The FBI discourages local governments from paying ransoms.

Edward Gately, Senior News Editor

April 1, 2022


The FBI is warning of cyber actors increasingly conducting ransomware attacks on local government agencies. The attacks have resulted in disrupted operational services, risks to public safety, and financial losses.

The FBI issued the warning to U.S. government facilities sector (GFS) partners. Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities and other services overseen by local governments. That makes them attractive targets for cybercriminals.

Victim incident reporting to the FBI between January and December of 2021 indicated local government entities within the GFS were the second-highest victimized group behind education. These types of attacks can have significant repercussions for local communities. They strain financial and operational resources, and put residents at risk for further exploitation.

Specific Local Attacks

The FBI warning cites specific attacks:

  • In January, a U.S. county took computer systems offline, closed public offices and ran emergency response operations using backup contingencies after a ransomware attack impacted local government operations. The attack also disabled county jail surveillance cameras, data collection capabilities and internet access. Moreover, it deactivated automated doors, resulting in safety concerns and a facility lockdown.

  • In September 2021, cyber actors infected a U.S. county network with ransomware, resulting in the closure of the county courthouse and the theft of a substantial amount of county data. That included personal information on residents, employees and vendors. The actors posted the data on the dark web when the county refused to pay the ransom.

  • In May 2021, cyber actors infected local U.S. county government systems with PayOrGrief ransomware. That made some servers inaccessible and limited operations. The attack disabled online services, including scheduling of COVID-19 vaccination appointments. The attackers claimed to have 2.5 gigabytes of data, including internal documents and personal information.

The top three initial infection vectors in 2021 were phishing emails, remote desktop protocol exploitation and software vulnerability exploitation. Continued remote work and learning environments likely are exacerbating threats. This already has expanded the attack surface and challenged network defenders.

In the next year, local U.S. government agencies almost certainly will continue to experience ransomware attacks, particularly as malware deployment and targeting tactics evolve, the FBI said. This will further endanger public health and safety, and result in significant financial liabilities.

Paying Ransoms Discouraged

“The FBI does not encourage paying ransoms,” it said. “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

However, the FBI said it understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.

Local government agencies should proactively initiate contingency planning for operational continuity in the event of a ransomware attack.

Tim Erlin is vice president of strategy at Tripwire.

“This FBI [warning] provides a laundry list of recommendations that align with most of the best practices for cybersecurity,” he said. “But it can be difficult for organizations, especially larger ones, to keep track of the implementation of all of these controls. It’s important to remember that there are valuable community resources like the Center for Internet Security (CIS) and the NIST Cybersecurity Framework that can help give your cybersecurity initiatives some structure. While responding to an alert from the FBI is good, being prepared before the alert is issued is better.”

Cybercriminals to Always Target Critical Services

James McQuiggan is security awareness advocate at KnowBe4. He said organizations that provide critical services will always be a target for cybercriminals. That’s because of the capability of disrupting or damaging that environment.

“It has been evident that cybercriminals will go after smaller government organizations because of the lack of robust security programs or training programs for their users,” he said. “It is crucial that funding be available to shore up their defenses with security software updates and phishing assessments to reduce the risk of the common style of attacks that cybercriminals utilize.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
