(TNS) — Last week's cyberattack on Louisiana ITI College in Baton Rouge — which followed similar attacks in New Orleans and elsewhere in the state — suggests that hackers have no intention of leaving Louisiana alone.
If that's the case, the state is in good company. More than 110 local and state governments across the country have faced similar problems, as cybersecurity, once a low priority for many jurisdictions, has become a top concern in the last year.
The attack method of choice is ransomware: malicious software that locks up computers and demands payment from its victims to allow them access. While it is not a new phenomenon, it has boomed as some governments, overwhelmed by sophisticated technology, have paid out big sums that have kept the thieves coming.
"Last year saw more publicly reported ransomware attacks against state and local entities than any other year ... and that's just the ones that were publicly reported," said Allan Liska, of Recorded Future, a Massachusetts cybersecurity firm.
Louisiana leaders have largely refused ransom requests so as not to fuel future attacks. But they have nevertheless paid big money to strengthen networks that hackers targeted this winter. The cost so far is in the millions and rising, officials at various city and state agencies said.
Other states and cities are paying similar sums to cure system vulnerabilities, which have opened the door to attacks that make it all but impossible to provide basic public services. Still others have simply caved to ransom demands, which, according to the chief of the FBI's New Orleans office, is one reason the attacks keep coming.
"With the exponential growth we’ve seen in malicious cyberattacks over the last five years, there’s no reason to expect that it’s going to change," Bryan Vorndran said.
The wave of publicly reported attacks against Louisiana in the last several months does not necessarily point to a specific problem with the state's systems. Officials note that the state has a more formal process for governments to report cybersecurity issues than many other areas, where such attacks may fly under the radar.
"I think we’re falling victim to having a more formalized process, a more aware government," said Dustin Glover, the state's chief information security officer. "These things are happening across the country and aren’t getting reported or aren’t getting called in."
Though so far no government in Louisiana has admitted to paying a ransom, others in the state may also find themselves on a target list for no other reason than the fact that one hack draws the interest of other attackers, Liska said.
International Bad Guys
Though finding the hackers can be difficult, many FBI investigations have traced attacks to organized crime syndicates in Iran, China, North Korea and Russia. Vorndran said these international mobsters were behind most of the more than 40 attacks on Louisiana agencies since last July.
Their motives are "purely financial," he said, adding that ransomware has become to mobsters these days what bank heists were to their predecessors decades ago.
Other attacks involve hackers-for-hire, who can be tapped by anyone from business owners seeking to harm their competitors to ex-employees seeking revenge on former bosses. The middlemen often complicate efforts to find the true culprit.
Ransomware attacks are up across all types of organizations, but there has been a particularly noticeable increase in attacks on local governments, Liska said. In part that's because local governments are more likely than private industry to publicly admit when they've been compromised, and those reports are then used in advertising for various malicious software schemes, he said.
Local governments also may appear to be juicy targets because they can't simply give up on reclaiming the data that's been maliciously encrypted, potentially making them more likely to pay a ransom.
Last year, officials participating in the U.S. Conference of Mayors agreed that their cities would not pay ransoms. "But when you’re faced with the possibility that if you don’t pay the ransom you’re going to lose access to things that you’re legally required to hold onto, what do you do?" Liska asked.
Ryuk, the malware used in recent attacks on Mayor LaToya Cantrell's and Gov. John Bel Edwards' administrations, is believed to have originated from an organized crime group in Russia. Ryuk often works with secondary programs like Emotet or Trickbot to infiltrate a system, in a process described by the cybersecurity firm Cybereason as a "triple threat."
When someone in city government or another target organization clicks on a phishing email, it enables Emotet, a program whose job is to collect information about a network, to go to work and drop Trickbot. Trickbot can then give a criminal thousands of miles away control of one victim's computer, steal system credentials for multiple users and spread to other network devices.
When given control of the targeted device, a human hacker checks to see if that machine is a good candidate for ransom. If it is, he or she will employ Ryuk, which uses the credentials Trickbot stole to move through the system, lock up files and leave ransom notes.
