How COVID-19 is changing the game on ransomware

More money is needed to tackle the problem, especially as states deal with an unprecedented economic crisis caused by the pandemic. It's unclear whether Congress will foot the bill.

ransomware in cities
 

States, municipalities and critical infrastructure have borne the brunt of the ransomware, which historically has not been treated as a national security risk by federal policymakers until very recently.

Rob Knake, former Director of Cybersecurity Policy on the National Security Council under the Obama administration, said there was a perception that allowing cyber criminals to hit the lowest hanging fruit – ill protected municipalities, hospitals, companies and other institutions -- would provide incentives to drive better investment and security behavior from others.

"It really wasn't at the same level as say, Chinese espionage or Russian election interference. Those are the topics that the national security community had been focused on," said Knake at a May 4 webcast hosted by the Council on Foreign Relations.

Other than guidance about cyber hygiene, "we really haven't seen strong leadership coming from Congress or coming from the White House or for that matter the Department of Homeland Security," Knake said.

The financial pressures facing cities and states because of the coronavirus has changed this equation.

A number of lawmakers on Capitol Hill are pushing to include a dedicated pot of federal funding in future COVID-19 relief bills that states and localities can draw from to bolster protections. One such bill would set aside $400 million per year for states to tackle ransomware and other cyber threats.

Matt Pincus, Director of Government Affairs at the National Association of State Chief Information Officers, told FCW engagement from Congress and other policymakers around the issue has improved substantially following the high-profile ransomware attack on the City of Baltimore last year. However, one-size-fits-all solutions are hard to come by, as each state has their own policy on how employees should use personal devices, patch their systems and how to conduct telework safely.

"I would say that all the additional responsibilities of state IT [officials] since the pandemic began have exacerbated the amount of responsibility they have in the cybersecurity world," Pincus said in an interview.

NASCIO helped craft the $400 million funding proposal and has lobbied for lawmakers to include it in future coronavirus relief bills. One of the top asks the non-profit has heard from State IT leaders is the need for more training to school their employees on how to avoid phishing lures and other tactics that provide an initial foothold to ransomware actors. Pincus said multi-factor authentication, endpoint security, software patching tools and remote security assessments were also flagged as cybersecurity needs.

Referencing the Obama administration's "Cash for Clunkers" vehicle reimbursement program, Knake suggested Congress should approve a "Cash for COBOL" program to fund the replacement of outdated systems and code.

Adam Meyers, Vice President of Intelligence for cybersecurity firm CrowdStrike called ransomware "the single biggest threat that we've seen to enterprises today."

Over the past 18-24 months, cyber criminals have drifted away from other types of crime like bank fraud and wire fraud have transitioned their operations to ransomware and have increasingly targeted large entities that have an operational necessity to be up and running at all times. They leverage exposed services like Remote Desk Protocol or deliver banking Trojans and other malware spambots, all in service of an increasingly large payday.

"Ransomware actors have I think realized there's a cash cow in targeting many of these organizations, particularly when you get down to the state and local governments that may not necessarily have the cyber resources to protect themselves adequately…they're able to use that to their advantage to get these organizations to pay," said Meyers.

The Cyberspace Solarium report highlights confusion about accountability over ransomware is one of the major blind spots facing U.S. cybersecurity.

"Who is responsible for setting priorities (and providing funding) when it is necessary to 'turn the lights back on' following a major cyberattack… How do local hospitals, water treatment facilities, and municipal offices ask the federal government for assistance during a sustained ransomware campaign?" the report asks.

Pincus said NASCIO has historically gotten pushback from the Hill about subsidizing cybersecurity for state and local governments. His hope is that the COVID-19 pandemic has demonstrated that these entities are often on the front lines of processing benefits passed by lawmakers to deal with the crisis.

"The federal government charges the states to administer hundreds of federal programs…even funding that's in the CARES Act," he said. "If you want unemployment insurance to be distributed amongst citizens, you need to make sure that you have systems that are capable of doing it."

Rep. Dutch Ruppersberger (D-Md.) has successfully pushed for more federal funding to states and localities for their cybersecurity needs in the past and was one of four members who requested House leadership include regular grant funding in a future stimulus bill. A spokesperson for Ruppersberger's office told FCW they have not heard back from House leadership since sending the letter in mid-April.

"I think the challenge is going to be convincing members of the connection between the pandemic and ransomware," the aide said, noting that emphasizing how greater reliance on digital services by many states and municipalities during the lockdown offers one such avenue. "I think it's going to be a messaging battle."

A spokesperson for the House Homeland Security Committee said members are still pushing House leaders to include the bill in future spending packages.

One thing most agree on: all parties should do everything they can to avoid paying the ransom. Pincus said NASCIO's message to states is the same as those offered by the Cybersecurity and Infrastructure Security and other federal agencies: don't pay.

Knake said organizations today are paying a price for past decisions made by organizations who failed to heed that advice.

Criminal groups have "built these organizations starting from that $50 ransomware from your grandmother's computer, taking that money and reinvesting it in their capability and so what we're seeing today is the result of that," Knake said. "We have grown these criminal enterprises, we have paid their R&D budgets and now they are targeting us and we are in very bad shape."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.