Florida has been hit by ransomware, other cyberattacks
Documents purportedly taken recently from the Florida Chamber of Commerce and the city of Key West are posted online but buried so deep on the Dark Web that a simple Google search won’t yield results.
The documents are virtual contraband — uploaded by a ransomware group claiming the material was stolen in a cyberattack.
Experts say thousands of unsuccessful attacks are launched every day. The public usually hears only about the prominent and successful ones.
These types of incidents are part of a worsening ransomware problem around the world that targets vulnerable organizations in both the private and public sectors. The FBI and two federal agencies warned Wednesday that cybercriminals are unleashing a major ransomware assault against the U.S. healthcare system.
In 2019, cybersecurity experts saw municipalities across the country — often with unsophisticated computer systems, tight budgets and small IT departments — fall prey to a surge of similar attacks. It has continued in 2020.
About a month after Key West experienced a computer system failure in early September, documents from the city landed on a Dark Web leak site from Conti, a ransomware group that popped up this summer. In late August, the same group had posted documents claiming to be stolen from the Florida Chamber of Commerce.
The Chamber was mentioned on a list, by an online cyber group known as DarkTracer, of 700 organizations that experienced ransomware attacks with data published on the Dark Web. Other Florida victims on the list include an assisted living facility in St. Petersburg and the city of Pensacola, which suffered an attack in late 2019.
Cybersecurity experts estimate that data is stolen in about one in four attacks. The information often ends up posted online, and experts say that these incidents are a global security risk. Just days before a presidential election that’s already on high alert for cyber interference, these types of attacks raise concerns about the integrity of cybersecurity systems around the state.
While the documents claiming to be stolen in these cases include publicly available and seemingly harmless information — based on the Miami Herald’s review — their existence still poses two key questions: how can attackers get in, and what else can they access?
And those are just the attacks with published data. Cybersecurity experts say that thousands of unsuccessful attacks are launched every day. The ones that make it to the public are usually the prominent and successful cases. Along with that, the laws requiring Florida businesses and local governments to report cyberattacks are narrow, meaning agencies across the state could have dealt with similar attacks that the public doesn’t know about. Here’s an overview of the ones we do know about:
The Florida Chamber of Commerce, a significant political institution, said it experiences hundreds of thousands of attacks each year.
In February, the Palm Beach County Supervisor of Elections announced that the office had experienced a previously unreported ransomware attack weeks before the presidential election in 2016.
Key West in September suffered a computer system failure, and a ransomware group later posted documents it claimed it had obtained from the city.
Last summer, Key Biscayne, Riviera Beach and Lake City paid more than $1 million in total ransom to hackers in a string of attacks. A number of attacks on other local government agencies around the state have since occurred.
Earlier this month, Universal Health Services, which has two hospital locations around Florida, experienced a ransomware attack that took its entire computer system offline.
The AP reported that experts said at least five U.S. hospitals have been impacted this week in the wave of new attacks that the FBI announced, and hundreds more could be hit.
FLORIDA CHAMBER AND KEY WEST: HARMLESS AND UNREPORTED
In September, Key West suffered a computer system failure, which city officials said they believed to be a virus and which put the city back to using pen and paper for everyday tasks.
City spokesperson Alyson Crean said she didn’t have any information about the attack, other than that officials were still working to recover the computer system, but about 75% of their systems were back up and running about a month after the attack. City Manager Greg Veliz did not respond to multiple emails and phone calls.
At the end of September, Conti posted documents claiming to be stolen from the city. In most ransomware cases, data from an attack is published on the Dark Web, a portion of the Internet that is inaccessible through common browsers like Internet Explorer or Google Chrome, and is often used with anonymity for illegal activity.
Ransomware groups like the one that posted the Key West documents usually attack a system, ask for a ransom from the victim and threaten to publish stolen data if not paid. At the end of August, Conti posted documents claiming to be stolen from the Florida Chamber of Commerce.
Blake Dowling, CEO of Aegis Business Technologies, the Florida Chamber’s cybersecurity firm, said the organization was not asked for a ransom, nor was one paid. He added that the documents posted online were publicly available and could have been pulled from anywhere, although he did not answer questions about where these specific documents originated.
The publicly available host site has since been taken down, but the documents still exist on the Dark Web. The Herald reviewed some of the documents before the public domain was deactivated. Most were seemingly harmless, containing outdated and general information. The most recent document was dated 2001 and no personally identifying information was published.
Dowling said that the Chamber was not the victim of a ransomware attack because it was not asked for a ransom. He said the Chamber did experience an attack this summer, but it was an unsuccessful attempt.
“The Chamber follows industry best practices in regards to cybersecurity, which allowed this summer’s attempted attack of their system, along with the hundreds of thousands of cyberattacks they receive each year, to be a non-issue,” Dowling wrote. “I’ve been in this business a long time and the items claimed to be stolen could have been found anywhere, on line, dumpster diving, etc.”
Brett Callow, Emsisoft threat analyst, said that the proposition that cyber criminals took the documents from somewhere else online and posed them as the product of a successful attack was not out of the question, but unlikely. He said he was not aware of any other situations in which a group like Conti lied about the origin of stolen documents.
