Lessons Learned from a Recent Ransomware Attack
Data breaches affect businesses of all sizes, in every industry, across North America. But one sector that’s been particularly impacted is government, from local to county to state. These institutions often struggle to respond to ransomware infections, system intrusions, and cyberthreats, leading more hackers to target them.
In fact, since 2017, more than 3,600 local, tribal, and state governments have been hit by ransomware, according to the Multi-State Information Sharing and Analysis Center, part of the nonprofit Center for Internet Security. One recent example stands out and demonstrates just how bad a data breach can be:
On September 8, in Suffolk County, on the easternmost end of Long Island, New York, antivirus software alerted county officials to a problem with online systems connecting more than 20 county agencies. That prompted a shutdown of everything from police department databases to tag and title systems, bringing online payments, email communications, and real estate transactions to a halt.
The attack was carried out by a well-known hacking organization called BlackCat, or ALPHV, which is notorious for stealing data from companies around the globe and threatening to sell it on the dark web if a ransom isn’t paid for its return. The hackers claimed to steal four terabytes worth of personal information, including court records, driver’s license numbers, and bank account details.
To deal with the hack, Suffolk County made an unusual decision: “We were just going to turn off the Internet to further contain this,” Lisa Black, chief deputy executive for Suffolk County, recently told The New York Times. “We were going to revert to 1990.” That meant replacing wire transfers with hand-signed paper checks, sending government documents by fax instead of email, and even transcribing 911 calls by hand—all while county staff tried to manually clean infected computers and restore lost files.
Some emergency systems came back online in October, but other parts of Suffolk County operations remain hobbled nearly three months after the original hack. Title searches for home sales are still being conducted on 125 replacement terminals sent to Suffolk by the state of New York. Just before Thanksgiving, the county admitted that personal information from nearly 500,000 traffic tickets had been leaked, and it’s still impossible to pay those tickets either in person or online. Email accounts for county employees were finally restored, but archived messages had disappeared. And the county comptroller still has to sign checks by hand.
Many cybersecurity experts said that Suffolk County had failed to proactively prepare for such a scenario. Earlier this summer, the outgoing county clerk had asked for a dedicated firewall to protect vulnerable data, but her request was rejected. But others argued that these types of hacks were difficult to rebuff, pointing out that even global corporations often fell victim to coordinated ransomware attacks. “At the local government level, you don’t have the resources or ability to respond to what amounts to [a] nation-state style attack,” Michael A.L. Balboni, president of a consulting firm hired to help Suffolk County respond, told The New York Times. “And it’s unrealistic to expect them to.”
Still, there are steps that every company can take to be better prepared for the inevitability of a digital attack. Below, CMIT Solutions collects seven tips that can help businesses across North America increase their cybersecurity protections and respond to cyber incidents.
1. Implement multi-factor authentication (MFA). This can serve as the first line of defense against system intrusions that take advantage of stolen or weak passwords. MFA is an authentication method that requires a user to combine something they know (a password) with something they have (a unique code delivered via text or email, or a push notification to a mobile device). A standard in the business world, MFA has been slower to roll out for local government agencies like those in Suffolk County.
2. Update legacy software and hardware. Like many local governments, Suffolk County was still conducting many critical operations on outdated platforms that they had yet to modernize. After the September attack, the county increased its 2023 operating budget by $9 million to fund upgrades and cybersecurity measures. But that might qualify as too little, too late since many digital operations could not be moved to more secure or updated applications. Often, simply neglecting to install a critical software update can lead to cybersecurity problems. Taking a proactive approach means deploying patches and updates automatically and during off hours when they won’t affect employee productivity.
3. Enhance system monitoring. Suffolk County’s antivirus software did its job by alerting executives to the ransomware attack once it started. But more robust protections could have blocked the infection from ever taking root. Such protections include security information and event management (SIEM) tooling watched by a security operations center (SOC), which correlates alerts from across the environment and can identify vulnerabilities and intrusions before they’re exploited; network traffic analysis that recognizes indicators of suspicious activity; and advanced firewalls that provide stronger security for sensitive data.
4. Increase email protection. Relying on employees to spot phishing attempts or suspicious messages is no longer enough. Instead, enhanced email monitoring can automatically detect dangerous links or illicit attachments, quarantining questionable messages in sandboxes for further review. Automated tools can also flag emails that may appear legitimate but actually come from misspelled domain names or carry poorly written subject lines, adjusting email rules to prevent them from ever landing in your inbox.
5. Keep track of unused devices, ports, and endpoints. Local government agencies and small businesses often struggle to offboard departing employees and deactivate old or unused devices. But these can represent easy targets for hackers. A trusted IT partner can help you monitor device activity and detect irregularities to prevent unauthorized access. Remote Desktop Protocol (RDP) also deserves a close watch, as this common tool used in today’s hybrid workplace can be exploited to infiltrate a user’s computer and change administrative settings, which can lead to hacks.
6. Prioritize data backups. One way to mitigate ransomware attacks is to have reliable, remote, and redundant data backups that can be recovered and installed on systems after they’re wiped clean. Free consumer solutions like Google Drive and Dropbox aren’t enough for most businesses; cloud-based enterprise backups are a must. Testing those backups before an emergency strikes is critical, as well—to ensure that they’re functioning properly and to know how to quickly restore that data in the event of a manmade or natural disaster.
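The backup test the tip calls for can be made routine rather than a one-off drill. The script below is an added example (not from the original post or from CMIT Solutions) that builds a SHA-256 manifest of a live data set, verifies a backup copy file by file, and performs a restore into a scratch directory to prove the copy is actually usable. The directory layout and file contents are constructed in a temporary folder so the demo runs offline; the function and path names are the example's own.

```python
"""Checksum manifest and restore test for a backup set (added example, constructed data)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict[str, str]:
    """Map each file's path (relative to the source root) to its digest.

    Taken at backup time; should be stored separately from the backup itself.
    """
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict[str, str], backup: Path) -> dict[str, list[str]]:
    """Compare a backup tree against the manifest; report ok / missing / corrupt files."""
    report: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        p = backup / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_test(manifest: dict[str, str], backup: Path) -> bool:
    """Restore into a scratch directory and re-verify: a backup that cannot be restored is no backup."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "restored"
        shutil.copytree(backup, dest)
        r = verify_backup(manifest, dest)
        return not r["missing"] and not r["corrupt"]


def demo() -> dict:
    """Constructed scenario: one intact backup and one where a file was altered and another lost."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "records").mkdir(parents=True)
        (src / "records" / "tickets.csv").write_text("id,plate\n1,ABC123\n")
        (src / "records" / "deeds.csv").write_text("parcel,owner\n42,Doe\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "backup_good"
        shutil.copytree(src, good)
        bad = Path(tmp) / "backup_bad"
        shutil.copytree(src, bad)
        # Simulate silent corruption (or tampering) and a file that never got copied.
        (bad / "records" / "tickets.csv").write_text("id,plate\n1,XXXXXX\n")
        (bad / "config.ini").unlink()

        return {
            "good": verify_backup(manifest, good),
            "bad": verify_backup(manifest, bad),
            "good_restores": restore_test(manifest, good),
            "bad_restores": restore_test(manifest, bad),
        }


if __name__ == "__main__":
    result = demo()
    print("intact backup :", result["good"], "restores:", result["good_restores"])
    print("damaged backup:", result["bad"], "restores:", result["bad_restores"])
```

Keep the manifest on separate, write-protected storage from the backup it describes: ransomware that reaches the backup volume can encrypt or rewrite both if they sit together, and the check above is only meaningful when the reference digests are beyond its reach.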
7. Suspect you’ve been hacked? Call an IT provider immediately. Quick-thinking action can often minimize the impact of a data breach or ransomware infection and contain the spread before it affects interconnected systems. If you see a message claiming to have encrypted your files, or you think you’ve been breached, shut down your computer immediately and unplug it from all Internet connections and local networks. If needed, a cybersecurity expert can help you modify your company’s public IP address so that any information shared on the dark web is no longer connected to your current system settings.
CMIT Solutions is committed to helping clients of all sizes to prepare for and protect against data breaches and ransomware infections. We work with local governments, mom-and-pop shops, and multinational corporations alike to defend data, secure networks, and empower employees to work productively and efficiently.
Are you concerned about rising threats or worried that your information has been compromised? Are you unsure about your company’s level of cybersecurity protection or proactive planning? Contact CMIT Solutions today.