Page 40 - GCN, Aug/Sept 2017

RANSOMWARE
“WE WERE GIVEN THE SAME MESSAGE BY ALL OF THEM.” — Kristine Trierweiler, Medfield, Mass.
threat, Trierweiler said the town called its virus protection firm to see if it could unencrypt or retrieve the town’s information. However, the backup system had been infected as well.
When Medfield officials realized there was no way to override the ransomware, they sought advice from other municipal and state agencies that had also been hit by ransomware.
“We were given the same message by all of them: ‘If you want your data back, you will pay the ransom,’” Trierweiler said. The town government paid about $300 in bitcoins within 48 hours, and the information was ultimately released.
Similar incidents have taken place in Greenland, N.H., which lost eight years’ worth of data to a CryptoLocker assault, and Ilion, N.Y., which made at least two ransom payments of $300 and $500 last year. The police department of the Village of Midlothian outside Chicago paid $500 in bitcoins to free its files from hackers.
In 2015, the Multi-State Information Sharing and Analysis Center (MS-ISAC) — a nonprofit organization that works with DHS to prevent, track and address cyberattacks — provided digital forensic assistance on 45 ransomware cases involving government computers.
Brian Calkin, vice president of operations at MS-ISAC, said agencies have been increasingly bombarded with ransomware since October 2014. “I don’t know that government agencies are being targeted as much as it’s opportunistic,” he added. “Unfortunately, a lot of government agencies are not exercising best practices...and not patching their systems.”
Local government agencies, rather than larger state agencies, are more vulnerable to such attacks because “general security hygiene is lacking,” Calkin said.
DAY-IN, DAY-OUT SECURITY
Other than greater awareness and education for employees, what can government agencies do to mitigate the risk and the impact of such attacks, especially when they’re working on a shoestring budget?
Industry experts say it all boils down to managing the security basics day in and day out, without fail.
“Users are always, always, always, always going to be the weakest link,” Weatherford said. Beyond educating employees, other top priorities include making regular backups of key files and keeping them off-line, he added. He also counsels agencies not to allow unmanaged or unsecured wireless access to systems.
In the months since its ransomware incident, the Town of Medfield has made changes to avoid falling prey to another attack. Use of USB drives has been restricted, all applications that give remote access to vendors have been stopped at the firewall, and vendors must request access with documentation. Patches and security updates are made daily, and all the town government’s applications have been moved to a cloud environment, with no shared folders on the network and no mapped drives, Trierweiler said.
Calkin recommended that agencies keep in touch with their state and local counterparts in the region directly or through groups such as MS-ISAC. They should also stay abreast of reports from security and technology service providers about potential threats. In many cases, Calkin said, if an agency gets wind of a ransomware attack as it is happening, the encryption of files can be stopped midstream and the attack can be thwarted.
For agencies that can afford to go the extra mile, Microsoft’s Office 365 offers “detonation chambers,” also known as dynamic execution environments, that allow organizations to open email attachments, execute untrusted or suspicious applications, and click on URLs in the safety of an isolated environment so they can determine whether the attachments or applications contain malicious code.
Simple policies such as proper management of software patches can help prevent exploit kit-based attacks, said Bryan Lee, a threat intelligence analyst at Palo Alto Networks’ Unit 42.
“Microsoft provides quite a few different group policy options for such things as globally disabling macro documents or even [preventing] unknown executables from launching,” Lee said. “Blocking executable attachments in emails or even web downloads can further reduce the attack surface for an enterprise and prevent attacks from even occurring.”
32 GCN AUGUST/SEPTEMBER 2016 • GCN.COM