UPDATE: September 9, 2019: Local Texas government agencies fully restored business-critical services approximately one week following a widespread ransomware attack, which hit in August, according to the Texas Department of Information Resources (DIR).
More than half of the 23 organizations impacted are "back to operations as usual," according to DIR. Agency officials were "unaware" of any ransom payments.
Dive Brief:
- In Texas, at least 23 government entities were hit by a "coordinated ransomware" attack coming from a single threat actor, according to updates from the Department of Information Resources (DIR).
- The ransomware attack, which began Friday, targeted mostly "smaller local governments," according to the announcement. Governor Greg Abbott issued a "Level 2 Escalated Response," just under the requirements to qualify for a Level 1 or emergency response, according to an emailed statement from Nan Tolson, Abbott's deputy press secretary.
- The Level 2 response seeks support from outside the state, including the Department of Homeland Security and the Federal Bureau of Investigation. DIR, Texas Division of Emergency Management, Texas Military Department and Texas A&M University Systems Security Operations Center/Critical Incident Response Team are involved in the investigation.
Dive Insight:
Smaller governments are more likely to have legacy systems and modest security, making for easy targets.
Texas' current predicament is the result of "finding a common type of highly vulnerable organization that have the willingness – and ability – to pay a ransom," Matthew Gardiner, director of cybersecurity marketing at Mimecast, told CIO Dive in an email.
Paying a ransom comes down to basic math — weighing the cost of recovery versus the cost of the ransom — and most municipalities conclude the price of the ransom is cheaper.
But paying a ransom is a gamble because it doesn't guarantee the return or unlocking of data. It also, critics argue, sets an unhealthy precedent.
Last month more than 225 U.S. mayors agreed to not pay a ransom during a cyberattack, saying doing so "encourages continued attacks," according to the 2019 list of resolutions from the U.S. Conference of Mayors.
By the time the mayors met, two Florida cities had already paid their attackers' ransoms, and bad actors took note.
Because local governments have public-facing contact information, like emails, personalized phishing schemes are an easy tool for bad actors to deploy. "It isn't necessarily a case of 'coordination,' but rather a case of 'targeted marketing' by the cybercriminals," said Gardiner.