Summary
The FBI is informing Government Facilities Sector (GFS) partners of cyber actors conducting ransomware attacks on local government agencies that have resulted in disrupted operational services, risks to public safety, and financial losses. Ransomware attacks against local government entities and the subsequent impacts are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities, and other services overseen by local governments, making them attractive targets for cyber criminals. Victim incident reporting to the FBI between January and December 2021 indicated local government entities within the GFS were the second highest victimized group behind academia.
Threat
In 2021, local US government agency victims were primarily among smaller counties and municipalities, which was likely indicative of their cybersecurity resource and budget limitations. “The State of Ransomware in Government 2021” survey of 30 countries, conducted through an independent research group commissioned by a UK-based company, found rectifying a ransomware attack on a local government often included financial liabilities related to operational downtime, people time, device costs, network costs, lost opportunity, and, in some cases, paid ransoms. Further, the survey found local governments were the least able to prevent encryption and recover from backups, and had the second highest rate of paying the ransom compared to other critical infrastructure sectors. According to a US-based media source reporting on state and local government matters, underfunded public sector organizations’ understaffed and outdated systems often put them in the position to pay ransoms simply to get the data back. Recent reporting indicates ransomware incidents against local governments resulted in disruptions to public and health services, emergency and safety operations, and the compromise of personal data. These types of attacks can have significant repercussions for local communities by straining financial and operational resources and putting residents at risk for further exploitation.
- In January 2022, a US county took computer systems offline, closed public offices, and ran emergency response operations using “backup contingencies” after a ransomware attack impacted local government operations. The attack also disabled county jail surveillance cameras, data collection capabilities, internet access, and deactivated automated doors, resulting in safety concerns and a facility lockdown.
- In September 2021, cyber actors infected a US county network with ransomware, resulting in the closure of the county courthouse and the theft of a substantial amount of county data (to include personal information on residents, employees, and vendors). The actors posted the data on the Dark web when the county refused to pay the ransom.
- In May 2021, cyber actors infected local US county government systems with PayOrGrief ransomware, making some servers inaccessible and limiting operations. The attack disabled online services, including scheduling of COVID-19 vaccination appointments, and the attackers claimed to have 2.5 gigabytes of data, including internal documents and personal information.
- In January 2021, cyber actors infected local US county government systems with ransomware that compromised jail and courthouse computers in addition to election, assessment, financial, zoning, law enforcement, jail management, dispatch, and other files. The attack impacted the sheriff department’s records management program and county clerk, treasurer, and supervisor of assessment and public defender office computers. The ransomware note stated files would be deleted after two weeks if the ransom was not paid.
Ransomware tactics have and will continue to evolve as noted in the February 2022 Joint Cybersecurity Advisory (CSA) by government agencies in the United States, Australia, and the United TLP:WHITE TLP:WHITE Kingdom.1 The top three initial infection vectors in 2021 were phishing emails, remote desktop protocol exploitation, and software vulnerability exploitation. These were likely exacerbated by the continued remote work and learning environments which expanded the attack surface and challenged network defenders. In 2021, actors expanded their targeting tactics and widened the scope of victimization potential by implementing service-for-hire business models, sharing victim information among actor groups, diversifying extortion strategies, and attacking upstream/ downstream accesses and data sources such as cloud infrastructure, managed service providers, and software supply chains. In the next year, local US government agencies almost certainly will continue to experience ransomware attacks, particularly as malware deployment and targeting tactics evolve, further endangering public health and safety, and resulting in significant financial liabilities. The FBI has an opportunity to disrupt some of this activity by leveraging partnerships with domestic and foreign governments, as well as the private sector, to more effectively identify actors, finances, and infrastructure.
