Two months have passed since the city of Baltimore was hit by the latest in a string of ransomware attacks targeting municipalities, and things still aren’t completely back to normal. The attack, perpetrated by an unknown cyber criminal, impacted over 10,000 municipal government-owned computers, and disrupted tax collection and city employees’ access to their email and voicemail accounts. In addition, more than 1,500 pending home sales were delayed, though officials were able to resume processing real estate transactions some days later.
The attackers used a fairly new strain of ransomware called RobbinHood to encrypt all user files on the affected computers. The algorithm they employed is said to be unbreakable with today’s cryptographic technologies. City officials refused to pay the ransom of 13 bitcoins—worth between $80,000 and $100,000—the attackers have demanded. Instead, Baltimore’s leaders have struggled to rebuild applications, user accounts, and portions of their network from the ground up, a process that’s laborious, slow, and expensive. Estimates of lost revenue and recovery costs are currently in the neighborhood of $18 million.
City residents have been frustrated and disappointed with the slow pace of recovery, especially since the temporary manual processes Baltimore has put in place for some administrative components are tedious and inefficient. Other residents are incredulous that the city wasn’t better prepared for this sort of attack since this is the second time within a year its systems have fallen victim to ransomware.
Lack of Awareness, Lack of Patching, Lack of Funding
It’s tempting to believe the strain of ransomware involved was highly and technically sophisticated and was able to bypass security controls that the city’s IT team had established in the wake of last year’s incident. But analysis of the RobbinHood malware indicates that can only be distributed through methods requiring extended access to network-level controls—and it most probably was distributed via the compromise of a user account with privileged credentials.
Other experts have claimed the affected systems were vulnerable because Baltimore failed to install a Windows patch that Microsoft had issued in 2017.
Credentialed account compromise can often be prevented with good password hygiene, and by training employees to avoid social engineering or phishing attacks. The vulnerabilities that come from failing to apply software patches in a timely manner can be reduced by turning on automatic updating, or by running periodic vulnerability scans to identify such security weaknesses within the environment.
But keeping software up-to-date and keeping employees well trained in cybersecurity best practices is a process requiring time and effort. The city must be able and willing to invest enough resources in maintaining secure systems and cultivating a cyber-resilient culture. When funds are lacking, it’s all too easy to put off routine security tasks until “later,” only to learn the delay has had devastating consequences.
Costly Upgrades in Hope of a More Secure Future
Even as they continue to work through the strenuous recovery process, city officials in Baltimore are taking this latest ransomware attack as an opportunity to upgrade their network security architecture. They’re bringing in outside experts in security services to advise and guide them, and they’re looking to move vital segments of their infrastructure to the cloud.
Such improvements are vital first steps toward building a more cyber resilient municipal government, of course. Officials will need to make the right investments in cost-effective security solutions, including advanced endpoint protection platforms, virtual web application firewall technology, secure DNS filtering and comprehensive, integrated network-level solutions. But they will also need to cultivate an organizational mindset that values and prioritizes information security, and understands the importance of collaborating with IT teams to ensure threats like RobbinHood never gain a foothold in their city again.
To do so, city government leaders will need to abandon old ways of thinking about cybersecurity and adopt a more proactive approach, instead. Rather than assuming they can establish zones “inside” the network where users–and the data packets they create–are assumed safe, in today’s most effective information security architectures, no one inside or outside the network perimeter is automatically trusted. With this mindset, known as the “Zero Trust” approach, every user’s identity is to be verified, every host name or IP address is to be confirmed non-malicious, and every unknown file is to be analyzed before any of them are deemed safe to execute on or access the network.
To learn more about Zero Trust security architectures and the key steps to implementing Zero Trust in your own environment, download our eBook, today.
TEST YOUR EMAIL SECURITY GET YOUR INSTANT SECURITY SCORECARD FOR FREE