Texas Ransomware Attack Presents Opportunity for MSSPs, Other Providers
The attackers are demanding a collective ransom of $2.5 million.
Ransomware attacks hit 22 Texas cities last weekend, with evidence pointing to a single threat actor, as the impacted entities struggle to return to normal operations.
According to the Texas Department of Information Resources (DIR), as of Tuesday, more than 25% of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number back to operations as usual. Most of those targeted by the ransomware attacks were smaller local governments.
Because this is an ongoing federal investigation, DIR said it can’t provide additional details about the attack.
According to NPR, those responsible are demanding a collective ransom of $2.5 million, and so far there are no indications that the amount has been paid.
Terry Ray, senior vice president and fellow at Imperva, tells us there already have been at least 23 reported cyberattacks on the public sector in 2019, from Fisher County, Texas, to Flint, Michigan, to Albany and Baltimore, and now towns all across Texas. It’s only a matter of time before cities realize they can’t afford these infections and dedicate the resources needed to improve their security posture, he said.
“MSSPs and cybersecurity providers can help by making advanced data security solutions available, accessible and easy to implement for city governments,” he said. “These attacks should present an opportunity to MSSPs and providers. Like any cyberincident, the victims should execute a remediation plan, as well as a risk-based review of all critical assets, especially data, and how it’s accessed and stored. Security service organizations are almost always going to be equipped to provide enterprise level security for any size organization. Though, I’ll add, that no security is 100%. Organizations simply work to reduce risk to an appropriate level based on the asset.”
Chet Wisniewski, principal research scientist at Sophos, said starting with his company’s research from 2018 on the SamSam ransomware crew, “we began to see a shift in the threatscape to a new generation of ransom attacks.”
“As we dove deeper, we predicted the convergence of bespoke ransomware attacks into what we are now calling automated, active attacks (AAA),” he said. “These attacks netted larger and larger ransoms, but at a much smaller volume than previous ransom schemes. Recently, we began seeing a rise in supply chain compromise as a method of increasing the scale of attacks without increasing the workload on the criminal’s resources. Sadly, our prediction that this would likely escalate has proven true as we observed with the Texas municipality attacks this week.”
Shared/managed services are critical to improving security at many organizations, especially municipalities that cannot afford enough full-time security staff and need top expertise, Wisniewski said. However, they must be held to account for the privileged access they have been granted, he said.
“Too often, shared service providers have shared credentials for staff to obtain remote access to systems, exposed remote access services for convenience and one set of administrative credentials that are the keys to not just their own kingdom, but to all who have placed their trust in them,” he said. “This makes them ideal targets for criminals as we have seen previously with cloud service providers and payment services firms.”
All shared service providers should be required to use multifactor authentication (MFA) in combination with VPNs for remote access to systems for administrative purposes, Wisniewski said. Don’t let shared services turn into shared susceptibility, he added.
David Dufour, Webroot’s vice president of engineering, said cities need to stop being such easy targets. They can do this by maintaining a better understanding of their risks and threats, improving internal security awareness training, hiring dedicated personnel to enforce proper security procedures and implementing regular audits, he said.
“Cities also need to ensure they’re locking down their remote desktop protocol (RDP) terminals,” he said. “But the most important thing they can do is back up their data and ensure they can restore that backup in the case of a ransomware infection.”
Many cities are only one small step ahead of consumers in terms of security, so they will continue to be targeted heavily, Dufour said.
“Cities often say they can’t afford more security, but as the ransomware infections continue, they will eventually realize they actually can’t afford not to improve their security,” he said. “MSSPs can help by providing advanced security monitoring tools, endpoint protection solutions, and security awareness training programs.”