Ransomware attacks in the public sector have become increasingly common in recent years, with government agencies, healthcare organisations, and educational institutions being frequent targets. However, the public sector has always been a target for cybercriminals intent on data theft and criminal damage. This is verified by Verizon in their Data Breach Investigations Report 2020 (DBIR), with public administration being one of the most targeted industries, and ransomware being the most prevalent attack type. A report by Darktrace concurs, stating that in 2020 “local governments were the biggest target of ransomware attacks”.
Ransomware is a dangerous and insidious malware type that is becoming more prevalent across all industries. The nefarious actors behind the malware are also becoming more adept at extracting a ransom, not only by encrypting data but stealing it too. Here, we look at the impact that ransomware is having on the public sector and what can be done to mitigate this impact.
Why the Public Sector is at Risk of Ransomware Attacks
It can be difficult to get information on the true extent of cyber attacks in public offices. However, back in 2019, the security vendor, SolarWinds, performed a Freedom of Information request. The data returned had some interesting insights: whilst around one-third of respondents had experienced no cyberattacks, an increasing number experienced over 1000 targeted attacks.
Most of these attacks were in the form of phishing and malware. This was despite having traditional cyber security measures, like firewalls and antivirus software, in place. The research clearly shows that the public sector is on the radar of cybercriminals, and ransomware, being a current favourite malware, is a serious threat to the sector.
Recent high-profile attacks, such as the ransomware attack on the US utility company Colonial Pipeline, demonstrate the lengths that ransomware gangs will go to. In this cyber attack, data was not only made inaccessible through encryption, disrupting operations, but was also stolen and used as leverage to add pressure to pay the ransom.
A report from IBM X-Force found that 59% of ransomware incidents involved data exfiltration before the encryption event occurred. Colonial Pipeline was a good target for ransomware as it performs a critical infrastructure role. Similarly, public service industries are a critical infrastructure, providing important citizen services that are data-dependent: this point is not lost on ransomware gangs.
Public services such as school districts, healthcare institutions, and even local councils are all targets for ransomware attackers. A recent attack involved Ireland’s health system. The attack, suspected to be carried out by a hacking gang known as Wizard Spider, left hospitals without computers for over a week.
In a similar manner to the Colonial Pipeline attack, the hackers encrypted data and stole large amounts of information to increase the pressure to pay the $20 million (£14 million) ransom. In 2020, a ransomware attack affecting Redcar and Cleveland council ended up costing the council an estimated £10 million: the costs incurred included downtime and reductions in enforcement incomes.
Ransomware-as-a-Service in the Public Sector
The public sector covers a wide range of organisation types, from healthcare to local councils to policymakers and schools. The public sector, therefore, offers threat actors a variety of opportunities, not only to disrupt and extort but also to steal data.
Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC), recently said in a speech at the Royal United Services Institute (RUSI) Annual Security Lecture, that the rise in ransomware was due to a “cumulative effect” as organisations failed to deal with the ever-increasing sophistication of ransomware attacks.
Public sector organisations are at risk from more sophisticated attacks that include ‘Ransomware-as-a-Service’ (RaaS). These ransomware ‘kits’ make creating ransomware campaigns much easier: anyone who wants to get in on the ransomware act can do so for the price of a monthly fee and a cut of the ransom.
In her speech, Cameron notes that RaaS is fuelling the increase in ransomware attacks. Of these RaaS kits, some are specially designed to target the government and public sector. An example is Eking RaaS, identified by Darktrace as being used to target government services in the APAC region.
How to Protect the Public Sector from Ransomware Attacks
The DBIR points out that in 85% of data breaches a human being is involved. The human factor is evident in many cyber-attack types, including ransomware: an errant click in a malicious email is often the beginning of the ransomware nightmare.
As ransomware attackers focus on data theft as well as encryption, the ‘human in the machine’ becomes ever more important as a way into an organisation. Phishing is a favourite attack vector of hackers because it works. In the latest DBIR, for 2021, Verizon points out that phishing and ransomware were again prevalent; in public administration attacks, social engineering is the preferred vector, used in 69% of breaches.
Ransomware delivery and infection enter through several routes, but as mentioned, phishing is one of the most common. A survey using managed service data found that 54% of ransomware attacks began with a phishing email: poor user practices (27%) and lack of security training (26%) were the next most common issues that led to ransomware infection.
Preventing Ransomware Attacks in the Public Sector
Preventing ransomware in the public sector is about reducing risk. Security risk is reduced using a socio-technical approach, mirroring the way that hackers attack the public sector and other industries through a combination of social engineering and technical vulnerabilities.
Alleviating the core vectors of ransomware infection begins with an exceptional security culture, driven by delivering effective security awareness training to all staff. This is augmented by best-of-breed security tools that meet the requirements of security standards and regulations such as ISO 27001.
Ransomware attacks in the public sector are here to stay until organisations stop being infected and stop paying the ransom. In data-dependent sectors, such as public and government, the latter can be a hard choice to make. This means that structures must be put in place to mitigate the chances of a successful ransomware infection.