The FBI released an alert on March 30, 2022, informing Government Facilities Sector (GFS) partners of cyber actors conducting ransomware attacks. These attacks have impacted local government agencies and resulted in disrupted operational services, risks to public safety, and financial losses. Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical infrastructure, emergency services, educational facilities, and other services overseen by local governments. This critical dependency makes these entities attractive targets for threat actors. Victim incident reporting to the FBI between January and December 2021 indicated local government entities within the GFS were the second most victimized group, behind academia. Please note that much of the text of this FBI alert has been used within this blog.
In 2021, local US government agency victims were primarily among smaller counties and municipalities, which was likely indicative of their cybersecurity resource and budget limitations. “The State of Ransomware in Government 2021” survey of 30 countries, conducted through an independent research group commissioned by a UK-based company, found rectifying a ransomware attack on a local government often included financial liabilities related to operational downtime, people time, device costs, network costs, lost opportunity, and, in some cases, paid ransoms. Further, the survey found local governments were the least able to prevent encryption and recover from backups, and had the second-highest rate of paying the ransom compared to other critical infrastructure sectors. According to a US-based media source reporting on state and local government matters, underfunded public sector organizations’ understaffed and outdated systems often put them in the position to pay ransoms simply to get the data back.
Recent reporting indicates ransomware incidents against local governments resulted in disruptions to public and health services, emergency and safety operations, and the compromise of personal data. These types of attacks can have significant repercussions for local communities by straining financial and operational resources and putting residents at risk for further exploitation. Examples highlighted in the FBI alert include:
In January 2022, a US county took computer systems offline, closed public offices, and ran emergency response operations using “backup contingencies” after a ransomware attack impacted local government operations. The attack also disabled county jail surveillance cameras, data collection capabilities, internet access, and deactivated automated doors, resulting in safety concerns and a facility lockdown.
In September 2021, cyber actors infected a US county network with ransomware, resulting in the closure of the county courthouse and the theft of a substantial amount of county data (including personal information on residents, employees, and vendors). The actors posted the data on the dark web when the county refused to pay the ransom.
In May 2021, cyber actors infected local US county government systems with PayOrGrief ransomware, making some servers inaccessible and limiting operations. The attack disabled online services, including scheduling of COVID-19 vaccination appointments, and the attackers claimed to have 2.5 gigabytes of data, including internal documents and personal information.
In January 2021, cyber actors infected local US county government systems with ransomware that compromised jail and courthouse computers in addition to election, assessment, financial, zoning, law enforcement, jail management, dispatch, and other files. The attack impacted the sheriff department’s records management program and county clerk, treasurer, and supervisor of assessment and public defender office computers. The ransomware note stated files would be deleted after two weeks if the ransom was not paid.
The top three initial infection vectors in 2021 were phishing emails, remote desktop protocol exploitation, and software vulnerability exploitation. These were likely exacerbated by the continued remote work and learning environments, which expanded the attack surface and challenged network defenders. In 2021, actors expanded their targeting tactics and widened the scope of potential victimization by implementing service-for-hire business models, sharing victim information among actor groups, diversifying extortion strategies, and attacking upstream/downstream accesses and data sources such as cloud infrastructure, managed service providers, and software supply chains. In the next year, local US government agencies almost certainly will continue to experience ransomware attacks, particularly as malware deployment and targeting tactics evolve, further endangering public health and safety and resulting in significant financial liabilities. The FBI has an opportunity to disrupt some of this activity by leveraging partnerships with domestic and foreign governments, as well as the private sector, to more effectively identify actors, finances, and infrastructure.
Malware Such as Ransomware Uses DNS All the Time
Malware attempts to exploit DNS in many ways. Malware often utilizes DNS because it is a trusted protocol, is ubiquitous in networks, and is frequently left uninspected and unprotected. For the same reasons, DNS can become a crucial control plane to prevent, detect, and rapidly resolve such attacks.
DNS security must be a critical part of your ransomware defense. Ransomware and most other malware use techniques that depend on DNS at one or more points in their attack sequence. For example, DNS may be used during the reconnaissance phase when preparing a targeted attack. DNS is leveraged by threat actors when an infected system resolves the names of its command and control infrastructure. DNS may also be used for malware delivery as victims attempt to reach the hosts involved in the attack. Finally, the exploitation phase may also involve DNS lookups from an infected system.
BloxOne® Threat Defense (B1TD) is a cloud-managed, hybrid DNS security solution that protects users and devices on-premises within the enterprise network, while roaming or remote, and in the cloud. B1TD blocks DNS-based malware, including ransomware, communications with command-and-control servers, data exfiltration, and more. BloxOne Threat Defense provides AI/ML-based analytics, threat intelligence, and automation to detect and stop a wide variety of threats. These threats can include domain generation algorithm (DGA) domains, data exfiltration, look-alike domains, and many other types of attacks which leverage DNS. To find out more about BloxOne Threat Defense: https://www.infoblox.com/products/bloxone-threat-defense/
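To make the DNS-as-control-plane idea concrete, here is an added example (written for this blog post, not Infoblox product code) that runs three simple heuristics over a constructed DNS query log: high-entropy registrable labels that resemble DGA command-and-control domains, look-alike domains within two edits of an assumed protected domain list, and one client issuing many distinct long-label subqueries to one domain, a pattern associated with DNS tunnelling and exfiltration. The log lines, the client addresses and the `PROTECTED` list are all constructed for illustration.

```python
import math
# Constructed sample DNS query log (client IP, queried name); not real traffic.
SAMPLE_LOG = """10.0.5.33 xk3j9qz0vbwr7tp2lm.com
10.0.5.33 q8wz2nvx4ktp0rjl6b.net
10.0.5.40 4d657373616765203031.data.exfil-example.net
10.0.5.40 4d657373616765203032.data.exfil-example.net
10.0.5.40 4d657373616765203033.data.exfil-example.net
10.0.5.12 examp1e-county.gov
10.0.5.12 www.example-county.gov"""
PROTECTED = ["example-county.gov"]  # assumed: the organization's own domains

def entropy(s):  # Shannon entropy in bits per character; random DGA labels score high
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(name):
    """Crude eTLD+1 (last two labels); production code should use a public-suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def looks_like_dga(name):
    """Long, high-entropy, vowel-poor registrable label: typical of algorithmic C2 domains."""
    label = registered_domain(name).split(".")[0]
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return len(label) >= 12 and entropy(label) > 3.5 and vowel_ratio < 0.25

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike (typosquat) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(log):
    """Return (client, indicator, reason) tuples for DGA, look-alike and exfil patterns."""
    findings, per_domain = [], {}
    for line in log.splitlines():
        client, qname = line.split()
        domain = registered_domain(qname)
        if looks_like_dga(qname):
            findings.append((client, qname, "dga"))
        # Look-alike: within two edits of a protected domain, but not the domain itself.
        if any(0 < edit_distance(domain, p) <= 2 for p in PROTECTED):
            findings.append((client, qname, "lookalike"))
        per_domain.setdefault((client, domain), set()).add(qname)
    # Exfil heuristic: one client sends many distinct, long-label subqueries to one domain.
    for (client, dom), names in per_domain.items():
        if len(names) >= 3 and all(len(n.split(".")[0]) >= 16 for n in names):
            findings.append((client, dom, "exfil"))
    return findings
```

The thresholds are illustrative; in practice they are tuned against the organization's own baseline of resolver traffic and combined with threat intelligence rather than used alone.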
The PDF of the full FBI Cyber Division Alert 20220330-001 is here: https://www.ic3.gov/Media/News/2022/220330.pdf