Local governments keep losing millions in preventable ransomware attacks
Hackers are targeting local governments through email attacks — with costly results.
These attacks, utilizing deceptive sender identities, almost always start with a spear-phishing email.
In this kind of attack, the spear-phishing message uses a faked sender identity so it looks like it comes from a trusted source — perhaps a manager in the same department, a contractor used by the department, or another government agency. An unsuspecting government employee, believing it to be a legitimate message, clicks on the email’s attachment and unwittingly installs ransomware, which then rapidly spreads through the government’s network, shutting down email, blocking access to crucial files, and in some cases even taking a whole city’s emergency services system offline.
Recovering from an attack like this isn’t easy, and it places local government officials in a difficult ethical dilemma: risk the availability of key government services and millions of taxpayer dollars in remediation costs (replacing computers, rebuilding networks, reinstalling software, etc.), or pay hundreds of thousands of taxpayer dollars in ransom payments. Or both.
Millions in ransomware and BEC losses
A quick survey of recent news shows almost $2 million in losses from email-based attacks against local governments, just in the past month:
- Riviera Beach, Florida paid $600,000 to ransomware attackers in June — in addition to spending $1 million for new computer hardware. “The hackers apparently got into the city’s system when an employee clicked on an email link that allowed them to upload malware,” which shut down the city’s email as well as its 911 system.
- Lake City, Florida, paid a $460,000 ransom in June after a city employee clicked on an email attachment. The city was hit with the same “Ryuk” ransomware variant that targeted Riviera Beach. According to CrowdStrike, Ryuk’s initial vector is a piece of malware called “TrickBot,” which is usually distributed via email.
- Key Biscayne, Florida also got hit with the Ryuk ransomware after a city employee clicked on an email attachment, thus unleashing the malware. There’s no word yet on the costs or whether the town of 3,000 has decided to pay the ransom.
- The City of Griffin, Georgia got scammed out of $800,000 in a classic impersonation-based business email compromise (BEC) attack. According to the report, “A city employee thought they got an email from a vendor the water department works with. But it turns out it was a cybercriminal who spoofed their email address was able to steal several hundred thousand dollars.”
Additionally, a ransomware attack in May cost the city of Baltimore $18 million. The city refused to pay the $70,000 ransom.
And before that, a ransomware attack on Atlanta cost the city $2.6 million in recovery costs in 2018.
An avoidable cost
The critical point is that these attacks are costly to recover from — but they are entirely preventable. They all start with a phishing email.
According to recent research by Barracuda, 83% of all email attacks make use of impersonation (deceptive sender identities) to fool recipients into trusting the messages. These fake identities also make it easy for the malicious messages to sail through existing email security systems, because the sender appears to be a known sender with a good reputation.
A focus on sender-based email security and email authentication will cut off the vast majority of such email attacks, blocking phishing messages before anyone has a chance to click on them.
By validating the identity of the sending domain, organizations like municipal governments can block any messages from untrusted or unauthorized senders. And if governments also authenticate their own domains (using open standards like DMARC), they can ensure that attackers can’t impersonate them in any messages — to city employees, service providers, or even citizens. And since government contract awards are publicly available information, it is easy for hackers to craft sophisticated messages and fake invoices to target local governments. To prevent this, some government officials are considering requiring contractors to authenticate their domains to be eligible for future government contracts.
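One way to check whether a domain is actually protected by DMARC, as described above (an added example, not part of the original article and not Valimail's code): it parses the TXT strings published at `_dmarc.<domain>` and classifies the policy. The domain names and records are constructed samples, the function names are hypothetical, and no DNS lookups are made.

```python
# Added example. Records below are constructed; no DNS lookups are performed.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must start with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag, treat the record as unusable
        tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt_records):
    """Classify the TXT strings found at _dmarc.<domain> as (status, detail)."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no-record", "no DMARC record published"
    if len(records) > 1:
        return "invalid", "multiple DMARC records; receivers discard all of them"
    tags = records[0]
    policy = tags.get("p", "").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100  # default 100
    if policy not in ENFORCING:
        return "monitor-only", f"p={policy or 'missing'}; receivers take no action"
    if pct < 100:
        return "partial", f"p={policy} applies to only {pct}% of failing mail"
    return "enforced", f"p={policy}"

# Hypothetical city and contractor domains (reserved .example names).
SAMPLE = {
    "city.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@city.example"],
    "paving-vendor.example": ["v=DMARC1; p=none; rua=mailto:rpt@paving-vendor.example"],
    "water-billing.example": ["v=spf1 include:_spf.example -all"],
    "it-contractor.example": ["v=DMARC1; p=quarantine; pct=25"],
    "printing.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def audit(domains):
    """Map each domain to its DMARC status."""
    return {d: assess(txts)[0] for d, txts in domains.items()}

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        status, detail = assess(txts)
        print(f"{domain:24}{status:14}{detail}")
```

Only the `enforced` status means receivers are asked to quarantine or reject every message that fails authentication; a `p=none` record collects reports but leaves the domain open to impersonation.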
The turnkey solution
Sender-based identity validation is a lot more cost-effective than paying hundreds of thousands or millions of dollars in ransoms and remediation costs. Best of all, it can be accomplished with minimal demands on the time of a city’s limited IT staff.
Valimail offers a complete anti-phishing defense for government that blocks untrusted sending domains, blocks untrusted accounts on open-signup systems like Gmail or Yahoo! Mail, and can also authenticate a government’s own domains to prevent abuse. Implementation takes about 100 days on average, with an average of 0.2 FTE in staff time, although some of our government customers have deployed Valimail’s technology and achieved protection from impersonation in mere weeks.
Our solution is also authorized for government use under the GSA FedRAMP program, so you know it has the reliability and security needed to support government organizations at all levels: Federal, state, and local.
Contact us today to request a no-cost domain analysis. This 2-week analysis will reveal which senders are using impersonation to slip past your email defenses — and it’s the first step to blocking them and securing your employees’ inboxes.
Top photo: Baltimore City Hall. Source: James Cridland/Flickr