A coordinated ransomware attack hit 22 Texas local governments, but none of the impacted municipalities paid ransom demands, Texas state officials said this week.
Three weeks after the incident took place, the Texas Department of Information Resources (DIR) said that more than half of the impacted entities are now back to operations as usual.
The "coordinated attack" hit on Friday, August 16, when hackers breached the IT networks of 22 local governments (initially reported as 23) and deployed the Sodinokibi (REvil) ransomware.
The mayor of Keene, Texas, one of the impacted Texas cities, said hackers breached the city's network using the software used by an IT company to remotely manage Keene's infrastructure, software that was also used by the other municipalities.
Hackers asked a collective ransom from all 22 towns and counties of $2.5 million paid in Bitcoin, NPR reported.
Texas officials were prepared
But Texas officials were prepared for the incident. Similar to how Louisiana deployed emergency cyber-teams to deal with a rash of ransomware infections at three local school districts, Texas officials did the same.
Texas DIR deployed experts from more than ten government agencies and private sector partners to help cities recover.
Some cities restored impacted systems from backups, while other rebuilt networks from scratch. This allowed municipalities to avoid paying ransom demands.
Taxpayers don't want cities paying ransoms anymore
By doing so, government officials avoided another PR catastrophe. In recent months, taxpayers have been turning on cities that fail to invest or to safeguard IT networks, and then agree to pay gigantic ransom demands to criminal gangs.
An IBM survey published this week echoed this criticism. IBM found that 60% of respondents (US taxpayers) were against cities using state funds to pay ransom demands in ransomware incidents.
Instead, 90% of respondents said they would be in favor of the US government increasing federal funding to improve cities' cybersecurity.
As a result of more and more cities choosing to pay ransoms, recently, ransomware gangs have also become more brazen in their demands.
After realizing that insurance companies are likely to advise governments to pay ransom demands instead of covering the huge costs of rebuilding IT networks from scratch, ransomware gangs have started requesting more money.
After crooks demanded $2.5 million from Texas officials, this week, news also broke that another ransomware gang requested a whopping $5.3 million from a Massachusetts town, an offer the city turned down and decided to restore from backups, albeit it was initially willing to pay $400,000.
Advice from Texas responders
For this reason, it is important that cities protect their networks, instead of waiting around for something bad to happen, and then react to improve security.
To help out, the incident responders who managed the ransomware infections at the 22 Texas municipalities have published advice this week that companies and government organizations can follow:
- Only allow authentication to remote access software from inside the provider's network
- Use two-factor authentication on remote administration tools and Virtual Private Network tunnels (VPNs) rather than remote desktop protocols (RDPs)
- Block inbound network traffic from Tor Exit Nodes
- Block outbound network traffic to Pastebin
- Use Endpoint Detection and Response (EDR) to detect Powershell (PS) running unusual processes.