Threat actors are targeting municipalities with ransomware, and many municipalities do not realize how large the risk is.
As described by the US Department of Homeland Security, ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.
Municipalities are prime targets because attackers know that their IT teams are small, with few dedicated cyber security staff, if any. If a city’s data is held for ransom, attackers know the victims will be under intense pressure to pay, and there is a history of cities that have reluctantly done so in order to get their data back. For example, Lake City in Florida paid nearly a half million dollars, and the city of Riviera Beach in Florida paid a $600,000 ransom in June 2019 to recover files following a ransomware attack.
Attacks are often performed using phishing emails that include malicious attachments, or via drive-by web attacks in which a person visits an infected website and malware is downloaded and installed without the person’s knowledge. Sometimes attackers place malicious files or links on “watering hole” sites that are known to be visited by employees of municipalities.
DNS is used during one or more stages of a ransomware attack: victimized systems make DNS queries for the domains involved in the attack, when the ransomware propagates via spam campaigns, or when the infected system checks in with the command and control infrastructure. DNS can therefore help prevent, identify, and detect ransomware attacks, and help resolve them faster.
Infoblox can help immediately by enabling the implementation of a DNS Response Policy Zone (RPZ) to prevent access to all domains known to be associated with malware. Infoblox threat intelligence feeds include domains used in ransomware attacks and provide protection against malicious domains. The DNS, DHCP and IPAM data that Infoblox collects and reports provide detailed visibility into infections and can be used to prioritize remediation. Once a malicious threat is detected, Infoblox can share that event information and context with security tools such as a SIEM, vulnerability scanners and NAC solutions, triggering those tools to either scan the device for vulnerabilities or block its access to the network until it is deemed compliant with policy.
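As an added illustration of the two DNS roles described above (RPZ-style blocking of known-bad domains, and using query data to see which hosts are infected and prioritize remediation), the following Python is not Infoblox code; the blocklist entries, client addresses and log lines are constructed sample data.

```python
from __future__ import annotations
from collections import Counter

# Constructed blocklist in RPZ style: a plain name matches only itself, while a
# "*.zone" entry matches every name strictly below zone (the RPZ wildcard rule).
BLOCKLIST = {"evil-c2.example", "*.payload.example"}

# Constructed DNS query log, one "<timestamp> <client_ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2019-06-12T08:01:02Z 10.1.4.22 www.cityhall.example A
2019-06-12T08:01:07Z 10.1.4.22 evil-c2.example A
2019-06-12T08:02:11Z 10.1.4.37 cdn.payload.example A
2019-06-12T08:02:12Z 10.1.4.37 a.b.payload.example AAAA
2019-06-12T08:02:30Z 10.1.4.37 update.payload.example A
2019-06-12T08:03:40Z 10.1.4.22 EVIL-C2.example. TXT
2019-06-12T08:04:00Z 10.1.4.51 mail.county.example MX
"""

def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are exact."""
    return qname.lower().rstrip(".")

def rpz_match(qname: str, blocklist: set[str]) -> str | None:
    """Return the blocklist entry covering qname (exact or wildcard), else None."""
    name = normalize(qname)
    if name in blocklist:
        return name
    labels = name.split(".")
    # Walk up the tree: a.b.zone checks *.b.zone, then *.zone.
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in blocklist:
            return wildcard
    return None

def triage(log: str, blocklist: set[str]) -> dict[str, Counter]:
    """Map each client that resolved a blocked name to its hit counts per entry."""
    hits: dict[str, Counter] = {}
    for line in log.splitlines():
        _ts, client, qname, _qtype = line.split()
        entry = rpz_match(qname, blocklist)
        if entry is not None:
            hits.setdefault(client, Counter())[entry] += 1
    return hits

def remediation_order(hits: dict[str, Counter]) -> list[str]:
    """Clients with the most blocked lookups first: the likeliest infections."""
    return sorted(hits, key=lambda client: -sum(hits[client].values()))
```

Running `remediation_order(triage(SAMPLE_LOG, BLOCKLIST))` on the sample data lists 10.1.4.37 before 10.1.4.22 and leaves 10.1.4.51 out, since only its benign lookups appear.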
The Infoblox Activity Report and Dossier tool can be used to determine whether malware attacks are taking place and to identify the source of the attacks. Action can then be taken, such as enabling additional security feeds and adding the malicious domains to blacklists.
The Infoblox Cyber Intelligence team has written several Cyber Campaign Briefs on ransomware including Shade, Sodinokibi (subject of a recent DHS report), MegaCortex, Cryptomix, and Ryuk ransomware as well as a survey of ransomware in 2018, all of which are available on the Threat Intelligence Reports page.