Even as ransomware grows, agency CISOs have faith that their practices and tools will prevent a major incident.
Despite the meteoric rise of ransomware, federal agencies feel they are prepared to handle the threats that come along with the use of the malicious software.
Multiple agencies that spoke with FedScoop said they have not seen a severe uptick in ransomware attacks, and any such attacks can be mitigated with the cybersecurity tools and policies they already have in place.
The first half of 2016 has seen a sharp increase in ransomware — malware that encrypts the contents of a victim’s hard drive or server while hackers demand payment for the decrypt key.
While the vast majority of these attacks have been focused on the public sector, federal agencies have seen evidence of ransomware attacks as well. In response to an inquiry earlier this year from the Senate Homeland Security Committee, the Department of Homeland Security said there had been 321 ransomware incidents reported by 29 different agencies since June 2015. However, not every report was a successful attack, according to the response, and many were stopped by agencies’ security centers.
Additionally, the technology support staff for the House of Representatives issued a warning in May after a congressional staffer fell victim to an attack.
When ransomware did infect the staffer’s computer, “the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency,” the response said. In the House of Representatives case, third-party email applications like Yahoo Mail were blocked.
Federal agency statistics back up what numerous government officials told FedScoop, highlighting that they have seen cases on ransomware, but they followed standard procedure to mitigate any resulting incidents.
FedScoop spoke to officials at the departments of Commerce, Defense, and Health and Human Services, and the White House’s Office of Management and Budget, who said they either haven’t had any cases of ransomware or have followed internal mitigation processes to remedy the problem.
Several of the agencies pointed to an April blog post from DHS that lists the following criteria for protection against ransomware:
Employ a data backup and recovery plan for all critical information and back up your data on a regular basis, ideally stored offline;
Update software and operating systems with the latest patches;
Restrict users’ ability (permissions) to install and run software applications, and apply the principle of “least privilege” to all systems and services; and
Remind employees to never click unsolicited links in emails.
In the instances when ransomware are spotted, the agencies FedScoop spoke with said that they do not and would never pay ransoms in the event of an attack.
“If an individual were to come to me and say, ‘My computer’s locked for $500,’ I would just take it from them and throw in on top of the pile,” said a security official who spoke on the condition of anonymity to FedScoop. “We would give that person a brand new computer, wipe the old one, back it up and move on.”
More so than ransoms, what worries agency CISOs is the behavior that leads to infecting systems with malware: clicking on links or downloading documents from emails from phishing attempts. According to Leesburg, Virginia-based PhishMe, ransomware is included in 93 percent of phishing emails.
Commerce Department CISO Rod Turk says he has been relying on anti-phishing training to stop a host of threats, including ransomware.
“The best solution for ransomware is good cybersecurity and IT practices,” Turk told FedScoop. “You want people to be able to understand what [attacks] look like. To that extent, hopefully you will be able to stop it right up front.”
However, security firms are finding that criminals are getting so sophisticated with their phishing attempts that training courses may not be enough to stop employees from clicking on errant links.
“A lot of people are saying, ‘Oh, if users weren’t clicking on these files, we wouldn’t have a problem,’” Andy Feit, head of threat prevention marketing at Check Point Software, told FedScoop. “I’ve seen so many examples of where the hacker has done significant research into an organization to understand who is their supplier of certain parts, and sends them an invoice that looks legitimate with a spoofed email. You would never know this isn’t a legitimate email, and then you click on that attachment, and you open a PDF that’s looks entirely safe and even expected to arrive.”
Those targeted emails are arriving more and more. Earlier this year, Symantec found that ransomware attacks in the first quarter of 2016 are coming at quadruple the rate seen last year. In Infoblox’s first quarter Threat DNS Index, the company found a 35-fold increase in newly observed domains created for ransomware.
Additionally, The FBI’s Internet Crime Complaint Center has reported that individuals have filed 7,694 ransomware complaints since 2005, with losses totaling about $58 million — $24 million in just the last year.
In various blog posts, DHS and FBI have shied away from support for paying ransoms, saying payment doesn’t mean systems will be unlocked.
“Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom,” FBI Cyber Division Assistant Director James Trainor said in a blog post.
FedScoop reached out to the FBI multiple times for comment on if agencies have been given their own directives when it comes to ransoms, but the agency did not respond.
So even as attackers focus on targets like hospital systems and local police departments for ransom, government information security professionals are confident they have the steps in place to guard against the rising ransomware threat. But that doesn’t mean they are without worry.
“I’m always fearful,” said Turk. “You are always concerned, but you do the best you can to protect yourself.”