Sophos published a new sectoral survey report, The State of Ransomware in State and Local Government 2022, which found that 72% of state and local government organizations hit by ransomware had their data encrypted, 7 percentage points above the cross-sector average.
Only 20% of state and local government organizations stopped the attack before any data could be encrypted, well below the cross-sector average of 31% (a further 8% had their data held for ransom but not encrypted). At the same time, the sector had one of the lowest attack rates, with 58% of organizations hit by ransomware in 2021.
“Traditionally, government organizations haven’t been prime targets for ransomware attackers, since they don’t have as much money as traditional businesses, and criminal groups are reticent to attract attention from law enforcement. However, when these organizations do get hit, they have little in the way of protection because they don’t have the budget for additional, in-depth cybersecurity support, including threat hunting teams or security operations centers,” said Chester Wisniewski, principal research scientist, Sophos.
Wisniewski added that there are a few reasons why government organizations struggle to protect their data. They collect large quantities of data that also need to be readily accessible. Budgets are spent on the premise that most of the money goes to the area or location: taxpayers can see whether streets are being built or schools are meeting education goals, but a cyberattack is not visible, so it is harder to explain why a Managed Detection and Response (MDR) provider might be necessary to defeat ransomware.
In addition to experiencing a high encryption rate, the government sector also experienced a significant drop in the amount of encrypted data recovered after paying the ransom when compared to 2020—58% in 2021 versus 70% in 2020; this was also lower than the cross-sector average of 61%.
Ransomware attacks against local government entities increased by 70% in 2021: 58% were hit, compared with 34% in 2020. The average ransom paid by the private sector was three times what it cost government entities to respond to an attack.
“If we look at what happened with the city of Atlanta, Georgia, back in 2018, they ultimately ended up paying $17 million to recover from an attack that asked for $50,000 in ransom. This is often the case with local and state government organizations—they spend far more on recovering and catching up with current security practices than they do on the actual ransom demand, should they choose to pay it. While getting the initial buy-in may be hard, in the long term, preemptive cybersecurity measures are a far better alternative than bolstering defenses after an attack,” said Wisniewski.
Sophos experts recommend a few practices: install and maintain high-quality defenses across all points in the environment, and review security controls regularly to make sure they continue to meet the organization’s needs. Identify and halt adversaries before they can launch an attack by actively hunting for threats; if the team lacks the time or expertise to do this internally, outsource it to a Managed Detection and Response (MDR) provider. IT teams should close security gaps as soon as possible, and Extended Detection and Response (XDR) solutions are well suited to this. Make backups and practise restoring from them, so that disruption and recovery time are kept to a minimum. Last but not least, prepare for the worst-case scenario and keep an up-to-date incident response plan.