Why Are Ransomware Attackers Targeting State and Local Governments?

Writing in Government Technology, Daniel Lohrman, Chief Security Officer & Chief Strategist at Security Mentor, offered a chilling summary of the breadth and intensity of ransomware attacks targeting state and local governments. He cited high-profile attacks in Louisiana, Texas and Mississippi and noted that many localities are paying six-figure ransoms to avoid prolonged shutdowns or high remediation costs.

It’s not surprising that ransomware attackers are exploiting weaknesses in American cyber defenses to make money. The question, though, is why they are targeting state and local governments as well as public sector institutions like schools, hospitals and emergency services? To answer this question, I turned to Srini Subramanian, a Cyber Principal in Deloitte’s State & Local Government, Higher Education (SLHE) practice.

Subramanian pointed out that ransomware is not a new phenomenon. In fact, in the age of DOS and floppy disks, hackers were installing viruses and demanding cash be mailed to Post Office boxes as ransoms. However, as he noted, the attacks have become increasingly sophisticated. “You have a multi-stage attack with today’s ransomware,” he said.

“There’s the delivery of the malware and its operationalization, followed by negotiation and collection. At each stage, the attacker is vulnerable to detection and mitigation. Yet, they’re overwhelmingly successful,” he added. For Subramanian, the sophisticated of the attacks suggests that organized, highly-skilled criminal groups are involved.

As to why these groups are targeting government and public sector organizations, Subramanian pointed out that state governments are generally less well-funded for cybersecurity than their federal counterparts—and the federal government itself is very short on resources and people for security. “State governments are badly exposed,” he said. “Cities and schools are in even worse shape. They may not even have dedicated cybersecurity operations.”

Subramanian also noted, as did Lohrman, that public sector organizations face a serious backlash if they cannot deliver services. In some cases, people’s lives may be at stake, such as in a hospital or 911 ransomware scenario. Facing political pressure, it’s easier for some municipal entities to pay the ransom and get on with governing, rather than deal with the hassle of a remediation that may cost more than the ransom itself.

Public sector organizations face a serious backlash if they cannot deliver services. In some cases, people’s lives may be at stake, such as in a hospital or 911 ransomware scenario.

States and public sector institutions may also carry cyber insurance, which has been paying quite a few ransoms this last year. The practice may end at some point, but for now, insurance carriers are on the hook.

Legislative help appears to be on the way. Congress has passed S.1846, the State and Local Government Cybersecurity Act of 2019, which will, among other things, “make grants to and enter into cooperative agreements or contracts with States, local, Tribal, and territorial governments, and other non-Federal entities as the Secretary determines necessary to carry out the responsibilities of the [DHS] Secretary related to cybersecurity and infrastructure security under this Act and any other provision of law, including grants, cooperative agreements, and contracts that provide assistance and education related to cyber threat indicators, defensive measures and cybersecurity technologies, cybersecurity risks, incidents, analysis, and warnings.”

Legislative help appears to be on the way.

This is promising, but there’s still a problem with this analysis, in my view. There are many more businesses in the US that have money, cyber insurance, demanding customers and weak cybersecurity. Businesses are being targeted, for sure, but one could imagine that business is a far more profitable arena for sophisticated ransomware operations. Why is there such an emphasis on government targets?

There is no answer, except for speculation. However, informed speculation may be a useful way to frame the issue.

There is no answer, except for speculation. However, informed speculation may be a useful way to frame the issue. We know that Russian gangs, likely to be affiliated with or silently condoned by the Russian government, are carrying out many of these attacks. We know that Russia’s “Active Measures” directed against the United States are deliberately fomenting racial tensions to pit Americans against one another. Russia’s ability to use destructive disinformation to agitate white and non-white groups in the US was amply demonstrated in their 2016 election interference. This was documented in Senate investigations.

With that context in mind, the targeting of Mississippi, Texas, Louisiana, the Florida Panhandle, Baltimore and Atlanta start to make more sense. These are racial hot zones, unfortunately. Could it be that Russia is practicing for a bigger, deadlier version of the race-based disruption it mildly tested in 2016? It’s impossible to know, but the pattern and choice of targets—when so many corporate targets remain untouched—suggests a pattern well worth examining in greater depth.