Texas officials have said that none of the municipalities impacted by the crippling ransomware attack last month have yielded to the ransom demand.
In its first update since August 20, the Texas Department of Information Resources (DIR) — which is leading the investigation into the incident — said more than half of the affected entities have resumed usual operations.
“All the impacted entities had transitioned from assessment and response to remediation and recovery with business-critical services restored by August 23,” the agency noted.
The coordinated ransomware attack hit 22 agencies on August 16, with their IT systems locked out by Sodinokibi (REvil) ransomware after hackers breached the software of a third-party service provider used to remotely manage their infrastructure.
Then late last month, reports emerged that criminals had demanded a collective ransom of $2.5 million to regain access to those IT systems. But with the amount not being paid, it increasingly appears the officials decided to restore from backups.
The DIR chalked up the quick incident recovery to a previously established response plan that was put into action immediately. With support from over 10 government agencies, it said all sites were cleared for remediation and recovery within a week after the attack.
To pay or not to pay?
The development comes as several US cities have been crippled by a wave of ransomware attacks, with infections leading agencies to spend hundreds of thousands of dollars to recover access to systems.
“Ransomware attacks are a tried and tested method to get money for adversaries as they find it very lucrative,” Eric Cornelius, Chief Product Officer at Cylance, told TNW. The cybersecurity firm was acquired by Canadian enterprise software company BlackBerry earlier this year.
News emerged last week of a ransomware gang trying to extort an exorbitant sum of $5.3 million from the city of New Bedford, Massachusetts. But after the criminals rejected a smaller counter-offer of only $400,000, ZDNet reported the city eventually chose to restore from backups.
DIR has posted an update regarding the August 2019 Texas Cyber Incident. Please see the September 5th press release below. More information about #ransomware, #cybersecurity best practices, and other updated information is available on our website: https://t.co/kVQb0eKIjs pic.twitter.com/4NvMZVnNaQ
— Texas Department of Information Resources (@TexasDIR) September 5, 2019
“The conventional recommendation is to never pay a ransom. However, security professionals are beholden to the business financial interests and its key stakeholders — which may mean going against conventional wisdom,” states Forrester’s Guide To Paying Ransomware report.
Cities have often opted to pay ransoms, as it’s the quickest way to resume normal function in the face of spiralling costs to recover and implement cybersecurity defenses to help protect against attacks in the first place. But the controversial trend is not being looked upon favorably.
“We would not be negotiating ransoms if the threat were to manifest physically,” Ryan Kalember, who leads cybersecurity strategy for California-based enterprise security solutions provider Proofpoint, told TNW. “Insurance has changed the economics in favor of the attackers. But there needs to be more conversation when taking such risk management decisions.”
An IBM Security and Morning Consult survey published last week found that nearly 60 percent of respondents said they are against their local governments using tax dollars to pay ransoms. An overwhelming 90-percent majority of US citizens said they’re in favor of increasing federal funding to improve cybersecurity in cities.
On the other end of the spectrum is the ransomware negotiation itself. “We use a machine learning approach to proactively detect and prevent ransomware threats,” said Cornelius.
“Unfortunately, there are also situations where organizations only reach out to us after they’ve been a victim of a ransomware attack,” he said. “We’ve successfully negotiated with the attackers in those cases, resulting in an 80-percent reduction in asking price.”
The need for preparedness
Kalember says the dynamic threat landscape means hackers are carefully picking their targets knowing that they have insurance and tend to pay out. Urging system administrators to be on the lookout for risks associated with remote desktop tools, he stressed the need for better preparedness.
“Most of the ransomware attacks are unskilled efforts,” Kalember said. “There are not enough data practices in place. Watching out for phishing emails, hardening the IT infrastructure, removing administrator rights, and adding multi-factor authentication can go a long way towards improving security.”
In addition, the Texas DIR recommends that companies and organizations block inbound network traffic from Tor exit nodes and outbound network traffic to Pastebin.
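One way to check whether a network actually enforces those two recommendations is to audit connection logs for traffic that should have been blocked. The Python below is an added example, not part of the original article or DIR guidance; the flow-log layout, the exit list and every address in it are constructed placeholders (documentation ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for a Tor exit list: one address per line.
TOR_EXIT_LIST = """\
# constructed sample, documentation-range addresses only
203.0.113.7
203.0.113.99
198.51.100.23
"""

# Constructed flow log (assumed layout): time direction src dst port host
FLOW_LOG = """\
2019-09-05T10:00:01 in 203.0.113.7 10.0.0.5 3389 -
2019-09-05T10:00:02 in 192.0.2.44 10.0.0.5 443 -
2019-09-05T10:00:03 out 10.0.0.8 192.0.2.80 443 pastebin.com
2019-09-05T10:00:04 out 10.0.0.8 192.0.2.81 443 example.org
2019-09-05T10:00:05 out 10.0.0.9 192.0.2.80 443 notpastebin.com
2019-09-05T10:00:06 in 198.51.100.23 10.0.0.6 22 -
"""

BLOCKED_DOMAINS = ("pastebin.com",)

def load_exits(text):
    """Parse the exit list into a set of ip_address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits

def host_blocked(host):
    """Match the domain or any subdomain, but not look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def audit(flow_text, exits):
    """Return (time, rule, offender) for each flow the policy should block."""
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        ts, direction, src, _dst, _port, host = fields
        if direction == "in" and ipaddress.ip_address(src) in exits:
            findings.append((ts, "inbound-from-tor-exit", src))
        elif direction == "out" and host_blocked(host):
            findings.append((ts, "outbound-to-pastebin", host))
    return findings

FINDINGS = audit(FLOW_LOG, load_exits(TOR_EXIT_LIST))
```

Any finding means the corresponding block rule is missing or being bypassed; the exit list changes constantly, so it has to be refreshed from a current source before each run.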
“The devil is in the details,” Cornelius said. “90 percent of it boils down to practicing good IT hygiene. Attackers most often capitalize on well-known exploits. It’s very important that vulnerabilities are identified and patched timely.”