Texas Ransomware Attack Presents Opportunity for MSSPs, Other Providers

Ransonware attacks hit 22 Texas cities last weekend with evidence pointing to a single threat actor as the impacted entities struggle to return to normal operations.

According to the Texas Department of Information Resources (DIR), as of Tuesday, more than 25% of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number back to operations as usual. Most of those targeted by the ransomware attacks were smaller local governments.

Because this is an ongoing federal investigation, DIR said it can’t provide additional details about the attack.

According to NPR, those responsible are demanding a collective ransom of $2.5 million, and so far there are no indications that the amount has been paid.

Imperva’s Terry Ray

Terry Ray, senior vice president and fellow at Imperva, tells us there already have been at least 23 reported cyberattacks on the public sector in 2019, from Fisher County, Texas, to Flint, Michigan, to Albany and Baltimore, and now towns all across Texas. It’s only a matter of time before cities realize they can’t afford these infections and dedicate the resources needed to improve their security posture, he said.

“MSSPs and cybersecurity providers can help by making advanced data security solutions available, accessible and easy to implement for city governments,” he said. “These attacks should present an opportunity to MSSPs and providers. Like any cyberincident, the victims should execute a remediation plan, as well as a risk-based review of all critical assets, especially data, and how it’s accessed and stored. Security service organizations are almost always going to be equipped to provide enterprise level security for any size organization. Though, I’ll add, that no security is 100%. Organizations simply work to reduce risk to an appropriate level based on the asset.”

Chet Wisniewski, principal research scientist at Sophos, said starting with his company’s research from 2018 on the SamSam ransomware crew, “we began to see a shift in the threatscape to a new generation of ransom attacks.”

Sophos’s Chet Wisniewski

“As we dove deeper, we predicted the convergence of bespoke ransomware attacks into what we are now calling automated, active attacks (AAA),” he said. “These attacks netted larger and larger ransoms, but at a much smaller volume than previous ransom schemes. Recently, we began seeing a rise in supply chain compromise as a method of increasing the scale of attacks without increasing the workload on the criminal’s resources. Sadly, our prediction that this would likely escalate has proven true as we observed with the Texas municipality attacks this week.”

Shared/managed services are critical to improving security at many organizations, especially municipalities that cannot afford enough full-time security staff and need top expertise, Wisniewski said. However, they must be held to account for the privileged access they have been granted, he said.

“Too often, shared service providers have shared credentials for staff to obtain remote access to systems, exposed remote access services for convenience and one set of administrative credentials that are the keys to not just their own kingdom, but to all who have placed their trust in them,” he said. “This makes them ideal targets for criminals as we have seen previously with cloud service providers and payment services firms.”

All shared service providers should be required to use multifactor authentication (MFA) in combination with VPNs for remote access to systems for administrative purposes, Wisniewski said. Don’t let shared services turn into …