If government cybersecurity executives are not taking the threat of ransomware extremely seriously, they should be. Although this type of security threat is not new, it’s increasingly common, and it may be one of the most damaging methods of extorting money from unsuspecting or unprepared individuals in the digital age.
Ransomware is a type of malicious software that installs covertly on a target user’s computer, encrypts the user’s files and then demands a ransom payment from the individual or organization to restore those files. More-advanced malware can encrypt users’ files and mounted file systems on network shares, rendering them inaccessible, and likewise demand a ransom payment to decrypt the files.
What’s particularly interesting about ransomware is that it affects personal as well as business environments, and it serves in both opportunistic and targeted attack campaigns. It’s therefore truly a unique hybrid.
Threats to Agencies
Government agencies are particularly vulnerable to these types of attacks because they maintain and have access to large volumes of personal information about individuals. Personally identifiable information (PII) can be worth a lot of money in the criminal market, and the fact that agencies hold this data can be a strong motivator for ransomware attacks.
If an agency possesses such data about thousands of individuals, an attacker could assume there will be a high profit associated with that information. In addition, agencies commonly have sprawling IT infrastructures with dated technology, as well as a lack of security expertise.
According to a document from the U.S. Department of Homeland Security (DHS) from late 2015, the agency’s National Cybersecurity and Communications Integration Center had received reports of 321 ransomware-related incidents affecting 29 federal agency networks since June 2015.
Certainly, the problem of ransomware has garnered the attention of government entities. For example, the U.S. Federal Trade Commission (FTC) recently held a workshop dedicated to this topic. As the agency noted, “With alarming frequency, ransomware hackers are sneaking into consumer and business computers, encrypting files containing photos, documents and other important data, and then demanding a ransom in exchange for the key needed to decrypt the files.”
Sometimes these hackers pose as representatives of the FBI or other law-enforcement agencies, the FTC said. They claim the ransom is a fine for viewing illegal material and that failure to pay the fine will result in criminal prosecution. Individuals and organizations, including government agencies, are falling prey to these schemes, according to the FTC.
In March 2016, the U.S. and Canadian governments issued a joint alert about ransomware infections. The DHS and the Canadian Cyber Incident Response Center (CCIRC) noted that in early 2016, destructive ransomware variants such as Locky and Samas were infecting computers belonging to individuals and businesses, including health-care facilities worldwide.
As the agencies noted, “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
Combating Ransomware Attacks
Fortunately, federal agencies can take steps to address the growing ransomware challenge.
One of the easiest things they can do is make sure all sensitive data is protected. In general, data is far more important than the physical condition of the system that stores the data. To ease recovery from a ransomware attack, agency IT and security executives must know where the sensitive data resides and who can access it. They also need to know about any out-of-the-ordinary usage activity, such as excessive reads or changes associated with particular data.
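The "out-of-the-ordinary usage activity" called out above is detectable from ordinary file-access telemetry. The following is an added example, not code from the article or from DataGravity: a sliding-window detector that flags any user whose write/rename/delete events on a share reach a threshold within a short window, which is the access pattern a file-encrypting process produces. The log format and the user names are constructed for the example; the same function flags excessive reads when called with `ops={"READ"}`.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity records (not from the article): time, user, operation, path.
# bob modifies three finance files in four seconds; carol's writes are spread out.
SAMPLE_LOG = """\
2016-03-01T09:00:00 carol WRITE /share/legal/a.docx
2016-03-01T09:00:01 carol WRITE /share/legal/b.docx
2016-03-01T09:00:02 carol WRITE /share/legal/c.docx
2016-03-01T09:00:05 alice READ /share/hr/benefits.xlsx
2016-03-01T09:00:09 alice WRITE /share/hr/benefits.xlsx
2016-03-01T09:02:00 bob READ /share/finance/q1.docx
2016-03-01T09:02:00 bob WRITE /share/finance/q1.docx
2016-03-01T09:02:01 bob RENAME /share/finance/q1.docx
2016-03-01T09:02:02 bob WRITE /share/finance/q2.docx
2016-03-01T09:02:02 bob RENAME /share/finance/q2.docx
2016-03-01T09:02:04 bob WRITE /share/finance/q3.docx
2016-03-01T09:02:04 bob RENAME /share/finance/q3.docx
2016-03-01T09:05:00 carol WRITE /share/legal/d.docx
2016-03-01T09:05:01 carol WRITE /share/legal/e.docx
"""

MODIFY_OPS = {"WRITE", "RENAME", "DELETE"}

def parse_line(line):
    """Split one constructed log record into (timestamp, user, operation, path)."""
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path

def detect_mass_modification(lines, threshold=5, window=timedelta(seconds=60), ops=MODIFY_OPS):
    """Flag users whose events of the given classes reach `threshold` inside any `window`.
    Lines are assumed to be in time order. Returns {user: summary} describing the
    first window in which each user crossed the threshold."""
    recent = defaultdict(deque)   # user -> (timestamp, path) events still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, user, op, path = parse_line(line)
        if op not in ops:
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"first_seen": q[0][0].isoformat(), "events": len(q),
                            "distinct_files": len({p for _, p in q})}
    return alerts
```

Carol's five writes never trigger an alert because they span more than a minute; Bob's burst does, with the number of distinct files touched reported so that a responder can size the damage.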
Another important tactic is to conduct frequent data backups and frequent testing of those backups. Client desktop and laptop devices and data center servers can be recovered easily with properly tested backup and restore processes. Untested backups are likely to fail at the moment they are needed, when a restore attempts to return a system to its operational state after a shutdown.
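"Testing the backup" means actually restoring it and checking the result against a known-good record, not just confirming that the archive file exists. The following is an added example and not code from the article or from DataGravity: it records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and reports files that are missing or altered. The directory layout and file contents are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_manifest(root):
    """Relative path -> SHA-256 digest for every file under root (the known-good state)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def create_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest recorded at backup time."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return sha256_manifest(source_dir)

def verify_restore(archive_path, expected):
    """Restore into a scratch directory and compare with the manifest.
    Returns (ok, missing_paths, corrupted_paths)."""
    # Use the 'data' extraction filter on Python versions that provide it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, EOFError):
            return False, sorted(expected), []   # unreadable archive: nothing restored
        restored = sha256_manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return (not missing and not corrupted), missing, corrupted

def run_restore_test():
    """Constructed end-to-end run: a fresh backup passes, a stale one is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "benefits.xlsx").write_bytes(b"constructed sample content")
        (src / "notes.txt").write_text("constructed sample note")
        archive = Path(work, "backup.tgz")
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)
        # A file created after the backup ran is not in the archive; the test exposes the gap.
        (src / "hr" / "payroll.csv").write_text("constructed, added after backup")
        stale = verify_restore(archive, sha256_manifest(src))
        return {"good": good, "stale": stale}

if __name__ == "__main__":
    print(run_restore_test())
```

Run on a schedule against real backup sets, the `missing` and `corrupted` lists are what an agency wants to see empty before it relies on a backup during an incident.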
If a system backup can be restored to an operational state and the data stored on that system is unchanged or recoverable, the agency need not be concerned when a ransomware attack occurs. Having a solid response strategy in place is much more important than trying to block every variety of ransomware to prevent attacks from happening in the first place.
Agencies should deploy security tools that are designed to defend against ransomware attacks. These tools can quickly identify and assess a ransomware attack, determine what systems are affected and develop a plan of action to respond and recover.
As for whether an organization should pay a ransomware fee, there really is no easy answer. If at some point the impact of the attack on the agency and its clients, measured in monetary terms, reaches the amount of ransom demanded, it might make sense for the organization to simply pay the ransom and move on.
But it’s worth noting that paying the ransom may validate the attacker’s actions and encourage future ransomware attacks. In addition, agencies have no guarantee that the attacker will actually release the files, or provide the means to decrypt them, after receiving the ransom.
So, clearly, risk is associated both with paying and not paying ransomware demands.
Ransomware is potentially one of the most damaging security threats federal agencies are facing today. It gives attackers the ability to extort money from government employees and organizations that are generally unprepared for such incidents.
The more end users in the public sector can identify and understand ransomware attacks, the better agencies can prepare themselves to defend against them. The key to preventing or minimizing the impact of ransomware is “data awareness”: knowing where the most vital, sensitive data resides, how it’s protected and who has access to it. Data awareness can help agencies prevent access, identify threats and respond effectively.
By learning as much as possible about what’s in their data and how it’s being used, government agencies can defend against ransomware attacks and make recovery from these incidents a simple process.
About the Author
With more than 15 years of data-security experience in various roles inside and as an advisor to organizations, Andrew Hay serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data-security strategy.