When the process is over, hackers will have obtained every piece of financial, personal or business data on a network. "You can never guarantee that they will never sell your data, or release your intellectual property of design," said Vince Gremillion, of ResTech, a cybersecurity consulting firm based in Metairie.
To Pay Or Not To Pay?
Local officials have said systems fell prey to Ryuk and to malicious emails. But it hasn't been made clear precisely who was behind the attacks or how deeply into government systems hackers were able to go.
Officials did say they disconnected computers to stop Ryuk in its tracks. They also said they refused to pay ransom and instead shelled out millions of dollars to rid their computers of malware and make other fixes.
Because ransoms are usually set low enough to encourage payment, many victims in other states have bowed to that pressure. Lake City, Florida, paid out a $460,000 ransom in June because recovering backed-up data that attackers had deleted could have cost three times that amount, city leaders told ProPublica. La Porte County, Indiana, paid a ransom of $130,000 in July.
Still, New Orleans' $7 million cost of recovery without a ransom paid was less than the $18.2 million Baltimore spent when it declined to pay ransom in May. It was also less than the $17 million Atlanta was projected to spend to fully recover after a 2018 hit, the Atlanta Journal-Constitution reported.
Gremillion said an attack's severity can depend on how many outdated operating systems were in a government's network.
Agencies that don't back up important data to external hard drives, the internet or the cloud are more at risk, Vorndran said. And any organization can be compromised if it doesn't train its employees to avoid dubious emails, the most common trigger of such attacks.
Governments don't often prioritize those precautions. "The city manager says, 'I have a huge opioid problem in my city. I can spend $2 million saving lives, or I can spend it on (preventing) an attack that may or may not happen,'” said Liska, the intelligence analyst.
Though New Orleans expects to spend $7 million to improve its systems after December’s attack, the city’s Information Technology & Innovation Office received only $15.8 million in 2019 — just over 2% of the city's $702 million budget that year, records show.
Some of the city's cost comes from the time city workers have spent wiping drives to ensure they are not still vulnerable and reinstalling and upgrading their software. But many of the city's costs are associated with purchasing new or improved software and replacing equipment that is too old to handle the upgrades, officials have said.
Before the attack, 1 out of every 5 city computers was too old to support a Windows 10 operating system, the latest Windows standard. New Orleans is now spending $1 million to replace those devices.
The cost to state government has been significantly lower. It has spent about $1.5 million responding to the attack on its systems, and most of that is for the salaries and benefits of the employees responding to the attack, said Jacques Berry, a spokesman for the Division of Administration. Another half-million dollars was spent on National Guardsmen who assisted in responding to both the state attack and those on local governments.
The lower costs borne by the state are largely because of an effort over the past five years to upgrade its equipment and software, which meant it needed to spend less money specifically to respond to the attack, said Glover, the state's information security officer.
In theory, that should have meant that most equipment simply needed to be wiped and restored, resulting in a relatively quick and cheap response for the state. However, equipment failures not directly related to the cyberattack were discovered during that process, leading to, for example, extended downtime for the Office of Motor Vehicles, Glover said.
The city has a $3 million cybersecurity insurance policy with AIG, and it is weighing whether to raise the amount. The state has a policy as well, though officials would not say how much it covers.
Such insurance can provide reimbursement for expenses related to attacks. But it can be problematic if word gets out of its existence, as enterprising criminals may see such policies as easy opportunities to get paid, Vorndran said.
That's a concern that is already weighing on city officials as they think about future attacks. While Cantrell has floated the idea of a $10 million insurance policy, members of her administration have declined to say exactly how much coverage is under consideration, for fear of making the city a more enticing target.
Because many state and local governments have insurance, "the attackers know that they can get money out of them, which means they are attacking that sector more than another sector," Vorndran said.
But Tim Francis, a vice president at Travelers Insurance, which insures the Ernest N. Morial Convention Center, said it's not that simple. While Travelers may negotiate with hackers to lower a ransom demand, the decision to pay or not is up to their client. The Convention Center, attacked Jan. 16, decided against it, officials have said.
"Certainly, it's not the first course of action to pay the ransom," Francis said.
©2020 The Times-Picayune | The New Orleans Advocate. Distributed by Tribune Content Agency, LLC.