As ransomware attacks continue to hit U.S. local governments, the FBI this week recommended that municipalities make contingency plans “for operational continuity” should an attack impact public services.
The FBI said that in 2021, local governments represented the second highest group to be victimized by ransomware actors, behind academia. These ransomware incidents have resulted in disruptions to health services and emergency operations, and they can “have significant repercussions for local communities,” said the FBI. Local governments are encouraged to think through contingency plans that look at how processes can continue to work through a ransomware attack - such as how administrative services can be continually conducted or emergency communications for dispatch centers can be re-routed in the case of a ransomware attack.
“In the next year, local US government agencies almost certainly will continue to experience ransomware attacks, particularly as malware deployment and targeting tactics evolve, further endangering public health and safety, and resulting in significant financial liabilities,” according to the FBI in the alert this week.
Ransomware attacks on local governments are not new. In 2019, for instance, 22 Texas entities, the majority of which were local governments, were hit in what officials and researchers said was a targeted, coordinated attack. Individual local governments - ranging from Pensacola, Fla., New Bedford, Mass., Baltimore, Md. and Atlanta, Ga., to name a few - have also been hit over the years in ransomware attacks.
Allan Liska, intelligence analyst at Recorded Future, said that researchers with Recorded Future noted 176 publicly reported ransomware attacks against state and local governments in 2021 - and many more incidents that have not been disclosed likely exist, he said.
“2022 has already seen 29 publicly reported ransomware attacks, so it continues to be a problem this year,” said Liska.
What makes these types of ransomware attacks particularly damaging is the potential impact they may have on the various services and utilities that are maintained and organized under the local government's umbrella. These range from critical utilities, such as online bill payment systems for energy or water utilities, to financial management systems and emergency dispatch services. A ransomware attack in January 2022 led an unnamed U.S. county to take its systems offline, close public offices and run emergency response operations. The attack disabled county jail surveillance cameras and data collection capabilities, and deactivated automated doors, triggering safety concerns and a facility lockdown, according to the FBI. Another attack that infected a U.S. county’s systems with the PayOrGrief ransomware disabled online services - including the scheduling for COVID-19 vaccination appointments.
Smaller counties and municipalities also often grapple with resource and budget limitations that make both defending against and remediating ransomware attacks more difficult. Understaffing and outdated systems often lead local governments to pay the ransom in an attack in order to get the data back. The FBI pointed to a recent survey that found that local governments were the least able to prevent encryption and recover from backups, and had the second highest rate of paying the ransom compared to other critical infrastructure sectors.
“It is not that ransomware groups are focusing on state and local governments, it is that local governments don’t have the resources to defend themselves against an overwhelming onslaught of attacks,” said Liska.
The alert comes after Mandiant researchers disclosed that APT41 had compromised at least six U.S. state government networks between May and February, as well as an FBI warning this week that state and local government officials in at least nine states received invoice-themed phishing emails, which in some cases were sent from compromised legitimate email addresses.
The FBI encouraged victims to report ransomware incidents as soon as possible, keep their operating systems and software up to date, implement a user training program and mandate multi-factor authentication.
“The FBI has an opportunity to disrupt some of this activity by leveraging partnerships with domestic and foreign governments, as well as the private sector, to more effectively identify actors, finances, and infrastructure,” said the FBI.