The State of Ransomware in the Public Sector

Government agencies have seen plenty of ransomware attacks over the course of this past year. According to ZDNet, malicious actors used ransomware to target government entities more than any other sector in H1 2021. 

It’s therefore no surprise that ransomware infections among government organizations tripled in the first half of 2021 compared to the prior year. Things escalated even further in June of 2021. That month, public sector entities experienced 10 times as many ransomware attempts as organizations in other sectors, with growth at 917%. 

Why Ransomware Actors Target Government

There are a few reasons why ransomware attackers are setting their sights on public sector organizations. These types of entities tend to store highly sensitive information for large numbers of people, for instance. This makes the government sector an attractive target for malicious actors looking to monetize victims’ data on the dark web or leverage the threat of exposing the information in double extortion schemes.

Furthermore, governments are complex. They represent the intersection of different industries, noted GovTech, and they rely on third parties and contractors for ongoing projects. Such operational complexity expands the attack surface for government organizations, giving malicious actors plenty of attack vectors that they can use to infiltrate a target.

Why Government Organizations Suffer Ransomware Attacks

Many state and local government organizations don’t have the security basics in place. In 2019, for instance, a report issued by the State Auditor of Mississippi uncovered “disregard for cybersecurity in state government.”

Many public sector organizations at the state level lacked a security policy and recovery plan, said the report. They also didn’t perform required risk assessments or encrypt sensitive information at that time.

It was a similar story for U.S. local governments that year. According to a report from the University of Maryland, Baltimore County, “Serious barriers to their [U.S. local governments’] practice of cybersecurity include a lack of cybersecurity preparedness within these governments and funding for it.” 

It’s therefore not a surprise that over a third of local governments didn’t know how frequently a security incident occurred and that two-thirds of public entities at the local level didn’t know when they suffered a breach.

These findings are a concern given the emergence of complex RansomOps™, a very different animal from the commodity ransomware attacks of the past. Those were simple spray-and-pray operations that targeted individuals with small ransom demands and typically infected victims through spam phishing emails designed to trick them into clicking a malicious link or opening a tainted document.

Conversely, RansomOps are highly targeted, complex attacks, more akin to an APT operation, in which the attacker wants access to as much of the network as possible before detonating the ransomware payload and demanding a multi-million dollar ransom. As such, RansomOps tend to slip easily past weak ransomware defenses.

RansomOps typically include multiple players from the larger Ransomware Economy, each with their own specialization: Initial Access Brokers (IABs), who establish persistence and move laterally to compromise as much of a targeted network as possible, then sell access to the network to other threat actors; RaaS providers, who supply the ransomware and ransom payment mechanisms and even handle negotiations with the target; Affiliates, who contract with the RaaS provider and actually carry out the attacks; cryptocurrency exchanges that launder the ransoms; and so on.

How the Public Sector Can Defend Against RansomOps

In its Executive Order on Improving the Nation’s Cybersecurity, The White House wrote that Federal Civilian Executive Branch (FCEB) agencies “shall deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents” like ransomware attacks.

But ransomware attacks don’t just involve a single endpoint anymore, as RansomOps campaigns can spread throughout the network to impact cloud workloads, productivity applications, production environments and more.

With that said, the key to defeating complex ransomware attacks is having more than just prevention capabilities for known ransomware strains, or relying on the time-consuming and unreliable approach of “rolling back” the encryption after the payload detonates.

RansomOps require the ability to detect the earliest stages of the attack and/or the means to intercept a ransomware attack at multiple points in the kill chain: at ingress, during lateral movement, when user identities are compromised, at privilege escalation, when command and control is established, at the data exfiltration stage, and so on.
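The multi-stage interception the paragraph above describes can be illustrated with a small kill-chain correlator. This is an added example, not Cybereason code: it maps constructed endpoint telemetry events to the stages named in the text and alerts as soon as one host has shown two distinct stages, i.e. before any encryption payload has run. The event types, the event tuple format and the two-stage threshold are all assumptions.

```python
"""Kill-chain stage correlator (added example; event schema is assumed)."""
from collections import defaultdict

# Stage names follow the order given in the article; lower index = earlier stage.
STAGES = ["ingress", "lateral_movement", "identity_compromise",
          "privilege_escalation", "command_and_control", "exfiltration"]

# Assumed mapping from a telemetry event type to the kill-chain stage it indicates.
EVENT_STAGE = {
    "macro_spawned_shell": "ingress",
    "remote_service_create": "lateral_movement",
    "credential_dump": "identity_compromise",
    "token_elevation": "privilege_escalation",
    "beacon_dns": "command_and_control",
    "bulk_outbound_transfer": "exfiltration",
}

ALERT_THRESHOLD = 2  # distinct stages seen on one host before alerting (assumption)


def correlate(events):
    """Return {host: stages seen at alert time, in kill-chain order}.

    `events` is an iterable of (timestamp, host, event_type) tuples. Events
    are processed in time order; unknown event types are ignored. A host is
    alerted once, at the first moment it crosses the threshold, so the
    returned chain shows how early the detection fired."""
    seen = defaultdict(set)
    alerts = {}
    for _ts, host, etype in sorted(events):
        stage = EVENT_STAGE.get(etype)
        if stage is None:
            continue
        seen[host].add(stage)
        if host not in alerts and len(seen[host]) >= ALERT_THRESHOLD:
            alerts[host] = sorted(seen[host], key=STAGES.index)
    return alerts


# Constructed sample telemetry: ws-17 shows a progressing chain, srv-db only benign noise.
SAMPLE_EVENTS = [
    ("2021-06-01T08:00:00", "ws-17", "macro_spawned_shell"),
    ("2021-06-01T08:03:10", "ws-17", "user_logon"),
    ("2021-06-01T08:12:45", "ws-17", "credential_dump"),
    ("2021-06-01T09:30:00", "srv-db", "user_logon"),
    ("2021-06-01T09:31:00", "ws-17", "remote_service_create"),
]

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

Note that no encryption event appears in the sample at all: the alert fires on the second stage, which is the point of intercepting earlier in the chain rather than rolling back after detonation.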

Ransomware Requires an Effective Defense

The best way to minimize the potential impact from ransomware attacks is to detect and block them earlier in the attack sequence. The Cybereason Predictive Ransomware Protection solution detects the earliest indications of a ransomware operation and eliminates the threat with automated prevention in just milliseconds.

This is why Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting every customer from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture and every other ransomware family. 

Cybereason is dedicated to teaming with defenders in both the public and private sectors to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about the Cybereason Government advantage, see why the Cybereason Predictive Ransomware Protection remains undefeated against ransomware, browse our ransomware defense resources or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
