The threat actor behind the coordinated ransomware attack against multiple Texas local governments may have gained access to its computer systems via a third-party software provider.
According to NPR, which first reported the development, the attackers want a collective ransom of $2.5 million. So far, there are no indications the amount has been paid.
On August 20, the Texas Department of Information Resources (DIR) said as many as 23 state-run services — including police departments and libraries — had been had been affected by file-encrypting malware. Though very little is known about the attack’s origin or the strain of ransomware used, the agency revised the count to 22 two days later.
The news comes as ransomware attacks are becoming highly targeted, with criminals devising sneakier ways to inject malicious code into computer networks in hopes that companies and governments would pay them off.
Managed service provider as attack vector
“More than 25 percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual,” the DIR said.
But it stopped short of disclosing additional details, citing an ongoing federal investigation. It has not yet been identified who or what is behind the attack, but the DIR said evidence pointed to a single threat actor.
Nine of the 22 impacted local governments have been identified so far — Borger, Keene, Kaufman, Wilmer, counties of Grayson and Lubbock, and the police departments in the cities of Bonham, Graham and Vernon.
“They got into our software provider, the guys who run our IT systems,” Keene Mayor Gary Heinrich told NPR. “A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.”
Heinrich also said the same outsourcing company (aka managed service provider or MSP) provided IT support to many of the other affected local municipalities.
The need for cyber preparedness
The Texas security incident is unique in that it’s one of the first coordinated ransomware attacks to hit the US. And it certainly won’t be the last.
With businesses, healthcare institutions, and state-run facilities increasingly the focus of ransomware operators, small localities have become a lucrative attack surface — either because they’re more likely to pay, or they’re cash-strapped and therefore unlikely to be able to defend themselves adequately against ransomware.
In a report published in May, Massachusetts-based threat intelligence firm Recorded Future found at least 169 ransomware incidents targeting state and local government since 2013, with 21 of them reported just in the first four months of 2019.
More often than not, the IT departments tend to be under-resourced, and lacking funds or skilled staff members to upgrade their security posture and address vulnerabilities in a timely fashion.
The fact the attackers may have compromised a MSP is alarming enough because a successful break-in opens up access to multiple clients, making them all vulnerable at once. But the lack of readiness to mount a prompt incident recovery plan is a real cause for concern, and should be a wake-up call for all organizations and government agencies.