
Massive Ransomware Attack Infects 23 Government Agencies in Texas

On August 16th, government agencies in the state of Texas fell victim to a massive ransomware attack. The incident was isolated to 23 local government departments; the State of Texas networks and systems were not affected by the event. The agencies that were infected with the ransomware are continuing to work to restore their systems. However, the names of the agencies affected and the size of the ransom have not been disclosed.

Currently, the ransomware attack is being designated as a high priority incident, and the affected entities are now being assisted by multiple agencies on both state and federal levels.

The malware that infected the local government departments is ransomware, a type of malware that encrypts the files on a target system and makes them inaccessible to the user. In most cases, the only way to retrieve the data is with a decryption key, which is held by the cybercriminals behind the attack. The ransomware victim is then extorted to pay, usually in cryptocurrency, in order to receive a decryption key and regain access to their files. There are multiple variants of ransomware, each with its own capabilities. In the case of the Texas incident, it is not yet known which ransomware variant was involved or what vector was used to infiltrate and infect the local agencies.

Affected Agencies are Advised to Contact their Local Emergency Management Disaster District Coordinator


 
According to a statement by the Texas Department of Information Resources (DIR), cyber forensics suggest that the ransomware campaign was coordinated by a single individual. The identity of this lone hacker is not yet known. State agencies such as the Texas Military Department (TMD), the Texas Department of Public Safety (TxDPS), and the Division of Emergency Management (TDEM) are allocating resources to the most impacted areas. Federal organizations such as the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), the Federal Emergency Management Agency (FEMA), and other partners are also assisting in the cyber incident.

Cyber Crooks Demanded a Total of $2.5 Million in Ransom

As of the end of August 2019, it is still unknown who is behind the attacks against the Texas local governments, yet the available evidence still points to a single party responsible for the severe cybersecurity incident. One of the affected cities announced that the cyber crooks demanded a collective ransom of $2.5 million, while new data provided by DIR shows that the number of victims has been established at 22. In the meantime, most of the affected institutions seem to have returned to their normal activities: over 25% of the victims have already completed the response and assessment stage and moved on to remediation and recovery.

Although the names of all the Texas municipalities impacted by the ransomware attack are still undisclosed, two of them have made public statements on the topic. Officials from the City of Borger stated that their financial services and operations have been affected. As a result, the respective departments cannot accept utility and other payments, and their Vital Statistics services are down as well, so no birth or death certificates can be issued. The other city that admitted to having become a victim of the attack is Keene, stating that the attackers demanded $2.5 million in exchange for a decryptor tool. Keene Mayor Gary Heinrich said that the city’s administration also cannot process card payments.

The Attacks Have Most Probably Been Conducted Through Compromised MSPs

According to Mayor Heinrich, the threat actors have probably compromised a managed service provider (MSP) in order to get access to the networks of the attacked institutions. MSPs are commonly used by city administrations for technical support as they are a convenient way to manage the IT infrastructure of an institution that cannot handle that on its own. That is often the case with small local governments that usually lack qualified staff for complicated IT-related tasks. External companies providing MSP services use software that allows remote access to the networks of their clients so that their IT experts can fix problems, monitor activities and install updates. Mayor Heinrich claims that Keene’s local government has used the same external company for IT support as many of the other compromised municipalities, so that particular MSP seems to be a common factor among the recent Texas ransomware attacks.

Government targets are larger than ever

The targeting of government agencies by ransomware is part of a growing trend among cybercriminals. Instead of indiscriminately spreading ransomware, hackers are now targeting large organizations in both the public and private sectors. The rationale behind these attacks is that a larger organization is more likely than a household computer user to pay a big ransom to regain access to its data. Each large ransom that victims pay further empowers and emboldens the cybercriminals to conduct other malicious activity. Moreover, the money obtained in ransomware attacks, suspected to cost victims millions of dollars, keeps attacking vulnerable targets a priority among cybercriminals. Government entities are prime targets for ransomware perpetrators, considering that as many as 23 agencies in Texas alone reported attacks on August 16, 2019.

One of the most infamous examples of the new ransomware trend involves the WannaCry and NotPetya outbreaks in 2017, which affected thousands of businesses, governments, and critical infrastructure around the world. Another recent campaign involved a pervasive ransomware known as LockerGoga. LockerGoga affected over 100 businesses and healthcare organizations in the United States and has been associated with hacker groups out of Russia leveraging it and many other similar threats, such as Ryuk ransomware.

Ransomware attack prevention measures everyone can take

Coordinated ransomware attacks like the one that infected 23 government agencies in Texas are nothing new under the sun. However, the idea of a "single threat actor" is becoming more prevalent, partly because such attacks yield a higher-than-normal payout when they succeed. Ransomware perpetrators are relentless and are now able to act alone, as the resources needed to propagate ransomware are more readily available.

Below we have listed suggested practices that government agencies, companies, and even personal computer users should follow to prevent massive ransomware campaign attacks.

  • Never open suspicious or unexpected attachments or links in emails.

  • Be aware of single threat actors that attempt to impersonate legitimate entities or staff.

  • Promptly alert IT staff or supervisors if there is ever a question about the legitimacy of an email, link, or attachment file.

  • Before clicking on an email link, always hover over it to ensure it will direct your browser to a legitimate site.

  • Never provide personal information or organizational information unless there is no doubt about the identity or legitimacy of the source.

  • Consider taking cybersecurity awareness training courses or using cybersecurity resources made available to you by your employer.