Breach Notification , Cybercrime , Cybercrime as-a-service

Texas Pummeled by Coordinated Ransomware Attack

Cybercrime Campaign Counts 23 Victims - Mostly Local Government Entities
Texas Pummeled by Coordinated Ransomware Attack
Officials say the ransomware attack didn't compromise state government networks. (Photo of a Texas state capital building in Austin by TSLAC, via Flickr/CC)

State officials in Texas are warning that multiple local government entities have fallen victim to a coordinated ransomware attack unleashed on Friday morning.

See Also: Cyber Insurance Assessment Readiness Checklist

The Texas Department of Information Resources, based in the state capital of Austin, issued a statement on Friday saying that the attacks had hit multiple "Texas government entities," claiming at least 20 victims. Following the attacks, DIR says it's leading the state's incident response efforts, backed by the Texas Division of Emergency Management, which was coordinating state agency support via the Texas State Operations Center.

"Local jurisdictions who have been impacted should contact their local TDEM disaster district coordinator," the agency said. "DIR is fully committed to respond swiftly to this event and provide the necessary resources to bring these entities back online."

In an updated statement released Saturday, DIR said the total victim count stood at 23 organizations. The Texas Military Department as well as Texas A&M University System’s Cyberresponse and Security Operations Center teams "are deploying resources to the most critically impacted jurisdictions," it added. The U.S. Department of Homeland Security as well as FBI's cyber division, among others, have also been assisting with the response.

"At this time, the evidence gathered indicates the attacks came from one single threat actor. Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time," DIR said. "It appears all entities that were actually or potentially impacted have been identified and notified."

Systems and networks run by the state of Texas have not been disrupted, DIR says.

Officials in Austin said their systems were unaffected by the attack. "We are monitoring the situation," Bryce Bencivengo, a spokesman for Austin's Office of Homeland Security and Emergency Management, told local NPR member station KUT.

Incident Response Underway

DIR declined to comment further about affected municipalities as well as what the incident response effort might entail - for example, if responders can restore crypto-locked systems from offsite backups. Even if such backups exist, however, restoration can be a time-consuming and laborious process (see: Cleaning Up After Ransomware Attacks Isn't Easy).

Other information that state officials have yet to release include details about whether the attack crypto-locked PCs, servers, or both; whether attackers have demanded a ransom; and if the state might consider paying any ransom. It's also not clear if the state has identified the strain of ransomware involved.

The attack campaign follows the state of Louisiana last month declaring a state of emergency after a rash of malware infections - at least some of which involved ransomware - slammed state schools.

Ransomware Profits Surge

Ransomware is more lucrative than ever for criminals. In an analysis of attacks seen in the second quarter of this year, ransomware incident response firm Coveware reports that the average ransom paid by victims more than doubled from the first part of the year (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).

Common industries targeted with ransomware in Q2 2019 (Source: Coveware)

"In Q2 of 2019, the average ransom payment increased by 184 percent to $36,295, as compared to $12,762 in Q1 of 2019," Coveware said. "The increase reflects the growing prevalence of Ryuk and Sodinokibi, variants of ransomware that have rapidly increased their demands. These types of ransomware are predominantly used in targeted attacks on larger enterprises, or on distributed networks of companies via IT managed service providers or hosting ISPs."

If victims are lucky, they can find a working, free decryptor via the No More Ransom portal. But criminals. of course. favor strains of ransomware that cannot be easily decrypted. When security experts crack a strain of ransomware, the developers behind it typically don't wait long before responding with an updated version that uses tougher-to-break encryption.

Frequent Target: Local Governments

The coordinated ransomware attacks against Texas government entities shows that local governments remain a frequent - and occasionally lucrative - target for criminals (see: Georgia County Pays $400,000 to Ransomware Attackers).

Perhaps it's no surprise, then, that in May, cybersecurity firm Recorded Future warned that ransomware attacks against U.S. cities had increased sharply (see: Ransomware Increasingly Hits State and Local Governments).

Since crypto-locking ransomware first appeared in late 2013, security experts and law enforcement officials have been recommending that victims - including government entities - never pay attackers, because doing so directly funds cybercrime and encourages such attacks to continue. Instead, they recommend that all organizations and individuals put in place essential security defenses that can block many attacks outright, as well as better enable them to wipe and restore affected systems if an attack does get through. Such an approach also has a significant upside: Victims might need never have to consider whether to pay a ransom.

Nevertheless, some public sector as well as private organizations do continue to pay off their ransomware-wielding attackers in exchange for the promise of a decryption key.

Recovery Challenges

When victims choose to pay, they may still face weeks or months of restoration work, provided the decryptor they receive functions. Even if it does work, security experts warn that files may have been incorrectly encrypted before being deleted, making them impossible for any tool to restore. In addition, some decryptors restore crypto-locked files to a single directory, breaking file hierarchies and requiring extensive amounts of manual work to rebuild affected systems.

Not paying, however, can be costly. For example, the mayor of Atlanta earned plaudits in 2018 for stating unequivocally that her city would not pay a $51,000 ransom demanded by ransomware attackers in exchange for a key to decrypt the city's crypto-locked systems. But that came at a cost, as Mayor Keisha Lance Bottoms later told a U.S. House of Representatives committee. Fifteen months after the ransomware attack, she said the city had spent $7.2 million on cleanup costs and said costs - only some of which are covered by insurance - might yet increase.

Meanwhile, officials in Baltimore estimate that recovering from a May ransomware attack that successfully infected city systems will lead to $18 million in recovery costs and lost revenue.

Faced with those types of costs, some government entities choose to pay.

After suffering a ransomware attack in June, for example, one small city in central Florida paid attackers about $530,000, or 42 bitcoins, to restore access to systems and data. Lake City said that aside from a $10,000 deductible that it had to pay, the ransom was negotiated and paid by the Florida League of Cities, with which it holds a cyber insurance policy. The organization began offering the policies several years ago to help cities deal with hack attacks. Lake City said that after paying the ransom, it received working decryption software (see: More US Cities Battered by Ransomware).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.