“Anything is possible. They’re criminals and criminals lie,” Callow wrote in an email. “But what would be the point? It’d simply hurt their reputation.”
FLYING UNDER THE RADAR
Dowling did not answer specific questions about who was notified about the attack on the Florida Chamber or if it was reported to any outside agencies, but the leak has gone publicly unreported by the organization for months. Although there’s no evidence that any attacks on the Chamber have been politically motivated, the situation still begs the question: How does a potential cyberattack on a significant political institution fly under the radar?
There are no federal disclosure requirements for businesses, government entities or political institutions when they experience a data breach or cyberattack. Florida law requires businesses and local governments to report a data breach to the Florida Department of Legal Affairs if the attack affects 500 or more individuals in the state. The law, known as the Florida Data Breach Act, also requires the entity to report the breach to the individuals whose information was affected by an attack of any size.
But, in cases where a breach only affects general information, like documents or emails, there is no obligation for the organization to officially report the attack. The details of many reported attacks are also exempt from public record, meaning that it’s possible there have been more similar attacks in Florida — and across the country — that the public doesn’t know about.
Florida Attorney General Press Secretary Kylie Mason said that although there is no law requiring smaller or general attacks to be reported, many entities choose to report those types of attacks out of caution.
“Generally speaking it has been our experience that, in an abundance of caution agencies [and businesses for that matter] notify this office whether they believe the breach meets the statute’s threshold or not as they want to be sure they are in compliance with the requirements of the law,” Mason wrote in an email.
Mason said that in 2019 her office received 273 notices of data breaches. She did not clarify if those all reached the 500 individual threshold.
Still, cases like the Chamber of Commerce lead cybersecurity experts to suspect that some smaller attacks may be flying under the radar.
Callow said that an attack only becomes public in two ways: if the victim reports it or if the attacker publishes the stolen data. He said this means there are likely more attacks happening than people are aware of. He pointed to the 2016 ransomware attack on the Palm Beach County Supervisor of Elections Office that went unreported for nearly four years.
In February, Palm Beach County Supervisor Wendy Sartory Link announced that the office suffered a previously unreported ransomware attack, just weeks before the 2016 presidential election. Link, who was not the Supervisor at the time, said the attack had gone unreported at the time. After her announcement, the Department of Homeland Security began investigating the attack.
During the 2016 election, two Florida counties’ election systems were also hacked by the Russians. The identities of the two counties remained under wraps when Gov. Ron DeSantis was briefed by FBI agents last year and sworn to secrecy. Earlier this year, reporters identified Washington County as one of the two counties hacked, and last month journalist Bob Woodward’s new book reported that the other was St. Lucie County.
Link said she contacted the FBI in fall 2019 after a veteran IT employee told her about the 2016 incident. Similar to the attack on the Chamber, the compromised files in Palm Beach County were mostly general information, like Microsoft Word and Excel files. Because the attack in Palm Beach County did not affect the personal information of 500 or more people, under the Florida Data Breach Act the office had no obligation to disclose the incident.
The bill behind the Florida Data Breach Act was introduced in the Florida Senate in 2014 following a string of attacks on major corporations in 2013, including Yahoo and Target. The bill was sponsored by Florida State University President John Thrasher, who was then a Republican Senator.
LOCAL GOVERNMENTS ARE VULNERABLE
An FDLE spokesperson explained that state agencies have a separate set of reporting laws. State agencies that suffer a cybersecurity incident of any type must report the information to the Department of Management Services Division of State Technology and to FDLE. Similar to the Data Breach Act, the details of those reports are exempt from public records.
That leaves local and county governmental agencies with no set of clear guidelines for reporting cyber incidents other than the Data Breach Act. But, when Thrasher sponsored the bill in 2014 with businesses in mind, he couldn’t have known that local governments would become among the hardest hit in ransomware attacks.
Last summer, Key Biscayne, Riviera Beach and Lake City made headlines around the country when the three paid more than $1 million in total ransom to hackers in a string of attacks.
Brian Hawkins was the information technology director in Lake City at the time of last year’s ransomware attack that resulted in the city paying 42 bitcoin, about $460,000, to the attacker. He was fired following the attack, and has since filed a lawsuit against the city.
“This stuff happens every day,” Hawkins said. “Looking back, obviously after the attack, we could see some red flags. But, at the time some of those things were so subtle.”
Hawkins said there was no protocol in Lake City to deal with the ransomware attack. He said the city was transparent during the attack and acted quickly to contact local law enforcement, which then involved FDLE and the FBI to investigate the incident. He said he does not know if the attack was reported to the Attorney General’s office.
Hawkins, who now works at WatchPoint Data, a data security firm developing anti-ransomware software, said these smaller attacks could potentially signal weak systems, and it’s crucial to report incidents when they occur.
“When it comes to a cybersecurity standpoint, you have to take everything seriously,” Hawkins said.
When it comes to what should be publicly reported and what shouldn’t, Hawkins said he thinks it depends on the nature of the attack and what kind of information was exposed.
But, in his new role developing anti-ransomware products, he sees the importance of making the smaller attacks public, so companies like the one he works for can develop products to avoid even the smaller attacks.
“I don’t know that every single thing that happens needs to be reported publicly,” Hawkins said. “But, maybe it should be so that companies can continue to fight these types of attacks.”