Coordinated Ransomware Attack Used for the First Time in 22 Local Governments in Texas
Ransomware attacks on local governments are becoming all too common these days. Past ransomware attacks, while targeted, were conducted separately. The latest ransomware attack on 22 local governments across Texas marks a shift in the way ransomware attacks are launched: in a coordinated manner.
The Texas Department of Information Resources, in a press statement, said that on the morning of August 16, 2019, a total of 22 local governments in the State of Texas reported a ransomware attack. While not naming the affected local governments, the Texas Department of Information Resources said the majority of the victims are smaller local governments.
Ransomware is a type of malicious software (malware) that attackers use to infect computers. In a ransomware attack, files on the affected computers are encrypted, rendering them inaccessible to legitimate users. Through the infected computers' screens, victims are informed about the file encryption. Victims are also informed that the only way to regain access to the files is to pay a ransom. Attackers typically demand payment in cryptocurrency such as Bitcoin.
The City of Keene, a city with a population of just over 6,100, confirmed that it’s one of the 22 local governments affected by the ransomware attack. Keene Mayor Gary Heinrich told NPR that the threat actor wants a collective ransom of $2.5 million.
Heinrich said the threat actor compromised the information technology software used by the city. He said this information technology software was managed by an outsourced company. This information technology software, he said, was also used by the other affected local governments. “Well, just about everything we do at City Hall is impacted,” Heinrich said.
The attack on the 22 local governments in the State of Texas is the first recorded coordinated ransomware attack in which the attack was done on the same day and with a collective ransom demand. According to the Texas Department of Information Resources, evidence shows that a single threat actor is behind the ransomware attack on these 22 local governments.
Past Ransomware Attacks
In recent months, other local governments in the State of Texas experienced separate ransomware attacks. Past attacks, however, weren’t launched in a coordinated manner. In May this year, another local government in Texas, the City of Laredo, experienced a ransomware attack that affected the City’s email and computer systems. Those IT systems are now fully operational.
In April this year, the Sheriff’s Office of Potter County, a county in Texas, experienced a ransomware attack. Brian Thomas, Potter County Sheriff, told the New York Times that as a result of the attack, records, warrants, reports and other materials over the past 18 months were rendered inaccessible. “We had to go back in and re-enter all of that stuff,” Thomas said. “We just finished that up about a week and a half ago.”
According to the United States Conference of Mayors, at least 170 county, city or state government systems have experienced a ransomware attack since 2013. Ransomware attacks on local governments, however, aren’t unique to the U.S. Three local governments in Ontario, Canada – Town of Wasaga Beach, Town of Midland and City of Stratford – disclosed that they had experienced a ransomware attack.
Out of the 170 county, city or state government systems that have experienced a ransomware attack since 2013, it isn’t known how many paid ransom and how many didn’t pay. In the case of the ransomware attack in the City of Laredo, Rafael Benavides, a spokesman for the City, told the New York Times that the City didn’t pay any ransom to get the systems running again.
The City of Riviera Beach, Florida, meanwhile, paid ransomware attackers nearly USD $600,000. The Town of Wasaga Beach in Canada, for its part, paid the attackers nearly $35,000 Canadian, while the Town of Midland paid an unspecified amount. In the case of the City of Stratford, it isn’t known whether or not the City paid the attackers ransom.
While it may appear that ransomware attackers are after local governments, these attackers are also going after private organizations and businesses. To date, the biggest ransomware payment, worth nearly one million dollars, was paid to the attackers by a South Korean web hosting provider.
Ransomware attackers aren’t only going after local governments and large enterprises. Malicious actors are also going after small and medium-sized organizations and even individuals. Local governments and large enterprises can’t hide ransomware attacks as the effects, such as the breakdown of the IT system, can’t be hidden from the public.
Individuals who are victims of ransomware attacks often don’t report these attacks. In other parts of the world, small and medium-sized organizations often hide ransomware attacks. In Canada, since November 1, 2018, the country’s Digital Privacy Act mandates that cyber attacks, such as ransomware attacks, affecting an individual or individuals should be reported to the authorities.
Malicious actors are constantly finding new ways to infect computers with malicious software such as ransomware. While past ransomware attacks had been conducted separately, a threat actor has now found a way to carry out this attack in a coordinated and simultaneous way.
In the case of the recent ransomware attack on 22 local governments in Texas, the attack path was information technology software used by the affected local governments. Whatever path the ransomware attackers use, it’s important to be proactive against attacks like these by keeping backups of your organization’s critical data and keeping copies of these backups offline or, better yet, in the cloud.