
Ransomware on the Rise: Protecting Local Government Agency Data from Digital Extortion

By Bill Tolson


The business data security environment is constantly evolving, and more advanced ransomware attacks have become a primary concern for government agencies. From city clerks managing sensitive citizen data to state and local IT departments safeguarding critical infrastructure, everyone has a role in protecting against these constantly adapting digital extortion attempts.

 

Successful ransomware extortion events quickly make citizens wary of supplying their personally identifiable information (PII) to government agencies and erode their trust in state and local government.

 

This blog explores the growing ransomware threat to state and local government agencies - outlining the risks, potential consequences, and strategies for prevention, detection, and response.

Understanding Ransomware

Many California state and local government agencies have already experienced attacks on their systems. Whether successful or not, these attacks can throw agencies into turmoil and affect service levels and budgets. In fact, of the nearly 4,200 US-based ransomware victims between 2020 and 2021, 260 were in California, making it the hardest-hit ransomware state in the nation.

 

But what is ransomware?

 

The original form of ransomware is malicious software inserted into target systems via phishing or other malware delivery tricks. It encrypts the target systems' data, locking all users out of their own files and systems. Attackers then demand a ransom payment, often in cryptocurrency, in exchange for decrypting the data and restoring full access. These attacks can adversely affect government operations, disrupt essential services, and expose sensitive citizen PII.

 

Here's a breakdown of a typical ransomware attack:

  1. Infection: The attacker gains access to a government system through various methods, such as phishing emails, infected attachments, or unpatched software vulnerabilities.

  2. Encryption: The ransomware can wait for set periods before activating and encrypting sensitive files and databases, rendering them inaccessible to agency personnel. (This waiting period also ensures that enterprise backups will include ransomware.)

  3. Ransom Demand: A message pops up on the infected devices or systems, demanding a ransom payment and threatening to permanently delete the data or encryption keys or leak the sensitive data online if payment isn't received.

 

Recently, ransomware attacks have evolved in their tactics. Some of the newer attack strategies include:

 

  1. Double Extortion:

    • Attackers not only encrypt data in place but also copy sensitive data and move it to the hacker’s servers for ongoing threats.

    • This lets the attackers threaten not only to disable the agency’s systems permanently but also to publish the stolen client data if the ransom isn't paid, adding further pressure on the agency.

  2. Triple Extortion:

    • The logical next step beyond double extortion: the attackers also threaten to notify clients, customers, partners, and the media about the breach. This version began to appear more often as the EU (GDPR) and numerous US states passed data privacy laws that require data collectors to provide much higher levels of data security or face large fines and lawsuits.

  3. Supply Chain Attacks:

    • Targeting software suppliers or managed service providers to infect multiple downstream customers simultaneously.

    • A recent example of a supply chain attack is the Kaseya VSA attack of 2021.

  4. Fileless Ransomware:

    • Operates entirely in computer memory without writing files to disks.

    • This version is more challenging to detect by traditional antivirus solutions.

  5. Delayed Encryption:

    • Infiltrating systems and lying dormant for days, weeks, or months before encrypting agency data, making it much harder to trace the initial point of entry. This tactic also ensures that backups taken during the dormant period contain the ransomware.

 

These strategies often combine multiple techniques to increase effectiveness and evade detection. Agencies must stay informed about these constantly evolving threats and implement comprehensive, multi-layered security measures to protect against them.


System Backups are now a Target

Many believe that a robust backup program can defeat or at least reduce ransomware effectiveness; however, standard backup procedures are no longer a defense against newer ransomware attacks.

 

Ransomware attackers have begun to employ newer tactics to prevent victims from using backups to recover their data, effectively removing this system defense. Some of the main attack strategies:

 

  1. Targeting backup systems:

    • Attackers often specifically seek out and encrypt or delete backup files and systems.

    • They may corrupt backup catalogs or configuration files to render backups unusable.

  2. Deleting Volume Shadow Copies:

    • Many ransomware variants delete Windows volume shadow copies, which are often used for system restore points and backups.

  3. Encrypting network-attached storage (NAS) devices:

    • Attackers target network-connected backup devices, encrypting the backups stored there.

  4. Disabling or altering backup software:

    • Some ransomware strains attempt to stop backup services or alter backup software settings.

  5. Exploiting cloud backups:

    • If cloud backup credentials are compromised, attackers may delete, copy, or encrypt cloud-stored backups.

  6. Long-term persistence:

    • Attackers may remain in the system undetected for months, ensuring that even older backups are infected.

  7. Attacking offline or cold storage backups:

    • Sophisticated attackers may target air-gapped or offline backup systems if they can gain physical access.

  8. Threatening to leak sensitive data - extortionware:

    • Even if backups are available, attackers may threaten to leak sensitive data to pressure victims into paying.

  9. Exploiting backup software vulnerabilities:

    • Attackers may exploit known vulnerabilities in backup software to compromise the backup systems.

 

To counter these tactics, government agencies should:

  • Implement the 3-2-1 backup rule (3 copies, two different media, one off-site)

  • Use air-gapped or immutable data backup strategies

  • Encrypt all backed-up data

  • Keep backup software and systems updated and patched

These basic measures can significantly improve an organization's resilience against ransomware attacks targeting backup systems.


Why are Government Agencies being Targeted?

Government agencies are becoming priority targets for ransomware attackers for several reasons:


  • They retain high-value data

  • Most local agencies have limited resources

  • The disruption potential is large


The Hidden Costs of Ransomware Attacks

Ransomware attacks present a heightened risk to agencies, especially in smaller municipalities.


Smaller local agencies face several unique considerations due to citizens' reliance on local services and the sensitive nature of the data they handle. Attacks disrupting operations such as permitting, payments, tax collection, and emergency response endanger the public and undermine trust in government.


Ransomware attacks can inflict lasting damage that goes far beyond ransom payments. The FBI warns that when systems grind to a halt and government operations are paralyzed, direct financial and public service consequences quickly arise. The FBI even mentions new "data wiper" malware designed for maximum disruption. Data-wiping code may sit dormant for a pre-set period of time and then trigger, causing lasting damage.

These attacks strain IT teams and crush morale across many governmental organizations.

 

Remember that encrypted and immutable trusted backups and trusted storage repositories have the same ransomware defense capability as offline or air-gapped backups.


Protecting Your Agency: Strategies for Prevention, Detection, and Response

Fortunately, there are steps government agencies can take to reduce the risk of ransomware attacks and improve their response capabilities.

  1. Regular Backups: Regularly back up critical data to secure offline locations to ensure you have a clean copy for restoration in case of an attack.

  2. Software Updates: Patching known vulnerabilities in operating systems, applications, and firmware is crucial to eliminate potential entry points for attackers.

  3. Encrypt all backup data: This ensures that backups cannot be opened and that sensitive data cannot be copied for later ransom.

  4. Write all backup data to immutable storage: This ensures that backups stored on-prem and in the cloud cannot be deleted or corrupted by the ransomware.

  5. User Awareness Training: Educate staff about phishing tactics and best practices for email security to reduce the risk of human error leading to malware infection.

  6. Multi-Factor Authentication: Implement multi-factor authentication (MFA) to add an extra layer of security beyond passwords.

  7. Adopt the principle of least privilege: A user should have access only to what they absolutely need in any given system to perform their responsibilities, and no more.

  8. Network Segmentation: Dividing your network into smaller segments can limit the spread of ransomware in case of an infection.


Additional Security Considerations for City Clerks

City clerks hold a unique position within government agencies. They manage a vast amount of sensitive citizen data, including birth certificates, marriage licenses, death certificates, payment data, and voter ID history. Citizens need this data to access essential services and to defensibly navigate legal processes. Ransomware attacks targeting city clerks' offices can be particularly disruptive, causing delays in issuing critical documents and creating anxiety for residents.

 

However, government agencies can significantly reduce risk by taking a proactive approach to ransomware attacks, including local agency adoption of the California Trusted Systems specification.  


California Trusted Systems: An Effective Defense Against Ransomware

Recent data breaches targeting California state and local government agencies have highlighted the destructive consequences of inadequate agency cybersecurity measures. For example, in 2021, a ransomware attack negatively impacted Los Angeles County's computer systems, disrupting access to essential services and causing millions of dollars in damages.


A more recent example occurred on July 19, 2024, when the LA County Superior Court was hit with a ransomware attack.


The California Trusted Systems program is an essential tool for California state agencies to mitigate these risks by establishing a documented and rigorous security baseline for California agency IT systems. It creates a framework for California government agencies to select and implement secure information systems that comply with stringent data security standards.


Trusted System compliance requirements:


  1. An agency maintains at least two separate copies of an electronic resource/data file

  2. Use proper hardware/software and media storage techniques to prevent unauthorized additions, modifications, or deletions of digital data

  3. Store at least one copy of a document in a separate and secure location. This requires that at least one of the copies of a stored electronic document or record be written in a way that does not permit any unauthorized alterations or deletions, and be stored and preserved in a separate and safe location/data center. In other words, the copies are kept in an encrypted format on immutable or WORM media in two separate locations.

  4. The system withstands independent audits to ensure document integrity and compliance


Establishing a compliant, trusted system should not rest solely on a given agency’s records manager. In fact, it requires support from an agency’s upper management, legal counsel, and the IT department. It also requires an organization to create and document policies and procedures that provide appropriate electronic record handling and processing as well as training for all employees. 


Benefits of Trusted System Compliance for Local Agencies

California Trusted System compliance only applies to California state agencies—not local city and county agencies. However, the basic requirements of trusted systems compliance would greatly benefit local agencies with increased cybersecurity and ransomware protection, regulatory data retention requirements, and FOIA response.


In the previous “Understanding Ransomware” section of this blog, I described the newer threat vectors that ransomware developers have adopted, including copying sensitive data for later extortion and searching for and deleting backups to ensure the victim cannot restore their systems after encryption.


Trusted system compliance can directly neutralize these two new attack strategies by:


  1. Encrypting all sensitive data, making it impossible for backup data to be copied and used later for extortion

  2. Storing all backed-up data on a cloud-based immutable storage tier, ensuring data backups cannot be deleted or corrupted

The restorVault Trusted System Data Storage Platform

The restorVault Trusted Storage Cloud Archive and Data Virtualization platform was explicitly designed to meet the California Trusted System requirements. The restorVault solution addresses the following compliance criteria: 


  • As previously stated, the first requirement for Trusted System certification is that an agency maintain at least two separate copies of an electronic resource/data file. Each file (and its individual hashed fingerprint) is stored in two separate vaults on the restorVault cloud infrastructure, and each file copy is stored in a different data center for redundancy.

  • The second requirement is that the agency utilize proper hardware/software and media storage techniques to prevent unauthorized data additions, modifications, or deletions. The restorVault solution stores all data in the restorVault cloud, which is encrypted AND stored on immutable/WORM storage tiers to ensure “copy of record” status. In reality, encrypting sensitive data in the restorVault cloud ensures sensitive data cannot be copied/stolen and used for extortion. Additionally, immutable storage ensures that the newer forms of ransomware cannot corrupt or delete your data.

  • Third, agencies must store at least one copy of each document/file in a separate and secure location, with at least one copy in an unalterable format, i.e., immutable or WORM storage. As stated above, the restorVault platforms enable the storage of each data file in two separate data center locations in an encrypted state.

 

Additional restorVault data integrity capabilities include:

  • Digital fingerprinting – Each time a file is saved, a unique fingerprint is generated using an MD5 or SHA1 hash of its contents and metadata, so history and file contents cannot be altered after the fact.

  • Serial Numbers – Each file is assigned a serial number to ensure that no files are missing or have been tampered with.

  • Secure Time – The system time clock is secured using a global, redundant, authenticated time source (Stratum Level I hardware time sources).

  • Data Encryption – AES-256 data encryption is provided in transit and at rest.

  • Data Verification – All stored files are re-verified against their fingerprints every 90 days, repaired using the second copy if necessary, and retained per customer-defined policies.
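As an added illustration (not restorVault's code and not part of the original post) of the fingerprinting, serial-number and verification capabilities listed above, and of the Trusted System requirements for two copies, unalterable storage and auditable integrity: a minimal Python model in which every file gets a serial number and a fingerprint, is written to two vaults, and is later re-verified and repaired from whichever copy still verifies. The Vault and Ledger names, the in-memory vaults and the sample records are assumptions constructed for the example; SHA-256 stands in for the MD5/SHA-1 fingerprint because those hashes are no longer collision resistant.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(eq=False)   # identity comparison: each vault is a distinct location
class Vault:
    name: str
    blobs: dict = field(default_factory=dict)   # serial -> file contents

@dataclass
class Ledger:
    entries: dict = field(default_factory=dict)  # serial -> (filename, fingerprint)
    next_serial: int = 1

def fingerprint(filename: str, data: bytes) -> str:
    # Metadata (the name) and contents hashed together; SHA-256 since MD5/SHA-1 are not collision resistant
    return hashlib.sha256(filename.encode() + b"\0" + data).hexdigest()

def store(ledger: Ledger, vaults: list, filename: str, data: bytes) -> int:
    serial, ledger.next_serial = ledger.next_serial, ledger.next_serial + 1
    ledger.entries[serial] = (filename, fingerprint(filename, data))
    for v in vaults:          # every file is written to every vault (two copies, two locations)
        v.blobs[serial] = data
    return serial

def verify_and_repair(ledger: Ledger, vaults: list) -> dict:
    # Audit pass: each serial must be in the ledger and each copy must match its fingerprint;
    # a bad or missing copy is rewritten from a copy that still verifies.
    report = {"ok": [], "repaired": [], "unrecoverable": [], "missing_serials": []}
    for serial in range(1, ledger.next_serial):
        if serial not in ledger.entries:          # gap in the series: ledger tampered with or lost
            report["missing_serials"].append(serial)
            continue
        filename, fp = ledger.entries[serial]
        good = [v for v in vaults
                if serial in v.blobs and fingerprint(filename, v.blobs[serial]) == fp]
        bad = [v for v in vaults if v not in good]
        if not good:
            report["unrecoverable"].append(serial)   # every copy bad: cannot restore
        elif bad:
            for v in bad: v.blobs[serial] = good[0].blobs[serial]
            report["repaired"].append(serial)
        else:
            report["ok"].append(serial)
    return report

def demo() -> tuple:
    # Constructed scenario: two records written, then one copy of the second overwritten.
    ledger, vaults = Ledger(), [Vault("dc-west"), Vault("dc-east")]
    store(ledger, vaults, "birth_cert_1042.pdf", b"constructed sample record 1")
    s2 = store(ledger, vaults, "marriage_lic_77.pdf", b"constructed sample record 2")
    vaults[0].blobs[s2] = b"\x00encrypted-by-attacker\x00"   # corrupt one copy only
    return verify_and_repair(ledger, vaults), vaults
```

The 90-day schedule and the immutability of the underlying media are outside this model; it shows only the verification and repair logic.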

Contact us today to learn which agencies have already adopted the restorVault California Trusted Systems data storage platform and how we can help your agency.



