Dayton Daily News

Ransomware attacks on government grow

Cities, counties try to reckon with costs, enhancing security.

By Will Garbe, Staff Writer

When two ransomware attacks hit the city of Riverside in April and May, it wasn’t the first time the city’s public safety servers lost data because of a malicious virus, this newspaper found in a review of city records.

A check of newspapers across Ohio reveals similar unfortunate targets around the state: Licking County government, the Columbiana County courts and townships in Clinton and Morrow counties were once all ransomware victims. In Clark County, hackers encrypted the Mad River Twp. Fire and EMS servers with ransomware in December.

The damage extends across the nation: When a library system in South Carolina faced a ransomware attack, patrons couldn’t check out or return books. In Richmond, Indiana, the local housing agency fell victim to an $8,000 ransom. Hackers shut down 2,000 computers at Colorado’s transportation department, then attacked again when the agency tried to recover.

While the hackers’ ideal target — and the damage caused — varies, one certainty is that local governments are not exempt from the pain of ransomware, which is malicious software that threatens to block access to data or to publish it unless the infected organization pays a ransom.

The ransom demands are often relatively small compared to an organization’s overall budget, but the cost of avoiding payment can be steep, as the city of Atlanta found this year. An attacker demanded a $50,000 ransom to restore Atlanta’s systems, but the city ended up shelling out nearly $2.7 million on eight emergency contracts in an attempt to fix the problem.

Experts encouraged all computer users to follow one rule to avoid ransomware’s predilection for data destruction.

“Real simple,” said John Moore, a computer technician in Trotwood. “Back up your data.”

Prior attack uncovered

Hackers hit Riverside’s police computers with ransomware several years before the latest incidents, emails obtained by the newspaper show. The attack — previously unknown to the public before this story — occurred under a prior city manager and also saw the police department lose documents, according to an email from Councilman Steve Fullenkamp to other city leaders.

Sometimes, as was the case with at least one of Riverside’s recent attacks, the virus can be downloaded by clicking on an infected email. Organizations often don’t learn they have been infected until they can’t access their data or until computer messages appear demanding a ransom payment in exchange for a decryption key, according to the FBI’s website.

The first of the recent attacks against Riverside erased about 10 months of police records, the records show. The second attack wiped just several hours of data, because the city had backed up the data.

The U.S. Secret Service’s Southern District of Ohio Financial and Electronic Crimes Task Force is investigating the latest attacks.

“Task force agents have worked with the city and their IT contractor to mitigate vulnerabilities in the network and to assist in further securing their data,” said Kevin Dye, U.S. Secret Service Dayton office resident agent in charge. “At this time, based on significant analysis, it is not believed that any data or personal information has been exposed.”

Riverside city officials were advised not to talk publicly about the investigation, the records show, but the newspaper’s review of documents confirms the city is “working to correct our vulnerabilities.”

“Part of our immediate actions include updating the virus protection on our IT devices ... restricting permissions given to staff, applying filters to web content, changing/updating passwords, and adding (virtual private network) connections for police cruisers,” wrote Mark Carpenter, Riverside city manager, in a May 15 email to city council. “We are still pursuing an assessment of our equipment and the process we have in place.”

Health care targeted

Beyond government, health care presents another major bullseye for hackers.

The WannaCry ransomware attack last year — reportedly developed by North Korea, an allegation Pyongyang denies — caused chaos across thousands of computers in more than 100 nations, though hospitals in the United Kingdom were among the hardest hit.

A hacking group named Orangeworm presents some of the newest threats in health care. The group seeks to install malware called “Kwampirs” on MRI and X-ray hospital equipment, according to the cybersecurity company Symantec.

Orangeworm’s end game is still a mystery, said Pranav Patel, chief executive of Dayton start-up MediTechSafe. The hackers could be plotting a ransomware attack, a large-scale theft of patient or corporate data, or they could be orchestrating a health scare by potentially controlling the devices, for instance, altering MRI results, he said.

“They are learning all about the device operations and vulnerabilities so then when they really want to exploit them, they could,” Patel said. “The value of the data is quite high, and if they ever were to create a threat, you are talking about patient safety.”

Premier Health uses sophisticated software to monitor and stop hacking threats in real-time, said Gary Genter, Premier Health chief information officer.

“Our tools are looking for those different variants, making sure that if it does see anything in our system it quarantines it very quickly, but also if it sees it trying to get into our network blocks it at the firewall,” Genter said.

Experts: Back up often

Experts say promptly installing system software updates when sent by Apple or Microsoft can help ensure computers have the latest defenses against the newest threats. Moore, the local computer technician, stressed the need for computer backups.

“You’re not going to get your data back unless you pay them, and the reality check is, if you just back up your data it wouldn’t be a problem because you can re-wipe and re-install the whole thing,” Moore said.

Moore also advised paying close attention while opening or responding to emails.

“No one from Ireland sent you $2 million,” Moore said. “If you don’t know the person, don’t open the email. If it looks too good to be true, it probably is.”

Photo: Employees at Atlanta City Hall were handed instructions not to turn on computers on March 23 after a cyberattack the previous day. (John Spink / Atlanta Journal-Constitution)
