How to respond to growing ransomware attacks on government and police

Author: Phil Muncaster

In late April, the Washington, D.C., Metropolitan Police Department confirmed that its IT systems had been breached after a ransomware group posted stolen information online. It was the latest in a long line of attacks on municipalities and public safety agencies—including police department ransomware attacks—that could exact a serious toll on vital public-sector work.

Ransomware attacks on government are nothing new. But their growing volume and sophistication require an urgent response.

What happened in the D.C. police ransomware attack?

The Babuk ransomware group claimed responsibility for the attack. It claimed to have stolen 250 gigabytes of police department data, including sensitive information on informants and police officers. The group threatened to release the former to local gangs and reportedly published information on four officers to the dark web.

While ransomware attacks are generally known to be cases where organizations are locked out of their data until they pay a ransom, some ransomware attacks feature another style of extortion. During ransomware attacks on government, for example, cyber criminals often steal information and threaten to leak it in an effort to extort money from their victims. Extortion tactics are deployed as a threat in 77% of ransomware attacks. However, attackers rarely steal information that could endanger lives.

Regardless of the sensitivity of the stolen information, ransomware groups, which have also launched ransomware attacks on hospitals and schools during the COVID-19 pandemic, prize profit above everything else.

Why public safety agencies are vulnerable

The Babuk group claimed that the D.C. police ransomware attack was its last. But many more groups will take Babuk's place, and ransomware attacks on government will continue along with ransomware attacks on hospitals.

Why?

It's easy money, for one. The ransomware-as-a-service model lets even tech novices monetize attacks. According to Verizon's 2020 Data Breach Investigations Report, 27% of malware incidents were ransomware-related. Public safety agencies, including police departments, are thought to be easy targets because they have so much to lose to attacks that target sensitive data or lock down critical IT systems. So far in 2021, 26 government agencies in the U.S. have been hit by ransomware attacks. As seen in the 2021 Data Breach Investigations Report, 70% of system intrusion attacks are of the ransomware variety through web applications seeking payment card data.

A lack of funding compounds the problem. According to Deloitte, most states only spend between 1% and 2% of IT budgets on cyber security, and many local governments have at most one security expert on their roster. Part-time cyber security efforts, the company warns, are no match for professional cyber criminals.

And the attack surface is growing. Public safety agencies have the twin concerns of running often unpatched legacy systems and protecting an increasingly distributed digital workforce. Phishing emails, unpatched vulnerabilities and remote desktop protocol endpoints with weak or compromised credentials are among the most common ransomware threat vectors.

Combating ransomware attacks on government and ransomware attacks on hospitals

The D.C. police ransomware attack raised eyebrows about the cyber risks that public safety institutions face. In theory, ransomware attacks on government and ransomware attacks on hospitals could be mitigated by taking out cyber insurance to cover losses. But this merely perpetuates the threat, and it does not guarantee that thieves will return access to stolen data.

It is better to take a proactive stance to preempt and prevent ransomware attacks. Here are some ideas:

  • Educate and train staff to strengthen the first line of defense against phishing attacks. This is critical, as remote workers might be more distracted and more susceptible to risk.
  • Segment networks to contain the spread of attacks and limit attackers' ability to move laterally across compromised networks.
  • Use multi-factor authentication on all accounts, including remote desktop protocol servers, to make it harder for attackers to phish, guess or crack credentials and hijack key systems for network access.
  • Regularly back up information according to the three-two-one rule. This will help you restore encrypted systems in a worst-case scenario.
  • Bake cyber hygiene into security processes and policies. This means promptly patching key systems to shrink the attack surface.
  • Draw up incident response plans with the input of key stakeholders, and practice them regularly to minimize the fallout should a cyber attack occur.
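
The three-two-one rule named in the backup item above is commonly read as three copies of the data, on two different media types, with at least one copy offsite. The Python check below is an added example, not part of the original article; the dataset names, locations and inventory rows are constructed, and a "copy" is assumed to mean a distinct storage location, with the production copy counted as the first.

```python
from collections import defaultdict

# Constructed sample inventory: (dataset, location, media type, offsite?).
# All names are hypothetical; the production copy counts as copy number one.
INVENTORY = [
    ("records-db", "prod-san",     "disk",   False),
    ("records-db", "backup-nas",   "disk",   False),
    ("records-db", "tape-vault",   "tape",   True),
    ("dispatch",   "prod-san",     "disk",   False),
    ("dispatch",   "backup-nas",   "disk",   False),
    ("evidence",   "prod-san",     "disk",   False),
    ("evidence",   "backup-nas",   "disk",   False),
    ("evidence",   "cloud-bucket", "object", True),
    ("evidence",   "cloud-bucket", "object", True),   # duplicate inventory row
    ("body-cam",   "prod-san",     "disk",   False),
    ("body-cam",   "backup-nas",   "disk",   False),
    ("body-cam",   "backup-nas-2", "disk",   False),
]

def check_321(inventory):
    """Return {dataset: [violations]}; an empty list means the rule is met."""
    copies = defaultdict(set)
    for dataset, location, media, offsite in inventory:
        # A set drops duplicate rows so one location is never counted twice.
        copies[dataset].add((location, media, offsite))

    report = {}
    for dataset, rows in sorted(copies.items()):
        problems = []
        if len(rows) < 3:
            problems.append(f"only {len(rows)} copies, need 3")
        media_types = {media for _, media, _ in rows}
        if len(media_types) < 2:
            problems.append(f"only {len(media_types)} media type, need 2")
        if not any(offsite for _, _, offsite in rows):
            problems.append("no offsite copy")
        report[dataset] = problems
    return report

if __name__ == "__main__":
    for dataset, problems in check_321(INVENTORY).items():
        print(f"{dataset}: {'OK' if not problems else '; '.join(problems)}")
```

Three copies on the same media type in the same building, as in the constructed `body-cam` rows, satisfy the copy count but still fail the rule, which is the case an encrypting intruder with network access to every copy exploits.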

Police department ransomware attacks might not be a unique threat, but the risks and challenges they pose are serious and must be managed appropriately.
