Why are governments so vulnerable to ransomware attacks?

Government systems paralyzed by malware cause chaos. New research explores why are attacks so frequently successful.
Written by Charlie Osborne, Contributing Writer

Ransomware is a constant feature of the threat landscape and despite the damage and disruption it can cause, governments are failing to protect against this form of malware. 

Emisoft estimates that over 2019, ransomware attacks impacted at least 948 government agencies, educational entities, and healthcare providers. Analysis conducted by Recorded Future suggests that 81 successful ransomware attacks took place against US government bodies across the year, and these incidents would often have a knock-on effect of impacting high numbers of towns and cities in their local areas. 

Florida County, Louisiana, New Orleans, and Texas are only a handful of regions where ransomware has caused severe disruption. If ransomware infiltrates a government network, this can lead to the shutdown or a loss of access to core government systems, thereby impacting local community services.

IBM research has already suggested that many US local and state government agencies are "overconfident" in their attitude towards malware and cybersecurity incidents, and now, Deloitte further implies that governments are simply not doing enough. 

On Wednesday, Deloitte released a report, "Ransoming government: What state and local governments can do to break free from ransomware attacks," which explores how these attacks are able to take place -- and what government officials should be doing to tackle the ransomware challenge. 

According to the researchers, as local and state governments offer more services through digital outlets, this increased attack surface -- combined with the ease of obtaining off-the-shelf malware, Ransomware-as-a-Service (RaaS), and the option to use cryptocurrency for blackmail payments -- has opened up new avenues for exploit. 

"A few decades ago, there may have been a few computers in the central office of local school districts or police departments, but today every squad car has a computer, and each classroom likely has a few," the report notes. "Each of these computers is a potential access point for malicious malware, with the result that the potential attack surface that a government agency must protect has grown significantly without commensurate investments in cybersecurity."

Another problem which is causing unnecessary weaknesses in government platforms is the use of old, outdated, and inadequate systems and software. Failures to manage patch cycles, elderly operating systems that are close to or have gone beyond end-of-support dates, and tight budgets preventing modernization are contributing to ransomware infection rates. 

See also: Chinese hackers use decade-old Bisonal Trojan in cyberespionage campaigns

"Even current-standard, updated networks require constant effort to maintain security patches and configurations, a task that even the most well-staffed, well-trained cybersecurity staff could find difficult," Deloitte says. "For state and local governments operating with older, legacy systems, keeping those systems up to date can be a daunting battle."

However, the research suggests that as much of a challenge as antiquated systems can be, the human link is the greatest issue for government entities -- and without skilled staff and overall cybersecurity awareness, the possibility of threat actors using vulnerabilities, phishing, and social engineering to compromise networks increases.  

A survey conducted by NASCIO and Deloitte has found that a lack of budget has been the top concern for state government CISOs since 2010, and only one to two percent of an average IT budget is used for cybersecurity purposes. 

State and local governments will often pay up as the most logical course of action rather than attempt to restore systems through backups -- if this is even possible -- or face the possibility of weeks and weeks relying on pen-and-paper records. Cyberinsurance may cover a portion of payouts, and unfortunately, not paying up can sometimes prove to be significantly more costly. 

CNET: Clearview AI facial recognition app maker sued by Vermont

An example cited in the research is that of the city of Baltimore, which refused to yield to a $76,000 ransom demand, only to lose over $18 million in recovery costs and lost revenues. 

Ransomware will not disappear anytime soon, so how can state and local governments cope with the problem? 

Deloitte suggests that the key considerations need to be: 

  • Smarter systems architecture: IT modernization can only be deferred for so long and given the financial damage ransomware can cause, revamping old systems to prevent these attacks needs to be considered sooner rather than later. 
  • Staff training: Training and retention are key, as are public and private sector partnerships to expand available talent pools. 
  • Patch management, air gaps: Deloitte suggests that adequate patch management practices should be enforced and both data compartmentalization and air-gapped networks for backups should be considered. 
  • Cyberinsurance: While cyberinsurance can cover the cost of ransomware attacks, its use should be considered with care. These policies can have a knock-on effect of incentivizing threat actors to push for large payouts. 

TechRepublic: Cyberattackers are delivering malware by using links from whitelisted sites

"Connected devices, digital systems, and integrated data mean governments have the opportunity to serve people and communities like never before," said Deborah Golden, Principal and cyber risk services executive at Deloitte. "It also means there is a large surface for cybercriminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless."

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards