Ransomware attacks against local governments and cities are repeatedly making headlines, with crippling results on city operations and budgets.
Last month, the Florida city of Riviera Beach paid hackers $600,000 after being hit by a ransomware attack that downed its computer systems for three weeks. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000. And the city of Baltimore is another recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more, demanding a $76,000 ransom.
Why do cities appear to be a low hanging fruit when it comes to ransomware attacks? What hurdles do state and local governments face when securing their systems and responding to attacks?
In the first of a two-part series, Threatpost talks to Shawn Taylor, the senior systems engineer at Forescout who covers state and local governments across the country. Taylor was in the trenches during the infamous 2018 Atlanta ransomware attack and recounts what the experience taught him about remediation and recovery efforts when it comes to cyberattacks.
Click here for direct download of the podcast. Below is a lightly-edited transcript from the podcast.
Lindsey O'Donnell: Welcome to the Threatpost podcast. This is Lindsey O'Donnell with Threatpost here. And I'm speaking today with Shawn Taylor, the senior systems engineer at Forescout who covers state and local governments across the country. Shawn, thanks so much for coming onto the show. How are you doing today?
Shawn Taylor: I'm doing great. Lindsey, thanks so much, appreciate you having me on today.
LO: I wanted to talk about a topic that keeps coming up again, and again, not just this year, but over the past few years. And that is ransomware attacks, specifically targeting cities, towns and municipalities. So you know, starting last year, we saw the big Atlanta ransomware attack. And then, you know, we also saw Baltimore, and some other towns and cities as well, over the past few years. I feel like this is just an issue that's continued on over the years. And, Shawn, I know that you mentioned you were kind of up front and center with the Atlanta ransomware attack too.
ST: I was, I was fortunate enough to be able to get Forescout on site, sort of parachuted in, in the immediate hours afterwards to help with the triage and sort of troubleshooting activities. Unfortunately for the city when they got hit last March, they had become incredibly debilitated. The ability of the city of Atlanta to provide basic fundamental services was significantly compromised. Basic operational capability from an IT perspective was lost, you know, so what Forescout was very uniquely able to do in, in helping them, was really trying to achieve some level of visibility, and really provide a system of record to help them. But, you know, that was one of, as you had pointed out, multiples that sort of keep coming up. And it is sort of like a broken record that these entities continue to go through, right. And I think what the city of Atlanta sort of suffered through was really sort of the collection of legacy infrastructures, legacy networks, combined with there's probably some other misconfigured technologies or those kinds of things that ultimately, that when you're dealing with ultimately, overworked, potentially understaffed organizations, the problem seems to sort of precipitate itself more and more so that these types of events are going to continue to occur. And as you had said, they have.
LO: Right, yeah, I mean, even just in the past month, we've seen the big headlines have been about two Florida cities that were targeted as well, which is Riviera Beach, and Lake City. And then, you know, a couple of other towns too. So it's clear, this is ongoing. And I'm really interested, you being at the forefront of the aftermath of these types of attacks. Can you walk us through kind of what takes place from the get-go, starting with the initial infection for certain attacks, all the way through remediation and recovery? How does that kind of play out once a ransomware attack occurs?
ST: Yeah, I love that question. Because it is something that I didn't necessarily appreciate firsthand until I was able, I sort of was thrust into it being onsite in Atlanta. But there is a point of inception, where the breach occurs for one of the cities and I want to say it was it was Lake City, I'm not positive. But I know that I read an article recently where there was an IT administrator who was fired because he ended up clicking a link, right, so there was a phishing attack, where there was a link clicked, where an exploit occurred, an exploit was exploited, there was a vulnerability that was exploited. And ultimately, there were multiple steps in the process, the Emotet was installed, and then there was the Ryuk ransomware, was ultimately then installed and sort of propagates right. And each of these sort of take on different flavors, different shapes, but there is a vulnerability, there's a weak link in the process. And whether it is a human, that has not gone through adequate cybersecurity training, or has a weak moment, right, or just isn't necessarily as well-articulated in looking at an email or looking at a document, right, that they ended up clicking a link right, that ultimately exploits that vulnerability that exists in that system.
Now, rewind a bit, there needs to be a vulnerability on that system, right? So that goes to fundamental core cyber security practices of an organization to ensure that one, first and foremost, you've got visibility to all of those connected devices in your landscape. What is connected, are they all domain members, should they be on the network in the first place, and ensure that whatever mechanisms you put in place to try and ensure that they are adequately patched, whether you're leveraging what Microsoft provides, or you've brought in a third-party product, but ensure that those products are in fact doing their job and patching properly, to mitigate and remediate inner vulnerabilities, so that when that link is clicked, there is no – unless it's ultimately a zero day … you know, those are going to be very hard to stop – but ensuring that you can keep that adversarial script from executing on that endpoint is the first step. So ensuring that you've got someone who's trained, knows not to click a link and verify URL and hyperlink and all of those things, but then to make sure that the endpoints that that person's on, as well as the endpoints around the enterprise are, in fact, properly patched. And you're aware of them, right, because ultimately, what ends up happening, and what happened in the case of Atlanta, which was really interesting, when they came into the network, they penetrated the network and the ransomware used in Atlanta was different than what was used in Riviera Beach and Lake City, it was known as the SamSam ransomware, and it tended to use a specific port protocol combination of RDP, right, Windows Remote Desktop, to use it as a communication mechanism. So once they gained access, they were able to brute force, hijack credentials, gain access to the network.
And then by harvesting credentials, using tools that exist, unfortunately, all over the dark web, they were able to leverage credentials, then they were able to elevate those privileges, and now starts to deploy that payload that they were then going to execute at a later date around the network. And there's no way because they are going over standard ports and protocols, they're not doing anything that would raise any alarms of any anomalous behavior, because they're just traversing the network.
Similarly, the others, the Lake City and the Riviera Beach, are essentially doing the same types of things. They're going system to system. And ultimately deploying and leveraging the vulnerabilities that exist and whether it's the EternalBlue. Thank you, Edward Snowden, and the NSA, right? But they're deploying those payloads out to be executed, and ultimately are going to kick off the ransomware. Right? And then once that occurs, then you know, you say, "Okay, let me figure out where patient zero is. Let me cauterize, let me stop the bleeding, minimize the east west, how much of my network has been compromised, right?" So once it occurs, it's all about "Okay, you know, stop the bleeding, try to identify, minimize the damage, and then try to understand what the compromised landscape is." Because systems could be touched, and not necessarily be encrypted, the payload could have been deployed but not executed. Right, those kinds of things. So they're dirty, but they're still usable. So obviously, the systems that have been encrypted, your data is gone, you're going to have to rely upon backups at that point.
LO: Great. Yeah, that's a really good point.
ST: So then you end up with a situation where you're, you're looking to try and understand, "Okay, now that we've been able to identify the extent of the damage, the extent of the compromise, and across the landscape in the enterprise. How can I recover? Right?
Do I have adequate backups? Do I have off site backups?" Because a lot of these, and you know, let's think about ransomware attacks, the vast majority of the time they attack Windows systems, salvaging those Windows-based vulnerabilities. And oftentimes, you've got storage and backup and database mechanisms that are underlying applications and those types of things running on SQL server, running on Windows based environments, right. So your backups that are stored on Windows based environments are all of a sudden, unless they're offline, in an off-site facility, all of a sudden have become compromised themselves, then when you go to recover, you don't have a backup to recover to.
LO: It always kind of surprises me that, you know, a lot of these types of local governments don't have backups in place or don't have kind of these precautionary methods. Is that something that you're seeing? Is that something that governments are becoming increasingly aware of?
ST: So that that's an interesting question: Shortly after, probably midway through last year, I went and delivered a message on ransomware, to a consortium of state IT leaders across all of the state agencies for a large state down in the south. And it was sort of a lessons learned, right, it was "this is my experience, as a vendor, as an OEM, but this is my experience in seeing it firsthand," right? Because we very rarely are provided those opportunities to be in the front lines, as you had said earlier, right to sort of be in the thick of it, and to see the value that you can provide. So I was able to sort of relay this message to the state agencies, CIOs and CISOs. And one of the things that came out of it, they said, as I had wrapped up, or it was a Q-and-A, they said, one thing that I noticed that you didn't really mention in here, around lessons learned, is governance. And I said, "You know, I come from a very long history in the in the service management in the IT SIM space, and service desks and those types of things." And I said, "You know what, that's a great question." And that was something that was totally out of sight, out of mind for me, because I was so much in the incident response activities, that I wasn't thinking about the stuff that was having to take place to keep the lights on right behind the scenes. And one of the things that I really went back and sort of re-analyzed what I had been delivering to audiences was, you know, governance is a huge problem and a huge need. And not just disaster recovery plans and those kinds of things, but their reliance upon service desks. So the fact that you've got a disaster recovery plan and backups, or you don't, that becomes hugely problematic, right? So there's this sort of building block effect that takes place that you start to peel back. And if you don't have a foundation of some of these underlying technologies and processes, your ability to recover is significantly impacted, if not totally negated.
So when I talked to customers, when I talked to prospects I talked about definitely the need to ensure that there is a disaster recovery plan, that there are off site backups, you know, these kinds of things that are ultimately reliant upon ensuring that you've got an understanding of all your critical systems in your assets and your resources and all of that stuff. But yeah, the message of ensuring that there are backups, ensuring that there are off site backups and those kinds of things, very much becomes a topic that everybody says, "yep, we know we need it." And unfortunately, that was something that I think probably, if I remember correctly, both Riviera Beach and Lake City paid the ransom, correct?
LO: Yes, I think it was Lake City paid $500,000 and Riviera Beach paid $600,000.
ST: And the only reason in my mind that I could think that they paid those ransoms, was the fact that they did not have reliable backups that they could point to, right. They were like, "well, we had to because otherwise we would not have been able to provide services to our citizens."
LO: And I wanted to talk briefly about the pay versus not pay issue. Because like you said, Lake City and Riviera Beach both paid and both were criticized by the security community for this decision. But then, but when you look at Atlanta, I think they ended up spending $2.6 million and Baltimore dished out $18.2 million. And I mean, what are the pros and cons of going one way or the other? And what kind of decisions go into paying versus not paying from the standpoint?
ST: So I think, certainly from the government's perspective, from US-CERT and FBI and Secret Service, I think, pretty much their mentality is don't pay the ransom. Now, you know, it kind of comes down to one of those, the ransom that that Atlanta was originally asked was 50 some odd thousand dollars in Bitcoin. But I think when at the time, they sort of looked at it, and it was a… so I think there's multiple parts to the decision making process. Each of these to varying degrees, each of these entities have a have a cybersecurity insurance provider. The larger metropolitan areas have larger policies, I'm sure. And there are underwriters in those policies and whether it is, Deloitte, or an insurance underwriter, I think a lot of shots are called by them. I think Atlanta probably said, "look, we've got a legacy network and old legacy network. You know, we're going to take advantage of this opportunity, we're not gonna pay it. And we're gonna take advantage of the opportunity. And we are going to, we're going to build this sucker from the ground up, the right way." So if you hear Gary Brantley, the new CIO, and actually, Ty Hayes, the CTO and even the CISO, you hear each of them sort of talk about, you know, going forward, it's there is it's all about sort of the new and really sort of building out best from the word go. So I think part of it is attributable from a decision making process to the cybersecurity insurance provider, I think part of the decision making goes into, do we have, can we not pay the ransom? Can we just say you got backups? So we're good, right? Because you hear, I've heard less that have not paid than have paid.
But then when you when you deal with those that have, they've got the backups, right, they've got the good hygiene, from an operational perspective, maybe there was a negligent event that occurred that opened up the breach, but they could clean the environment, they could recover to the cloud, or recover from the cloud, and all of a sudden, they're up and running and no worse for the wear, and they could patch the hole relatively quickly. I think there's, just there's various schools of thought that the challenge that that the state and local government entities, unfortunately, face is if there wasn't a market for it, the adversaries wouldn't be trying to do it.
LO: Yeah. Right. It almost plays into what the bad actors want, and then also incentivizes other bad actors to do the same.
ST: Right. And honestly, one of the interesting things I have the luxury of being able to speak to, to regionalized industry professionals, security professionals, and was down in Florida recently and spoke to a group of folks down, down in Tallahassee, when I went to talk about sort of talking about the ransomware, there are things that are available, ransomware for hire, you could, you could go to the dark web, and request a hack for, you know, whatever, and you pay for it, somebody's going to give it to you, right. So ultimately, it makes it so easy. And 10 or so years ago, there was a study done that looked at the maturity level of adversaries. And, maturity level of the bad actors from a hacking perspective, has declined, right, rather steadily. But their ability to penetrate and to hack into the networks, and all of those kinds of things, has continued to increase. And that's because of the pervasiveness of what's out there, and what's on the dark web and all that stuff. Right. And it's just one of those things, that the more the problem exists, the more people pay, the more people pay the more the problem's going to exist. So it's this evil cycle, it just continues to spiral.
LO: This concludes part one of a two-part series on ransomware threats for local governments. Stay tuned for part two next week.