorized access to computers.
Matt Singleton, chief security officer for the state government, said cyber crime perpetrators fall on a spectrum. "You have folks that are just young high school kids that are seeing what they can do," Singleton said. "On the other end of the spectrum, you have what we call APTs, advanced persistent threats." That includes well-financed teams of hackers, often funded and shielded by adversarial foreign governments, which makes a criminal investigation even more difficult.
The U.S. federal government has the resources to track down hostile hackers. Even in Oklahoma, the Federal Bureau of Investigation often partners with local law enforcement when a case arises here. But Singleton and his small army of 67 full-time cybersecurity professionals stand watch, looking for anomalies while protecting the state's vast network.
The number of attacks faced by a state like Oklahoma is simply staggering. Since Jan. 1, Oklahoma Cyber Command said it has detected 3.8 trillion attacks on state-owned computers that it protects, usually averaging more than 61 million attacks each day. Virtually every one is automatically parried and dismissed by anti-virus software and firewalls.
However, 263 attacks this year required state employees to contact the professionals at Cyber Command. Over the past year, the unit has beefed up its intelligence capabilities. The team creates intelligence products and analyzes threats trying to find a foothold in state-owned computer systems.
Cyber Command Operations is a team of analysts who conduct investigations and make use of cyber threat intelligence. The Hunt and Incident Response Team is responsible for responding to cyber incidents and for proactive measures like threat hunting.
The division's Compliance and Privacy Assurance team is tasked with protecting State and customer data through the implementation of security controls and standards. An additional component of this team is Security Provisioning, which is responsible for ensuring the appropriate access is provided to State personnel.
And then last month, the agency overseeing Cyber Command launched the Information Sharing and Analysis Center (OK-ISAC), which provides real-time monitoring, vulnerability identification, incident response and threat intelligence to the broader community. "We can start pushing out that kind of cyber threat intelligence to our partners," Singleton said, noting that many local governments, businesses and other organizations don't have the resources to track what dangers lie beyond an Internet connection.
It's about protection, and if the perpetrator can be identified, prosecution. That's a big if, though.
Oklahoma's Computer Crimes Act needed an update, according to state Rep. Trish Ranson. The Stillwater Democrat filed House Bill 1759 this year to bring the law into the modern age with the hope that it could make investigation and prosecution more of a reality for local law enforcement. "That is the sticking point," she said. "But if we don't have anything in statute, we can't even begin to go there."
In a meeting with cybersecurity professionals before the legislative session this year, someone told Ranson that Oklahoma's laws against malicious hacking are "light years behind" where they need to be. In 2017, Texas lawmakers updated their own laws to define ransomware and make it either a misdemeanor or felony depending on the amount of money involved or type of data affected. Ranson's bill strictly makes it a felony.
Cyber Command partners with the Oklahoma State Bureau of Investigation, which has jurisdiction to investigate computer crimes inside the state. In Singleton's almost two years with Cyber Command, however, no attack he's been involved in tracking has made it to prosecution.
The best prevention against ransomware, or any computer attack, is preparation. Singleton calls it "cyber hygiene."
"Security, education and awareness training is huge. That's probably the single-most effective deterrent," he said. "If your users understand what an attack looks like, and not fall prey to that, you're miles ahead from an (information technology) standpoint." He recommends regularly backing up data to an off-site server that can't be accessed by someone who's tunneled their way inside. Users should also recognize phishing attempts, which can be in the form of emails that look legitimate but carry harmful code.
The state of Oklahoma ramped up its cyber hygiene this year when it launched TX1, a massive backup of the state's data at a facility in Texas. The site not only keeps a backup in case data is lost somewhere in a state agency, but it's far enough away to avoid the same kinds of natural disasters that Oklahoma's primary servers face.
The 2019 ransom wasn't the first for The Village. An earlier attack used phishing to gain access when an employee saw a legitimate-looking email and opened an attachment.
"It got back to our file server and four or five computers got infected," said Stone, the city manager. "We were pulling plugs frantically. It was scary, to be honest with you, pulling all the computers and turning them off and disconnecting the network to make sure that it didn't spread any further."
©2021 The Oklahoman, Distributed by Tribune Content Agency, LLC.