
CALL TO ACTION UPDATE – Doing your part about civic ransomware

Does the all caps “CALL TO ACTION UPDATE” get your attention? It’s supposed to.

The facts:

  1. The call to action still stands.
  2. Our municipalities are still under siege.
  3. The ransomware threat is far from abated.
  4. Too many communities are under-prepared.

You aren’t powerless. You have options.

  1. You can sit there and do nothing, playing the victim.
  2. You can point fingers and complain, playing the critic.
  3. You can wait for somebody else to do something, playing the sluggard.
  4. You can be part of the solution by doing something constructive, playing the responsible citizen. In my opinion, this is the best option.

If you choose (or have chosen) option 4, pen an email to your local government officials. Respectfully ask them how they’ve prepared for an eventual ransomware attack. If you are willing and able, offer to help them if they need it. If you aren’t willing or able to help them, refer them to one of us who is willing and able to help them.

Follow the guidance in my previous CALL TO ACTION article or follow your own charge.

For those of you who choose to do nothing, you have no right to play the victim card or complain. You give up those rights, in my opinion.

UPDATE

Now for the update. Many of you have taken me up on the CALL TO ACTION. You have emailed your local government officials and you’ve shared some of their responses with us at unsecurity@protonmail.com.

Kudos to you for choosing option 4 (above)!

Here are some of the responses that have been shared with us, protecting the names of the innocent/guilty.

Response from a small city in a rural area:

We are familiar with these attacks on cities and we utilize network security professionals to protect our systems. We also utilize a firm to audit us and test for gaps or issues proactively as well as routinely backing up and storing our data off site to protect against ransom demands and other risks.

Not too bad. The resident followed up with the city to gain more insight and offer help. Nice work!

Response from a medium-sized U.S. county:

Thanks for reaching out. No organization can claim with 100% certainty that they are protected from any cyberattack. However, this is a very front and center topic for <REDACTED> County, and many efforts have been taken to reduce our risk and exposure to various kinds of cyber attacks, including Ransomware.

The County does not have a defined policy regarding what they would do if faced with this decision (in fact none of the metro counties have one, last time I checked), but in my conversations with Administration I do not believe paying a ransom would be an option they would choose.

Hope that helps answer your question.

This is good to know, yes? Someone (why not us/you) should work with this county to address the issue, and while we’re at it, address the issue with all “metro counties”. Kudos to this county official for responding with some transparency!

Response from a mid-sized suburban city:

Thanks for the email. For the security of the City’s network and systems, we follow the recommendations set by the <REDACTED – state’s criminal justice system>. We also use a third party vendor that does penetration testing against our firewall to try to stay ahead of the malicious attacks. We conduct staff cybersecurity training with this third party vendor to ensure our staff is behaving appropriately as well.

OK, maybe not a great response, but a response nonetheless. It speaks to firewall penetration testing and staff training but says nothing about backups or recovery, so it didn’t really address the ransomware preparedness question directly. Still, a conversation has begun. The resident will be following up. Making a difference!

Response from another mid-sized city:

Thank you for your email. The City of <REDACTED> has a multi-faceted approach to cybersecurity. We have improved security both internally and externally. While no system is immune from attack, we are actively scanning and patching for vulnerabilities. A specific key to protecting against ransomware is to have good, frequent, and tested backups. We maintain a healthy backup system and in the case of a ransomware attack being successful, could restore lost data as needed. It is our policy to not pay ransomware demands. Our <REDACTED> has made security a top priority, and has taken many steps to enhance the City’s security posture. This includes revamping the firewall and anti-virus infrastructure. We continue to take cybersecurity very seriously, and are constantly striving to keep our data secure and protected against attack.

Not bad. Another conversation starter and another difference made, even if a small one.

Final Words (for now)

Responses from good citizens continue to come in to our mailbox (unsecurity@protonmail.com) and we’re encouraged by the actions some of you are taking! For those who haven’t yet reached out to your local government officials, get on it! Again, you can follow the guidance here if you want.

The problem isn’t going away. Here’s some recent news about ransomware and our local communities:

My other related posts in chronological order:

OK, the rest is up to you (or not). That’s the way it is.

CALL TO ACTION – Do Something About Civic Ransomware

Another city ransomware attack, another payment to the attackers. Another win for the bad guys, and another loss for the rest of us. The question is, are you going to do anything about it?

This time the news comes from Lake City, Florida. The 12,000+ citizens of the small(ish) northern Florida town will foot the 42 bitcoin (~$500,000) bill for the city’s poor preparation. Actually, insurance will cover the direct cost and the city only pays $10,000. Chalk up another loss for U.S. cities (and their citizens). The money the attackers walk away with will most certainly be used to attack other victims, including other cities. Oh, and as far as insurance goes, we all pay a price in higher insurance premiums and limited coverage options. Insurance companies aren’t in the business of losing money.

The quote of the day: “I would’ve never dreamed this could’ve happened, especially in a small town like this” – Lake City Mayor Stephen Witt.

(BTW, I don’t view this as his fault. We, the information security community, obviously failed in reaching him with the message)

Additional details of this latest ransomware payment:

So, what are YOU going to do about this? Yes, you! When I refer to “you”, I’m referring to everyone/anyone, security people and non-security people alike. All of us are in this together.

Should you wait until your city gets hit? Or do you believe the false narrative that it will never happen to you or your city?

Will your mayor or local government official be quoted on the news, having “never dreamed” that such a thing could happen?

DO SOMETHING – START HERE

Earlier this week, I posted an article about an email that I was going to send to my city and county officials. I sent the emails a couple of days ago, but haven’t heard anything back yet. Not to worry, I’m determined (and so should you be).

One of the things I didn’t really expect was for people to follow my lead. It was impressive to read and hear about people who took this as a call to action. They’ve been inquiring of their local governments about ransomware protections too! That’s great news! So far, more than a dozen people have told me that they have written their city and/or county government. Some are even getting good responses back.

Here’s what I’m asking you to do:

  • If you haven’t emailed your city and county government officials (inquiring about their ransomware readiness), PLEASE DO IT.
  • If you’ve emailed your city and/or county government officials, but haven’t received a response within a few days, PLEASE EMAIL AGAIN. Stay engaged until you get an answer.
  • If you’ve emailed your city and/or county government officials, and have received a response PLEASE SEND THE RESPONSE TO US. You can send it to us through the UNSECURITY Podcast email address (unsecurity@protonmail.com).
  • No matter what you do, please follow these rules:
    • DO – Always be courteous.
    • DO – Always be respectful.
    • DO – Help if you can.
    • DO – Remember the goal, we are trying to help and we are trying to prevent more occurrences of the Atlanta, Baltimore, Riviera Beach, and now Lake City ransomware events.
    • DO – Ask us questions and make suggestions (unsecurity@protonmail.com).
    • DON’T – Try to answer questions that you don’t feel (or know you’re not) qualified to answer. Email unsecurity@protonmail.com, and we’ll find a good resource/answer for you.
    • DON’T – Use threatening language or insinuate threats of any kind.

EMAIL TEMPLATE

Feel free to use this sample email template that I used or create your own.

———-START EMAIL———-

Dear <INSERT NAME>,

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you.

How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack?

I ask you because there has been a rash of ransomware attacks that have hit city governments recently. The most current ones being the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/), the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers), and Lake City, Florida (https://www.cbsnews.com/news/ransomware-attack-lake-city-florida-pay-hackers-ransom-computer-systems-after-riviera-beach/). I hope we’ve planned well and will not pay a ransom (even through insurance) if/when an attack were to occur. Rather than reacting to such an occurrence, I’m hoping that our <CITY/COUNTY> has planned ahead.

Although I work in the information security field, I have no interest in selling anything. I’m just a concerned/interested citizen. If I can help, I will.

Thank you for making <CITY/COUNTY> a great place to live!

Respectfully,

-<YOURNAME>

———-END EMAIL———-

Let’s make this a way we can start fighting back against criminals who are fleecing our cities and our friends. This is only the start. Next steps come after getting responses.

Again, we are all in this together. Please be helpful, respectful, and courteous.


Ask Questions – Get Answers (hopefully)

Yesterday I wrote a pointed blog post about ransomware (Don’t Suck – Stop Paying Ransoms) and how it ticks me off when people pay a ransom to an attacker. This morning we recorded episode 33 of the UNSECURITY Podcast about the same subject. During the discussion with Brad on the show, I made the comment that I was going to email my local government officials to inquire about how they will avoid the same mistakes that the City of Baltimore and the City of Riviera Beach made.

Here’s the email that I wrote. I encourage you to write your local government officials too. Accountability is good for everyone.

I sent this email to my City Administrator and the County Administrator where I live.

———-START EMAIL———-

Dear <INSERT NAME>,

Hope you are well.

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you. How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack? I ask because there has been a rash of ransomware attacks that have hit city governments recently. The most current ones being the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/) and the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers). As a citizen, I hope we’ve planned well and will not pay a ransom if/when an attack were to occur. Although I work in the information security field, I have no interest in selling anything. Just a concerned/interested citizen is all.

Thank you for making <CITY/COUNTY> a great place to live!

-Evan Francen

———-END EMAIL———-

I’m sharing this because I hope it will motivate you to do the same thing in your city and/or county. Please be helpful, respectful, and courteous. Once I get an answer back, I will probably offer free help. We’ll see.

Don’t Suck – STOP Paying Ransoms

So, in case you haven’t heard, we have this problem. Yeah, there’s this thing called ransomware, and it’s sort of all over the news.

    • Ohio-based NEO Urology paid a $75,000 ransom
    • Colorado-based Estes Park Health (EPH) – they had an incident response plan, but the insurance company paid the ransom. EPH paid the $10,000 insurance deductible for their ransom payment, but it’s not known how much the attacker’s ransom was.
    • Boston-based ResiDex Software – the ransomware attack was discovered on April 9th but was only disclosed this past week. ResiDex appears to have restored their systems from backup, not paying the ransom.
    • New York-based Olean Medical Group – they were hit this past week, and it appears they won’t pay the ransom. According to news reports, “Olean plans to begin setting up a new system and will work to regain the encrypted records to populate a new computer system, helped by partner healthcare providers.”
    • Seneca Nation Health System – calls their attack a “computer system failure” (the computer system wasn’t what failed, just sayin’). Not sure if there are plans to pay, but the CEO says “We are working feverishly to rebuild our system”.
    • California-based Shingle Springs Health and Wellness Center (SSHWC) – reported that their ransomware attack affects all 21,513 patients, but I don’t think they’re planning to pay the ransom. SSHWC is working to restore their systems by installing new servers and putting workstation upgrades on a “fast track”.

Then there’s this particular attack and response that caught my attention this past week.

The Riviera Beach City Council voted unanimously this week to pay the 65 bitcoin (more than $600,000) ransom.

At what point do we say enough is enough? What’s your excuse for not preparing or planning for a ransomware attack? It’s not like you don’t know that they’re a problem.

What would be your acceptable excuse for not planning for a ransomware attack?

Simple answer. There is no valid excuse. Stop looking for one and stop making sh_t up. If you’re offended, maybe that’s good. It’s the truth. You might have all sorts of excuses that you think are legitimate, but they’re all BS. You’ve run out of excuses. Legitimate or not, here are some common ones that people try to pass off:

  1. Management support – you couldn’t get management to “buy in” and do the right thing. Sorry, not a valid excuse. Part of your job is to get management buy in, and you failed. If management has their heads so far up their @55, you should find another place to work where they will champion security. To management – get your head out of your @55, you’re not helping your company, your customers, your partners, or anyone else.
  2. Priorities – you have so much stuff on your plate, that you couldn’t get around to protecting yourself from ransomware. Hard to fathom how good information stewardship isn’t a top priority. I know you might have a thousand other things too, but ransomware protection should be near the top. If it isn’t, revisit your priorities and get to it.
  3. We don’t know how to protect ourselves – take the Ransomware Readiness Assessment that I mention at the end of this post/article or read some self-help articles online (there are hundreds of them).
  4. We have insurance – good for you. That’s probably prudent, but it will never make up for your lack of stewardship. When your insurance company pays, we all pay. Insurance companies aren’t in the business of losing money, so they’ll just jack up the rates and everyone will pay more. Simple economics, right?
  5. You need help – don’t we all? This isn’t as much of an excuse as it is an admission. It’s an excuse if you don’t do anything about it. There are hundreds of online articles full of good advice, and there are probably hundreds (if not thousands) of security professionals that would love to help. Heck, I’m not writing this article for my health. If anything, it’s probably bad for my health (you know, blood pressure and stuff).

Choices

If you get hit with ransomware, you have one of five choices:

  1. Take your chances by paying the ransom. This is a terrible choice (read below), but it is a choice nonetheless.
  2. Don’t pay the ransom and follow a planned and tested incident response process. At a minimum, that process should include investigation (finding how the attackers got in and what they reached), containment, eradication, and recovery from backups you have actually tested.
  3. Don’t pay the ransom and struggle mightily because you didn’t plan well. Think Baltimore, Atlanta, and hundreds of other organizations that paid hundreds of thousands (or millions) of dollars in attempted recovery operations.
  4. Start over. Only differs from the previous choice because recovery efforts, in terms of data recovery, are no longer on the table.
  5. Shut down operations. Sadly, I’ve seen this more than once, and once was too many times.

There is only one good option among the five. That’s option #2, don’t pay because you can recover. You planned, you’re a good steward of the information entrusted to you (at least in this respect), and you serve your organization well.

The other four options are bad ones, but if you didn’t plan well, option #2 is off the table anyway.

The first option was the only one that considered paying the ransom, while the other four options did not. So, if you didn’t plan well, you must decide whether to pay the ransom or not.

Not paying the ransom

You either prepared well, or you didn’t.

  • If you did, then kudos to you. You’re more likely to be back up and running within a relatively short period, and your organization owes you a big debt of gratitude.
  • If you didn’t, you’re in for a doozy of a response. Get out your checkbook, because it’s probably going to get expensive. It might be so expensive, in fact, that your organization may not survive the ordeal.

The key is planning well! If you didn’t properly protect your data (tested, air-gapped/offline backups that the production environment’s credentials cannot reach or delete; least-privilege access control; etc.), and if you didn’t plan, you’re a poor steward of the information that’s been entrusted to you. You should slap yourself (hard), update your resume, and maybe find another line of work. People have suffered and/or will suffer because of your poor choices.
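“Tested backups” is the one control that every decent response above leans on, so here is what the test actually looks like. This is an added example in Python, not code from the original post or from FRSecure: it backs up a constructed sample directory into a tar archive with a SHA-256 manifest, restores it into a scratch directory and verifies every file, flags a backup older than an assumed 24-hour recovery point objective (RPO), and refuses an archive whose entries would write outside the restore directory. The file names, the RPO value and the hostile archive are assumptions made for the demonstration.

```python
"""Backup restore test: a backup counts only once you have restored from it.

Added example, not from the original post. Sample data, the 24h RPO and the
hostile archive are constructed for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Tar the source tree and write a manifest of {relative path: sha256}."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    meta = {"created": time.time(), "files": files}
    manifest_path(archive).write_text(json.dumps(meta))
    return meta


def restore_test(archive: Path, max_age_hours: float = 24.0) -> dict:
    """Restore into a scratch dir and verify; an untested backup is a hope, not a plan."""
    meta = json.loads(manifest_path(archive).read_text())
    age_hours = (time.time() - meta["created"]) / 3600
    problems = []
    if age_hours > max_age_hours:
        problems.append(f"backup is {age_hours:.1f}h old, exceeds {max_age_hours}h RPO")
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            safe = []
            for m in tar.getmembers():
                # Refuse entries that could write outside the scratch directory
                # (absolute paths, '..' components, symlinks, devices).
                if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                    problems.append(f"unsafe archive entry: {m.name}")
                else:
                    safe.append(m)
            tar.extractall(dest, members=safe)
        # Every file the manifest promises must come back byte-for-byte.
        for rel, expected in meta["files"].items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return {"files_checked": len(meta["files"]), "age_hours": age_hours,
            "problems": problems, "ok": not problems}


def demo() -> dict:
    """Three scenarios: healthy backup, stale backup, hostile archive."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "cityhall"  # constructed sample data
        (src / "permits").mkdir(parents=True)
        (src / "permits" / "2019.csv").write_text("id,owner\n1,J. Doe\n")
        (src / "payroll.db").write_bytes(bytes(range(256)) * 4)
        (src / "gis.shp").write_bytes(b"\x00\x01" * 1000)

        good = work / "backup-good.tar.gz"
        create_backup(src, good)
        results["good"] = restore_test(good)

        # Same data, but pretend the backup ran two days ago: fails the RPO.
        stale = work / "backup-stale.tar.gz"
        create_backup(src, stale)
        meta = json.loads(manifest_path(stale).read_text())
        meta["created"] -= 48 * 3600
        manifest_path(stale).write_text(json.dumps(meta))
        results["stale"] = restore_test(stale)

        # A path-traversal entry must be refused, never extracted.
        hostile = work / "backup-hostile.tar.gz"
        with tarfile.open(hostile, "w:gz") as tar:
            tar.add(src / "gis.shp", arcname="../../etc/evil")
        manifest_path(hostile).write_text(json.dumps({"created": time.time(), "files": {}}))
        results["hostile"] = restore_test(hostile)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "OK" if r["ok"] else "FAIL", r["problems"])
```

The hash check proves that a restore reproduces what was backed up; it does not prove that what was backed up was healthy. Ransomware that encrypted files before the nightly job ran gets backed up faithfully, so keep several generations, keep at least one copy where the production host’s credentials cannot overwrite or delete it, and rehearse the restore on a schedule rather than on the day you need it.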

Paying the ransom

Maybe you planned (or think you planned) and paid the ransom anyway. Take Estes Park Health (noted above) for instance: they claimed to have an “incident response program”, but paid the ransom anyway (or their insurance company did).

What’s wrong with this picture?!

Maybe they thought they had planned but didn’t, or maybe the plan just sucked. If you didn’t plan, or you didn’t plan well, you find yourself in a pickle.

We cited two examples earlier where the organization paid the ransom; Estes Park Health (EPH) and the City of Riviera Beach (FL). It appears from the news reports that one of the two might have had a choice in paying, while the other one did not appear to have a choice.

Estes Park Health (EPH) – the organization was hit by a ransomware attack on June 2nd. According to their own investigation, there was no data exfiltrated (common). The source of the attack wasn’t disclosed, but it was discovered (allegedly) when an on-call IT technician logged in from home and noticed files encrypting live, while he/she was on the system.

Sounds like just about everything was locked up; phones, network access, imaging files, etc. According to one news report, EPH had an “incident response program”, but determined at some point that “the only way to restore the software in the clinic and the only way we were able to restore the imaging and so forth is because our insurance company paid the ransom money and we were able to get the keys to unlock those files.”

No other significant details are available, like the type of ransomware used, how the ransomware got in, how much was paid, or what the “incident response program” called for. Two things are certain:

  1. The “incident response program” sucked.
  2. The criminals won.

Not only did the insurance company pay the ransom, it paid two ransoms! EPH discovered more locked files while decrypting its systems, and the insurer paid a second time.

Riviera Beach City Council – on June 20th, it was reported that the Riviera Beach City Council voted unanimously to award attackers more than $600,000 for the privilege of accessing their own files. Attackers had broken in three weeks prior, and at some point, locked things up. The attackers held some or all of the data entrusted to the city for ransom. Like most cases, the city had been working with “security consultants”, and it was determined the only way to decrypt the information was to pay the ransom.

The attack began on May 29th, when an employee at the Riviera Beach police department opened a malicious email. Initially, the city council decided to not pay the ransom, but due to the difficulties in restoring the operations, they eventually opted to pay.

Interesting isn’t it? By proxy, it’s the police paying criminals. Supposedly, the payment is being covered by insurance, but so what?

If you pay the ransom, you suck

People don’t like to be told that they suck, because it sucks to suck. Maybe not sucking will motivate you to change some things and be better.

There are at least four reasons why paying a ransom pisses me off, and why it should piss you off too:

  1. You fund future attacks (against me and my friends). What do you think the attackers will do with the money they collect from you? They’ll take some for their own enjoyment, then they’ll funnel the rest into making their future attacks more effective. If you don’t pay, they have no money. Simple, right? If you think this is only about you, you’re selfish. Selfish people suck.
  2. It shows that you’re not a good steward. Somebody entrusted you with information, and they deserve better. The information (in most cases) isn’t yours, it belongs to someone else. If you can’t take good care of it, you shouldn’t have it. If you need it to run your business, then maybe you shouldn’t be in business.
  3. Attackers win. You might not be as competitive as I am, but you have to admit that it sucks when some jerk beats you at something. If the game was fair and you lost to a good person in a straight-up competition (like chess with a buddy), that wouldn’t be so bad. Here, you lost to a straight up jerk face and there’ll be no gentlemanly handshake at the end. You got taken and you’ll have to just suck it up (or just suck).
  4. Money that can’t be used for good. Every dollar we spend on information security is precious. Businesses are in business to make money and/or serve a mission. Money diverted from either one of these two purposes takes away from your ability to succeed. What could the City of Riviera Beach have done with the $600,000+ if it were spent on something worthwhile? Wouldn’t the taxpayers rather have a nice new community pool, better streets, a few more safety personnel, etc.? Nope.

There are more reasons why we don’t pay ransoms, see what you can come up with yourself.

Now what?

Get to work. Do what you can to protect your organization from a ransomware attack and plan for one if (when) it were to occur.

Don’t know where to start?

Try our free FISASCORE® Ransomware Readiness Assessment

There aren’t any strings attached, there isn’t any registration required, and it’s freely distributable through a Creative Commons License (so, share it too!). I whipped this thing up in early 2017 for a bank customer then forgot I had it.

Are there other obstacles in your way?

Identify the obstacles and figure out how to remove them, go around them, go under them, etc.

Need help?

Reach out to any number of us information security people. Many of us will help you, including myself.

Moral of the story is 1) prepare and plan, 2) DO NOT pay ransoms, and 3) we’re all in this together. Good luck!