Dragos’ Vice President of Threat Intelligence, Sergio Caltagirone, spoke with WAMU radio about the recent ransomware attacks against US municipalities. This blog serves as a sister post to that radio interview.
Ransomware has recently disrupted the services of several cities, including Baltimore. Modern technology infrastructure runs water, sewer, power, and other critical services and is as important as roads and bridges. However, most municipal governments operate on very tight fiscal margins and lack the resources to secure their information systems sufficiently, which leaves faults and vulnerabilities in that infrastructure unmitigated. That does not mean they should not be protecting themselves.
Ransomware is malicious software that locks access to, or reduces the usability of, a computer system until the victim or target satisfies a demand (usually monetary). The first ransomware attack occurred in 1989, but research at Columbia University in 1996 defined the modern implementation. Cybercriminals began to use ransomware widely in 2012, and it rose to prominence in 2015. It is now one of the most widely used methods of profit for cybercriminals and a major cause of computer disruptions.
In early 2017 Microsoft was notified of a critical vulnerability in its implementation of Server Message Block version 1 (SMBv1), a file-sharing protocol enabled on almost all Windows computers at the time, and in March 2017 it issued the fix as security bulletin MS17-010. About a month later, stolen NSA code was posted publicly: a working exploit for this vulnerability codenamed ETERNALBLUE. Criminals quickly began using the vulnerability to push ransomware into victim networks and extort money.
Although Microsoft fixed the vulnerability and urged administrators to apply the patch immediately, some systems remain unpatched. Recently, the MS17-010 vulnerability has been used to install ransomware on US municipal government systems, limiting critical services to citizens. This would not have happened had those systems been patched years ago. Furthermore, proper recovery plans can mitigate ransomware damage and restore services quickly.
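The exposure described above can be checked for directly. What follows is an added example, not code from Dragos or from this post: a small Python probe that sends a host a single SMB_COM_NEGOTIATE request offering only SMBv1 dialects and reports whether the host agrees to speak SMBv1 (the protocol ETERNALBLUE abuses). Hostnames are taken from the command line, port 445 is assumed, and the sample reply bytes bundled for offline testing are constructed rather than captured.

```python
"""Probe a host for SMBv1 support with an SMB_COM_NEGOTIATE request.

Added example, not Dragos code. A host with SMBv1 enabled answers with an
SMBv1 reply naming the dialect it chose; a host with SMBv1 disabled answers
with SMB2/3 framing, refuses every dialect, or drops the connection.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF   # DialectIndex a server returns when it accepts none

# Dialects offered, oldest first. All are SMBv1, so an SMB2-only server
# cannot pick any of them.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def _smb1_header(flags: int, flags2: int) -> bytes:
    # 32-byte SMB1 header: magic, Command, NTSTATUS, Flags, Flags2, PIDHigh,
    # SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID (little-endian)
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags, flags2, 0,
        b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def _netbios(smb: bytes) -> bytes:
    # NetBIOS session service header: type byte 0x00 then a 24-bit length,
    # which is exactly a big-endian 32-bit length whose top byte is zero.
    return struct.pack(">I", len(smb)) + smb


def build_negotiate_request() -> bytes:
    """SMB_COM_NEGOTIATE request that offers only SMBv1 dialects."""
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    body = struct.pack("<BH", 0, len(dialect_blob)) + dialect_blob  # WordCount=0, ByteCount
    return _netbios(_smb1_header(0x18, 0xC853) + body)


def classify_response(data: bytes):
    """Return (verdict, dialect) for a raw negotiate reply.

    verdict is 'smb1', 'smb1-refused', 'smb2' or 'unknown'.
    """
    if len(data) < 4 + 32:
        return ("unknown", None)
    smb = data[4:]                       # strip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return ("smb2", None)
    if not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE:
        return ("unknown", None)
    if len(smb) < 35:                    # need WordCount + DialectIndex
        return ("unknown", None)
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if word_count == 0 or dialect_index == NO_DIALECT or dialect_index >= len(DIALECTS):
        return ("smb1-refused", None)    # SMB1 framing, but no dialect accepted
    return ("smb1", DIALECTS[dialect_index].decode())


def probe(host: str, port: int = 445, timeout: float = 3.0):
    """Connect to host:port and classify its answer (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            return classify_response(s.recv(4096))
    except OSError:
        return ("unreachable", None)


def sample_reply(dialect_index: int) -> bytes:
    """Constructed SMBv1 negotiate reply (not a capture) for offline testing."""
    word_count = 1 if dialect_index == NO_DIALECT else 17
    params = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    body = struct.pack("<B", word_count) + params + struct.pack("<H", 0)  # ByteCount=0
    return _netbios(_smb1_header(0x98, 0xC801) + body)


SAMPLE_SMB2_REPLY = _netbios(SMB2_MAGIC + b"\x00" * 60)   # constructed SMB2 framing

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, *probe(host))
```

A verdict of `smb1` means the attack surface is still present; it says nothing about whether MS17-010 is installed, since a patched host with SMBv1 left on answers the same way, so treat the probe as an inventory of exposure rather than of patch status. On the host itself, SMBv1 serving can be turned off on Windows 8/Server 2012 and later with the PowerShell cmdlet `Set-SmbServerConfiguration -EnableSMB1Protocol $false`, after confirming nothing legacy still depends on it.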
What Can a Government Do?
- Patch. When a critical fix is issued by a software vendor, apply it promptly.
- Recover. Assume ransomware attacks and develop, test, and operationalize recovery plans to limit downtime.
- Prioritize. Increase the priority of protecting information systems which deliver critical services.
- Community. Cybersecurity is a team sport, and governments need to work together to pool their resources in protecting infrastructure, both IT networks and the industrial control systems that run water, power, sewer and similar services.
Are Industrial Control Systems and Critical Infrastructure at Risk?
Yes. Ransomware can disrupt the information flow within critical infrastructure necessary for plants to process and deliver water, power, etc. Ransomware attacks will affect all industries indiscriminately. Local governing officials, municipalities, and other governments need to take this risk seriously. See previous blog: Implications of IT Ransomware for ICS Environments
Is NSA at fault for this activity?
No. The stolen and leaked NSA code was, more than two years ago, the original public source of knowledge of how to attack computers in this way. By now that knowledge is widely available, including from Microsoft’s own patch.
Furthermore, the malware actually being used in these attacks is not government code but comes directly from criminals. The causal chain is therefore too far removed from NSA to link the agency to this event.
Is the City of Baltimore and Other Municipalities at Fault?
No. The criminals who launched these attacks are at fault and must shoulder all the blame. Did the City of Baltimore do everything it could? No. Things need to get better to prevent such events in the future. But we must resist blaming the victim, and we must also recognize that we cannot treat cybersecurity as a bubble in which everyone is alone and must defend themselves against the world. Cybersecurity is a team sport, and organizations must band together and share resources to solve this problem.
Are There Risks of This Happening Again?
Yes. All the time. New vulnerabilities are constantly being disclosed, such as the recent RDP vulnerability, which threatens most computers in the world.