Guest Editorial by Otavio Freire, President, CTO and Co-Founder, SafeGuard Cyber
Most organizations will suffer at least one ransomware attack in any given year. The average attack costs over $730,000, and the total annual cost of ransomware is estimated at a minimum of around $6bn and could be as high as $170bn.
The primary victims of this devastating cyber threat? Public sector organizations.
Bad actors are targeting governments, schools, and other public institutions with extra venom.
Ransomware is proving to be such a problem for the public sector primarily because of the rise of third-party cloud channels: social media tools, messaging apps, and collaboration platforms.
Therefore, public sector security leaders must recognize that ransomware is no longer only an email issue, and properly protect themselves.
(The Clark County School District announced that the “data security incident” on Aug. 27 was a ransomware attack. Courtesy of FOX5 Las Vegas and YouTube. Posted on Sept 8, 2020.)
An Expanding Attack Surface for Ransomware
Local government bodies are more likely to be targets for ransomware attacks than any other type of organization.
In 2019, attacks against 966 US government, healthcare and educational entities cost $7.5bn. In 2020, 44% of all ransomware attacks have been aimed at municipalities.
Why is the ransomware epidemic getting worse, and why are public sector organizations struggling to protect themselves?
As with any complex cybersecurity trend, the causes are complex. Email gateways are overwhelmed. Encryption and malware technologies are simultaneously better and more accessible than ever.
Organizations are becoming interconnected, meaning threats can spread easily.
However, the main reason the ransomware epidemic is worsening is the rise of third-party cloud channels.
Email security is a $3bn industry. Comparatively, social media platforms and collaboration tools are woefully unprotected.
Despite an explosion in the use of cloud channels, especially collaboration platforms, the corresponding security layer has been lagging behind.
The consequence is an expanded attack surface, without corresponding protections. A dangerous gap, and cybercriminals know it.
This is why they are increasingly focusing on third-party cloud channels. Ransomware attacks delivered through social media rather than email account for an ever-increasing proportion of attacks.
Facebook has seen 176% year-on-year growth in phishing URLs, many of which lead to ransomware payloads.
Like private companies, public sector institutions increasingly rely on social media to communicate with external individuals.
Just recently, LA County schools had to use Instagram to communicate with parents after suffering a ransomware attack.
They also rely on collaboration tools to drive internal processes.
As these cloud channels become central to daily operations, the likelihood of a damaging ransomware attack rises.
Disrupting the Ransomware Kill Chain
Social media ransomware attacks typically mimic their email counterparts: bad actors send a malicious link via a direct message.
They often impersonate a known individual; with government employees, they might pose as recruiters, conference organizers, or another suitable role.
Usually, the link leads to a page that spoofs a real login page and harvests the victim's credentials. With those credentials in hand, the bad actor can unleash whatever they like: crypto-malware, doxware, a locker, or some other form of ransomware.
Alternatively, if they have a longer-term objective, the attacker may wait and move laterally instead, establishing persistence and command and control, exfiltrating data, and only then deploying ransomware across the environment for a far more severe impact.
The malicious messages that transport ransomware are typically the sharp point of a spear-phishing attack. The attack will have been developed using an element of social engineering.
It is frighteningly easy to perform research on an individual, especially one associated with a public body. The information gleaned can be all a bad actor needs to craft a convincing pretext that manipulates the target into clicking the malicious link once it is sent.
What’s more, ransomware is often delivered as part of a multi-stage attack process, and may occur across several attack surfaces, including cloud channels, email, and remote access management tools.
It is therefore important to coordinate defensive countermeasures across all of these vectors. Threats need to be halted in the cloud before they can transit into networks.
It’s crucial for enterprises to gain visibility into these channels.
Public sector bodies need software solutions that leverage machine learning to detect both known and unknown forms of ransomware.
These tools must be able to keep up with the volume and velocity of modern digital communications, immediately scan all messages, proactively monitor all digital communications, and immediately detect and quarantine anything problematic.
Finally, a solution that provides these capabilities should also integrate with endpoint detection and response (EDR) tools, so that a link that slips past message scanning is still caught when its payload runs.
This up-to-date form of digital risk protection is key.
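As an added example (not code from this editorial or from SafeGuard Cyber's platform), the following shows the kind of link check a message scanner for direct messages and collaboration channels would run before delivery, covering the spoofed-login-page pretexts described above. The allowlisted login hosts, brand words, thresholds and sample messages are all constructed for illustration; a production scanner would add URL expansion, a public suffix list, and reputation feeds.

```python
"""Scan DMs from social / collaboration channels for links that spoof a login page.

Added example; not code from the editorial or from SafeGuard Cyber. The host
allowlist, brand words, thresholds and sample messages are constructed for
illustration only.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Login hosts the organization legitimately uses (assumed allowlist).
KNOWN_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "accounts.google.com",
    "www.facebook.com",
    "slack.com",
}
# Brand words attackers embed in lookalike hostnames (assumed list).
BRAND_WORDS = ("microsoft", "google", "facebook", "slack", "office365")
# Shorteners hide the real destination; expand them out-of-band before allowing.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). A real scanner should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as micros0ftonline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> list[str]:
    """Return the reasons a link looks like a credential-phishing page ([] = clean)."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["unparseable host"]
    if host in KNOWN_LOGIN_HOSTS:
        return []  # exact match to an allowed login host
    reasons: list[str] = []
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("IDN/punycode host")  # homoglyph domains
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP host")
    if host in SHORTENERS:
        reasons.append("URL shortener (expand before allowing)")
    known_regs = {registrable(g) for g in KNOWN_LOGIN_HOSTS}
    reg = registrable(host)
    for good_reg in sorted(known_regs):
        # Compare the second-level label: micros0ftonline.com vs microsoftonline.com
        if reg != good_reg and edit_distance(reg.split(".")[0], good_reg.split(".")[0]) <= 2:
            reasons.append(f"lookalike of {good_reg}")
            break
    if reg not in known_regs and any(b in host for b in BRAND_WORDS):
        reasons.append("brand name on unrelated domain")  # e.g. microsoft-login.attacker.tld
    return reasons


def scan_message(sender: str, text: str) -> dict:
    """Verdict for one DM: quarantine if any link in it has a finding."""
    findings = {u: classify_url(u) for u in URL_RE.findall(text)}
    flagged = {u: r for u, r in findings.items() if r}
    return {"sender": sender, "action": "quarantine" if flagged else "deliver", "findings": flagged}


# Constructed sample DMs, modelled on the recruiter / conference-organizer pretexts above.
SAMPLE_DMS = [
    ("recruiter_jane", "Saw your profile, apply here: https://login.microsoftonline.com/"),
    ("conf_organizer", "Speaker portal login: https://micros0ftonline.com/login"),
    ("it-helpdesk", "Re-authenticate your O365 account: https://microsoft-login.example-host.com/sso"),
    ("colleague", "Meeting notes are in https://myteam.slack.com/archives/C123"),
    ("unknown", "You have to see this https://bit.ly/3abc"),
    ("vendor", "Sign in to confirm the invoice: https://xn--gogle-wsa.com/signin"),
    ("citizen", "No link here, just a question about permit hours."),
]

if __name__ == "__main__":
    for sender, text in SAMPLE_DMS:
        verdict = scan_message(sender, text)
        print(f"{verdict['action']:10} {sender:15} {verdict['findings'] or ''}")
```

Subdomains of an allowlisted registrable domain (the Slack workspace link) pass, while a brand name sitting on an unrelated registrable domain, a one-character typosquat of a known login domain, a punycode host, a raw IP or a shortener are all quarantined for review. Shorteners are flagged rather than blocked outright because the real destination is unknown until expanded.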
Once this is in place, CISOs at public sector bodies can implement other, more bread-and-butter anti-ransomware policies:
Back Up and Test Restoring.
Public sector organizations must perform data backups as regularly as possible. These should be combined with backup-and-restore drills.
Educate Employees on Cybersecurity Best Practices.
A recent study by Kaspersky reveals nearly half of employees don’t know how to respond to ransomware attacks. This has to change. Employees should gain a basic understanding of ransomware, and what to do if they encounter it.
Constantly Update and Patch Operating Systems and Software.
Attackers are always on the hunt for vulnerabilities that can be exploited. IT professionals need to be equally rigorous. Constantly updating systems and patching software helps reduce exposure to vulnerabilities.
Ransomware is not going anywhere anytime soon.
But with sophisticated digital risk protection, public sector organizations can detect and neutralize ransomware threats before they become a major issue.
ABOUT THE AUTHOR
As the President, CTO, and Co-Founder of SafeGuard Cyber, Otavio Freire is responsible for the development and continuous innovation of SafeGuard Cyber’s enterprise platform, which enables global enterprise customers to extend cyber protection to social media and digital channels.
He has rich experience in social media applications, Internet commerce, and IT serving the pharmaceutical, financial services, high-tech, and government verticals.
Mr. Freire has a BS in Civil Engineering, an MS in Management Information Systems, and an MBA from the University of Virginia Darden School of Business, where he currently serves as a visiting executive lecturer.