Ransomware Increasingly Hits State and Local Governments

Yet These Victims Are Less Likely to Pay Any Ransom, Recorded Future Finds
For the second time in 14 months, Baltimore sustained a ransomware attack last week that crypto-locked files and damaged the city's IT infrastructure. But "Charm City" is no outlier when it comes to such incidents.

Over the past four years, the volume of recorded ransomware attacks targeting state and local governments in the U.S. has increased, hitting 53 separate incidents in 2018, according to a new report published by threat-intelligence firm Recorded Future. So far this year, there have been 21 reported attacks, a count that does not include the Baltimore incident from last week and several other events since the start of May (see: Baltimore Recovering From Second Ransomware Attack).

While the number of ransomware attacks is rising, researchers at Recorded Future found that of a total of 169 recorded ransomware attacks against state and local governments, only about 17 percent of these victims paid a ransom to their attacker. They say this hesitancy is due in no small part to local policies and regulations that discourage paying such ransoms.

But this left researchers asking: What are the motives behind ransomware attacks, if not financial?

The answer appears to be that such attacks are a valuable way for attackers to advertise their particular strain of ransomware.

"Most of these attacks don't garner much attention and most don't pay the ransom, but the attacks that do get attention, such as Atlanta [in 2018], and Baltimore last week, get weeks and months of attention. And when cities do pay the ransom that also gets outsized attention," Allan Liska, a threat intelligence analyst at Recorded Future and author of the report, tells Information Security Media Group.

"So, I think there is a perception in the underground community that these are easy and potentially profitable 'targets,'" Liska says.

Counting Ransomware Attacks

Any attempt to gauge the volume of ransomware attacks against local and state governments in America is a daunting task.

For starters, no central repository of attacks exists at a local level, and there's no uniform set of nationwide rules about how and when to report such attacks to the public. In other words, while regulations such as HIPAA require U.S. healthcare companies that sustain a data breach to alert the government - and potentially also victims - no such reporting requirements exist for non-healthcare entities that suffer a ransomware attack.

Instead, the Recorded Future analysis relied on local media reports dating from 2013 to the end of April of this year.

All told, Recorded Future counted 169 different ransomware attacks against local and state governments over the course of five years. However, it's possible that other incidents were missed or not reported. The analysis also does not count recent attacks in Baltimore, as well as against Lynn, Massachusetts, and Cartersville, Georgia, which all took place in May.

State and local government ransomware attacks between 2016 and 2019. (Source: Recorded Future)

The first known ransomware attack against a local government agency involved the Swansea Police Department in Massachusetts, which was infected with CryptoLocker in 2013. But a real pattern of such attacks didn't begin until 2016, when 46 ransomware incidents against government entities were reported over those 12 months.

In 2017, the number dipped slightly to 38 recorded incidents, reflecting overall ransomware attack trends for the year, according to Recorded Future's analysis. Then, 2018 saw an increase to 53, while this year already has 21 recorded attacks through April 30. At that pace, by the end of this year, there would be more than 60 such attacks.

Crime of Opportunity

Recorded Future says that while the number of such attacks has risen over the past 18 months, it's not due to the specific targeting of local and state governments, but rather remains a crime of opportunity. Once cybercriminals know they have accessed a government network - whether they were actively looking for one or not - they appear eager to encrypt files and ask for ransom, regardless of whether or not it was their original target.

Recorded Future sees two reasons why these ransomware attacks remain opportunistic. "The first is that attackers have preferred methods of gaining access to vulnerable networks, for example, either a favorite exploit or brute forcing certain exposed servers, they will scan vast swaths of IP space and automate the process of gaining access to those networks," Liska says. "Once they are in, they will look around and determine if it is a target worth attacking."

The second reason concerns the buying and selling of data on darknet sites. "There is also an extensive market selling access to compromised networks," Liska says. "For $10 to $15, an attacker may purchase access to an already compromised system in what is perceived to be a high-value network."

And no one is immune. The Recorded Future analysis found that 48 of the 50 U.S. states, as well as the District of Columbia, experienced at least one ransomware attack from 2013 to 2018.

Bill Siegel, the CEO of Coveware, an incident response firm that tracks ransomware and other cyberattacks, says creating a central repository of these incidents is overdue.

"The research showing that 48 out of 50 states have had a municipal organization impacted by ransomware is not surprising," Siegel tells ISMG. "As our country comes to grips with the importance of cybersecurity, centralized reporting of these incidents is critical, given their prevalence. Without reporting, how will we know if our country is under systemic attack at the state or local level verses just at the federal level?"

Liska suggests that the ideal agency to gather and disseminate this information would be the FBI, since the agency is already called in to investigate and advise on these types of cyberattacks.

Ransomware Evolves

Attackers' choice of ransomware continues to evolve as some variants fall out of favor and others take their place, although attackers' choices can be difficult to track. Recorded Future found that the type of ransomware used in any given attack was only publicly reported in 40 of the 169 recorded government incidents it counted.

Broadly, however, whatever types of ransomware are pummeling private businesses appear to get quickly turned on local governments and agencies, which can include local municipal governments, schools and colleges and even local law enforcement, according to Recorded Future.

For instance, while CryptoLocker and CryptoWall attacks dominated in 2013 and 2014, WannaCry and SamSam were much more prevalent overall in 2016 and 2017 (see: Two Iranians Charged in SamSam Ransomware Attacks).

A breakdown of the known types of ransomware used in attacks. (Source: Recorded Future)

In the past six months, GandCrab and Ryuk have become the more dominant variants, although Baltimore and at least one other government organization were hit by a strain of crypto-locking malware called RobbinHood (see: Georgia County Pays $400,000 to Ransomware Attackers).

Whatever the variant, Liska believes that his research is only showing the beginning of a trend that's likely to intensify over the next several years.

"Towns and cities absolutely need to up their security game," he says. "At least for now, ransomware attacks on these targets are trending upward and appear poised to do so for at least the next couple of years."

About the Author

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and
