City shakedown: How a targeted attack left a local government in a cyber fix
The incident began when a hacker was able to gain access to the city’s computer systems via the Remote Desktop Protocol.
Public entities tend to have tighter budgets than organizations operating in the private sector, and this can have an impact on their ability to invest in information technology (IT) security. As a result, they are becoming an increasingly attractive target for cybercriminals.
For example, in 2018, Atlanta’s municipal government was hit by an outbreak of SamSam ransomware that brought down their computer systems, resulting in numerous municipal services being impaired and an estimated bill of $9.5 million to recover from the incident. More recently, in May 2019, Baltimore’s government fell victim to a ransomware attack, causing widespread disruption.
Whether these were targeted or merely opportunistic attacks remains unclear, but what is undoubtedly true is that the nature of cyber extortion events has changed over recent years.
In the past, ransomware was often distributed widely through mass-email campaigns without a specific target in mind in the hope that a small number of individuals and organizations would be caught out. However, as ransomware has become an established method of attack, endpoint protection systems have become increasingly effective at blocking ransomware.
To make up for this, many cybercriminals are now handpicking vulnerable organizations and encrypting their data. And because they have a better understanding of their victims, these cybercriminals are also raising their demands accordingly, with many requesting amounts in excess of $50,000.
Recently, one of our policyholders affected by this type of incident was a local government for a small city with a population below 100,000.*
Brute force attack uncovers easy-to-guess passwords
The incident began when a hacker was able to gain access to the city’s computer systems via the Remote Desktop Protocol (RDP). RDP allows remote users to connect to the desktop of another computer through a network connection and is typically used by organizations to allow employees to access their networks while they are away from the office.
Having identified this exposed RDP port as a way into the city’s computer systems, the hacker launched a brute force attack against the local administrator account, running a program that tried password after password in quick succession until one worked. Unfortunately, the password for this local administrator account was a commonly used one: it had been set as the default for new accounts and had never been changed.
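The pattern described above (a run of failed RDP logons followed by a success from the same source) is visible in the Windows Security log as Event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive). The following is an added example, not code from the article or from CFC: it assumes the events have already been exported into Python dicts with the fields shown, and the sample events are constructed (the source addresses are documentation ranges, not real attackers).

```python
"""Flag RDP password-guessing in exported Windows Security log events.

Added example; the event dicts, field names and sample data are assumptions
constructed for this demonstration, not data from the incident in the article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive (Remote Desktop)
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624


def _make_sample_events():
    """Constructed sample log: a brute force run plus one benign mistyped password."""
    base = datetime(2019, 5, 1, 2, 0, 0)
    events = []
    # twelve failed RDP logons against the local administrator account, 10 s apart
    for i in range(12):
        events.append({"time": base + timedelta(seconds=10 * i),
                       "event_id": EVENT_LOGON_FAILED, "logon_type": RDP_LOGON_TYPE,
                       "account": "administrator", "source_ip": "203.0.113.45"})
    # the thirteenth attempt from the same source succeeds
    events.append({"time": base + timedelta(seconds=125),
                   "event_id": EVENT_LOGON_SUCCESS, "logon_type": RDP_LOGON_TYPE,
                   "account": "administrator", "source_ip": "203.0.113.45"})
    # a legitimate user mistypes a password twice, then logs in: not brute force
    for i in range(2):
        events.append({"time": base + timedelta(minutes=30, seconds=15 * i),
                       "event_id": EVENT_LOGON_FAILED, "logon_type": RDP_LOGON_TYPE,
                       "account": "jdoe", "source_ip": "192.0.2.10"})
    events.append({"time": base + timedelta(minutes=31),
                   "event_id": EVENT_LOGON_SUCCESS, "logon_type": RDP_LOGON_TYPE,
                   "account": "jdoe", "source_ip": "192.0.2.10"})
    return events


SAMPLE_EVENTS = _make_sample_events()


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced `threshold` or more failed RDP
    logons inside a sliding `window`; a later successful RDP logon from a flagged
    source is recorded in the alert's `success_account`."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps inside the window
    total = defaultdict(int)      # source_ip -> total failures seen
    targets = defaultdict(set)    # source_ip -> accounts attempted
    flagged = {}                  # source_ip -> alert dict (mutated as events arrive)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = ev["source_ip"]
        if ev["event_id"] == EVENT_LOGON_FAILED:
            q = recent[ip]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            total[ip] += 1
            targets[ip].add(ev["account"])
            if ip in flagged:
                flagged[ip]["failures"] = total[ip]
                flagged[ip]["targets"] = sorted(targets[ip])
            elif len(q) >= threshold:
                flagged[ip] = {"source": ip, "failures": total[ip],
                               "targets": sorted(targets[ip]), "success_account": None}
                alerts.append(flagged[ip])
        elif ev["event_id"] == EVENT_LOGON_SUCCESS and ip in flagged:
            # success after a flagged run is the case that needs immediate attention
            flagged[ip]["success_account"] = ev["account"]
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: a guessing tool that spreads attempts over hours to stay under a lockout policy needs a longer window, and the benign two-failure case shows why a single failed logon is not a useful trigger on its own.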
Upon logging into the local administrator account, the hacker made use of a password-scraping tool that allowed them to obtain login credentials for other accounts on the network with greater access privileges. From here, they used a scanning tool to gain information about what was on the insured’s network. In particular, the hacker appeared to be attempting to find the location of any back-ups in the knowledge that if they encrypted them, they would have more leverage when extracting the ransom payment. In this case, the city had failed to save their back-ups externally, allowing the hacker to locate them while searching the network.
The hacker then went on to the next stage of the attack. They began using a strain of ransomware to encrypt the city’s data, applications and back-ups, leaving a ransom note demanding 15 bitcoins (equivalent to over $60,000 at the time of the attack) in exchange for the decryption key.
Ransomware research leads to breakthrough
Upon discovering the ransom note, the city’s IT staff initially tried to deal with the incident themselves, but with the back-ups encrypted, they soon realized that any attempt to decrypt the affected servers without the decryption key would be unsuccessful.
Without access to their computers, employees would be unable to respond to email queries and complaints from city residents and certain processes, such as applications for social housing or building permits, would all have to be carried out manually. Furthermore, with online payment systems rendered inaccessible, city residents would be unable to pay things like water bills or parking tickets.
It was therefore essential to act quickly, and it was at this point that the incident was notified to CFC. Using the information contained in the ransom note, our threat intelligence team identified which ransomware variant had been used to carry out the attack and located a decryption tool for it. With this tool, our team managed to decrypt the servers without having to pay the ransom demand or cause major disruption to public services.
Questions emerge over hacker’s access of sensitive data
The city had now regained access to their computer systems, but there was still a question of whether there had been a data breach. The city stored sensitive information on their computer systems relating not only to employees but to a large number of city residents too, and if this had been accessed or exfiltrated during the course of the attack, a large-scale notification process would have to be carried out.
In order to address this issue, we engaged one of our forensic partners to determine the root cause of the attack and discover what exactly the hacker had done while they had access to the insured’s computer systems. This was a significant undertaking as the city’s network was made up of over 700 connected devices, with nearly 500 users across 20 sites.
After several weeks of investigations, it was determined that the hacker had not accessed any sensitive information, and this was based on three factors:
- there was no evidence of large zip files being created;
- the artifacts on the system relating to the attack appeared to be limited to harvesting password credentials; and
- the amount of time the hacker spent on the system was not deemed to be long enough to carry out meaningful data exfiltration.
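Two of the three factors above can be checked mechanically against forensic file-system timelines: archives created during the intrusion window and large enough to hold the data at stake, and the dwell time between first access and the start of encryption. The following is an added example, not the forensic partner's method or code from the article; it assumes file metadata has been collected into dicts with the fields shown, and every path, size and timestamp in it is constructed.

```python
"""Triage exfiltration indicators from a file-system timeline.

Added example with constructed data; the field names and the 100 MB threshold
are assumptions for the demonstration, not figures from the investigation.
"""
from datetime import datetime, timedelta

ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar", ".gz")

# Constructed file-creation records (path, size in bytes, creation time, creating process)
SAMPLE_FILES = [
    {"path": r"C:\Backups\fileserver-2019-04.zip", "size": 2_400_000_000,
     "created": datetime(2019, 4, 2, 3, 0), "process": "backup.exe"},
    {"path": r"C:\Users\administrator\Desktop\staging.zip", "size": 1_200_000,
     "created": datetime(2019, 5, 1, 2, 10), "process": "explorer.exe"},
    {"path": r"C:\Temp\scan-results.txt", "size": 20_000,
     "created": datetime(2019, 5, 1, 2, 20), "process": "scanner.exe"},
    {"path": r"C:\Users\jdoe\Documents\report.docx", "size": 300_000,
     "created": datetime(2019, 5, 1, 9, 0), "process": "winword.exe"},
]

# Constructed intrusion window: first successful RDP logon to first encrypted file
FIRST_ACCESS = datetime(2019, 5, 1, 2, 2)
ENCRYPTION_START = datetime(2019, 5, 1, 3, 40)


def find_large_archives(files, start=None, end=None, min_bytes=100 * 1024 * 1024):
    """Return archive files of at least `min_bytes` created in [start, end].
    A bound of None means that side of the window is open."""
    hits = []
    for f in files:
        if not f["path"].lower().endswith(ARCHIVE_SUFFIXES):
            continue
        if f["size"] < min_bytes:
            continue
        if start is not None and f["created"] < start:
            continue
        if end is not None and f["created"] > end:
            continue
        hits.append(f["path"])
    return hits


def dwell_time(first_access, encryption_start):
    """Time the intruder had on the network before detonating the ransomware."""
    return encryption_start - first_access


def triage(files, first_access, encryption_start, min_bytes=100 * 1024 * 1024):
    """Summarise the two indicators so an analyst can weigh them together."""
    return {
        "large_archives_in_window": find_large_archives(files, first_access,
                                                        encryption_start, min_bytes),
        "dwell": dwell_time(first_access, encryption_start),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FILES, FIRST_ACCESS, ENCRYPTION_START))
```

Note the design point: the old backup archive is large, but it predates the intrusion, so it only shows up when the window is left open. Restricting the search to the window is what turns "no large zip files" into evidence rather than noise; a short dwell time then limits how much could have left the network even without an archive.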
The city may not have had to carry out notifications, but the cost of the attack was still significant. The cost of the forensic investigation and security assessment alone came to $180,541. This came on top of the $15,000 in legal fees and $5,000 to engage a crisis communications consultancy to deal with a media inquiry about the attack, bringing the total claim cost to $200,541.
Large networks and sensitive data put public entities at risk
This scenario highlights a few key points. Firstly, it demonstrates how important it is to work with an experienced cyber insurer with a dedicated incident response team in place. When you buy a cyber policy, you are not just buying a promise to pay valid claims. You are also paying for a service to help and advise you when things go wrong. This includes gaining access to threat intelligence that many organizations may be unaware of.
Secondly, if businesses are using the Remote Desktop Protocol, they should make sure that it is not exposed directly to the internet and require users to connect through a virtual private network (VPN) instead. Malicious actors are constantly seeking out vulnerabilities to exploit, and an internet-facing RDP port is one of the most common things they look for. In addition, businesses should ensure that they have good password hygiene in place and enable two-factor authentication to reduce the risk of attacks like this one.
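A simple way to keep the "no RDP from the internet" rule honest is to audit firewall or cloud security-group rules and flag any rule that admits TCP 3389 from a source outside the organisation's internal and VPN ranges. The following is an added example, not code from the article or from CFC; the rule format is assumed (a list of dicts), the rules are constructed, and the internal ranges are the RFC 1918 blocks plus a made-up VPN pool.

```python
"""Audit firewall rules for RDP reachable from outside trusted ranges.

Added example with a constructed rule set; the rule schema, the VPN pool
and the notion of "internal" are assumptions for this demonstration.
"""
import ipaddress

RDP_PORT = 3389

# Ranges from which RDP is acceptable: RFC 1918 plus an assumed VPN client pool.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "10.8.0.0/24",   # assumed VPN pool (already inside 10/8, listed for clarity)
)]

# Constructed rules: name, protocol, inclusive port range, permitted source CIDR
SAMPLE_RULES = [
    {"name": "rdp-any", "proto": "tcp", "ports": (3389, 3389), "source": "0.0.0.0/0"},
    {"name": "rdp-vpn", "proto": "tcp", "ports": (3389, 3389), "source": "10.8.0.0/24"},
    {"name": "web",     "proto": "tcp", "ports": (443, 443),   "source": "0.0.0.0/0"},
    {"name": "wide",    "proto": "tcp", "ports": (1, 65535),   "source": "198.51.100.0/24"},
]


def source_is_internal(cidr, internal=INTERNAL_RANGES):
    """True only if the whole source block sits inside one trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in internal)


def rule_allows_rdp(rule):
    """True if the rule permits TCP traffic to port 3389 (any range covering it)."""
    lo, hi = rule["ports"]
    return rule["proto"].lower() == "tcp" and lo <= RDP_PORT <= hi


def rdp_exposed_rules(rules, internal=INTERNAL_RANGES):
    """Names of rules that let RDP in from a source not fully inside `internal`."""
    return [r["name"] for r in rules
            if rule_allows_rdp(r) and not source_is_internal(r["source"], internal)]


if __name__ == "__main__":
    for name in rdp_exposed_rules(SAMPLE_RULES):
        print("RDP reachable from outside trusted ranges:", name)
```

The "wide" rule is the one that tends to slip through manual review: it never mentions 3389, but a port range of 1-65535 from a non-internal block exposes RDP just as surely as an explicit rule does, which is why the check tests whether the range covers the port rather than matching on the number.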
But most importantly, it reveals how vulnerable public entities are to sizeable losses like this. Because public entities are primarily financed by taxation or central government funding, they do not face the business interruption risk that most private organizations do. However, because public entities typically operate large networks holding significant amounts of sensitive data, they can incur substantial system damage, forensic investigation and notification costs in the event of a cyber attack, illustrating the importance of cyber insurance for local governments and municipalities.
*Note: Summary based on real events, but entity shall remain anonymous.
James Burns is the cyber product leader at CFC Underwriting Ltd. He can be reached at jburns@cfcunderwriting.com.