Ransomware Attacks Strain U.S. Governments and Local Utilities

The FBI is notifying Government Facilities Sector (GFS) partners of cyber actors who are carrying out ransomware attacks against local government agencies that have resulted in disrupted operational services, public safety risks, and financial loss. Ransomware attacks on local government entities and the resulting impacts are particularly significant due to the public’s reliance on critical utilities, emergency services, educational institutions and other services overseen by local governments, making them attractive targets for cybercriminals. Victimization incidents reported to the FBI between January and December 2021 indicated that local government entities within the GFS were the second most victimized group behind academia.

In 2021, the US local government agencies victimized were primarily smaller counties and municipalities, which was likely indicative of their cybersecurity resource and budgetary limitations. The 30-country “The State of Ransomware in Government 2021” survey, conducted by an independent research group commissioned by a UK-based company, found that remediation of a ransomware attack against a local government often included financial liabilities related to operational downtime, people time, device costs, network costs, lost opportunities and, in some cases, ransoms paid. Additionally, the survey found that local governments were the least able to prevent encryption and recover from backups, and had the second highest rate of ransom payment compared to other infrastructure sectors. According to a US-based media source reporting on state and local governments, the understaffed and outdated systems of underfunded public sector organizations often put them in the position of paying ransoms just to recover the data.

Recent reports indicate that ransomware incidents against local governments have resulted in disruptions to public and health services, emergency and security operations, and the compromise of personal data. These types of attacks can have a significant impact on local communities by straining financial and operational resources and putting residents at risk of further exploitation.

  • In January 2022, a US county took computer systems offline, closed public offices and conducted emergency response operations using “backup contingencies” after a ransomware attack impacted local government operations. The attack also disabled the county jail’s surveillance cameras, data collection capabilities, internet access, and automated doors, leading to security issues and a lockdown of the facility.
  • In September 2021, cyber actors infected a US county network with ransomware, shutting down the county courthouse and stealing a significant amount of county data (including personal information of residents, employees and suppliers). The actors released the data on the Dark Web when the county refused to pay the ransom.
  • In May 2021, cyber actors infected local government systems in US counties with PayOrGrief ransomware, rendering some servers inaccessible and limiting operations. The attack disabled online services, including scheduling COVID-19 vaccination appointments, and the attackers claimed to have 2.5 gigabytes of data, including internal documents and personal information.
  • In January 2021, cyber actors infected local government systems in US counties with ransomware that compromised computers in prisons and courthouses in addition to election, assessment, financial, zoning, law enforcement, prison management, dispatch and other files. The attack impacted the Sheriff’s Department’s records management program and the county clerk, treasurer, and computer supervisor of the Office of Assessment and Public Defender. The ransomware note stated that the files would be deleted after two weeks if the ransom was not paid.

Ransomware tactics have evolved and will continue to evolve, as noted in the February 2022 Joint Cybersecurity Advisory (CSA) by government agencies in the United States, Australia, and the United Kingdom. The top three infection vectors in 2021 were phishing emails, exploiting protocols, and exploiting software vulnerabilities. These have likely been exacerbated by the ongoing remote work and learning environments that have expanded the attack surface and challenged network defenders. In 2021, actors broadened their targeting tactics and widened the scope of victimization potential by implementing fee-for-service business models, sharing victim information across actor groups, diversifying victimization strategies, extortion and attacking upstream/downstream access and data sources such as cloud infrastructure, managed service providers and software supply chains.

Over the next year, local government agencies across the United States will almost certainly continue to be subject to ransomware attacks, particularly as malware deployment and targeting tactics evolve, further endangering public health and safety and entailing significant financial liabilities. The FBI has the opportunity to disrupt some of this activity by leveraging partnerships with domestic and foreign governments, as well as the private sector, to more effectively identify actors, finance, and infrastructure.
