2019: The Year Ransomware Targeted State & Local Governments

Another eventful year online, with more data breaches, malware battles and identity thefts. But the surge in successful, targeted ransomware attacks against governments and hospitals is the top 2019 cybersecurity story.

December 23, 2019

As 2019 winds to a close, the top cybersecurity story was clearly the targeted ransomware that caused major disruptions and operational and financial impacts for state and local governments and hospitals throughout the USA.   

Here is a sampling of the state and local government ransomware stories from 2019:   

And the overall ransomware trouble list goes on and on — and also includes hospitals and more. Here is a list of some of the top medical facilities hit by ransomware in 2019.

Some governments and hospitals paid the bad actors (criminals); others did not. Nevertheless, all of them suffered operational downtime, citizen frustration over the lack of services, financial impact and much more — including the political embarrassment of being a victim of cybercrime.

And the 2019 ransomware impact is actually larger than we know. Many other ransomware stories remained hidden from public eyes and are not even reported on these lists of ransomware incidents. (That is, the number of public and private ransomware cases is certainly higher than what was reported.)

Why did so many targeted cyberattacks hit counties, cities, townships, school districts, hospitals and other smaller government or nonprofit entities? 

Some say these organizations were ill-prepared to defend themselves. The bad guys saw this as “low-hanging fruit” when compared to attacking large banks, or taking on the U.S. Department of Defense (DoD) or some three-letter agency in Washington, D.C.

Others say governments (and hospitals and some nonprofit organizations) have no choice but to resolve the operational crisis as quickly as possible given the nature of their businesses and customer demands. This makes receiving payments more likely, with very public news stories adding fuel to the fire.    

CNN reported in October that in the last 10 months, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks. Here’s an excerpt:

“The attacks have targeted schools, local government offices and hospitals. One recent victim was a network of Alabama hospitals that had to stop accepting new patients because of a ransomware attack.

Last year, the firm tracked 85 attacks. That's a rise of nearly 65%, an average of nearly three attacks each week.

Complicating officials' abilities to track these attacks, many organizations choose not to report these incidents, hoping to avoid news coverage of the attack and resulting payout.

That means the total number is largely unknown.”

State Governments Join the Rescue

But why are state governments in this 2019 headline?

In addition to state governments that were hit themselves, such as Louisiana state government agencies, more and more states are working with local governments when they are hit with ransomware. For example, Texas opened its emergency operations center to assist local governments in responding to the incidents.

Maryland also helped Baltimore respond to its ransomware attack, even though the city initially did not want help.

“Initially, for the first week or so, it was very hard to actually get people in there to work with them, and I think that’s because there wasn’t this working, trusted relationship happening prior to the event,” said John Evans, the state’s chief information security officer, according to a transcript of the May 22 council meeting obtained by The Baltimore Sun. “We almost felt a little bit like being kept at arm’s length. …”

Evans told the cybersecurity panel that the state’s help would have been accepted “much faster” if a pre-existing “cohesive relationship” had existed between state and city information technology staff.

“Since my guys have been there, I think there’s been some — they’ve contributed to some really significant work, and I think we could have been getting through things faster had that already been in place,” he said, according to the transcript.

Back in July 2019, CISA, MS-ISAC, NGA & NASCIO recommended immediate action to safeguard against ransomware attacks.

New (Scary) Ransomware Developments

A review of the top cybersecurity prediction lists for 2020 shows that most security industry experts expect even more targeted ransomware in 2020 and beyond. The surge in these predictions, with a special emphasis on new targets, is another indication of how bad things got in late 2019.

For example, Krebs on Security reported in December that nonpaying ransomware victims are facing new challenges.

“As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.

Less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.

As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us this was coming.

“For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data would be publicly released,” said Lawrence Abrams, founder of the computer security blog and victim assistance site BleepingComputer.com. “While it has been a well-known secret that ransomware actors snoop through victim’s data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it.”

It is also worth noting that 2019 did not start off with ransomware appearing to be the top story, with this eWeek article describing a drop in ransomware at the start of 2019.

Review of Top Cybersecurity Stories in each of the Past Five Years

As a reminder, here are the top cybersecurity story year-end summary headlines since 2014:

2014: The year cyber danger doubled

2015: The year data breaches became intimate

2016: The year hackers stole the show with a cause

2017: The year hurricanes devastated land, data and trust

2018: The year privacy took center stage

Other Top Cyberstories For 2019

As is the case every year, there were numerous large and consequential data breaches all over the world, with the top data breaches chronicled here.

“And it's not just manic media coverage. The total number of breaches was up 33% over last year, according to research from Risk Based Security, with medical services, retailers and public entities most affected. That's a whopping 5,183 data breaches for a total of 7.9 billion exposed records. 

In November, the research firm called 2019 ‘the worst year on record’ for breaches.”

And yet, as I say every year, I resist the urge to call this the year of the data breach. (If I did, every year would be the year of the data breach.)

I also think that this perspective on data breaches is helpful, as we think about what year data breaches actually happen (or get recorded).

This list from Tech Republic of top cybersecurity stories of 2019 is also helpful — especially the first three items. Here’s No. 3:

“Continued threat of Android malware. According to IDC, global Android market share rose to 87% in 2019. With over 2.5 billion active Android devices, logic dictates that it is the biggest target for attacks, and logic is correct. Attacks like xHelper and Joker, as well as the adware attacks found in Google Play Store apps, prove that Android has a way to go before it can claim to be a fully secure platform. 

Fortunately, Google is always working to harden the operating system; only recently, it announced that it is looking into moving toward the Linux mainline kernel. If that happens, the Android kernel could be updated in a timely fashion, giving it a much-needed security boost.”

Privacy (in many forms) was a top five story again (after being the No. 1 story last year). Mary Meeker’s Internet trends report shows this with facts like: “As privacy becomes a bigger selling point, expect more options to make your online communications safe. In Q1, 87 percent of global web traffic was encrypted, up from 53 percent three years ago.”

Other 2019 highlights from Mary Meeker include:

  • The internet will become more of a cesspool: Getting rid of problematic content becomes more difficult on a large scale, and the very nature of internet communication allows that content to be amplified much more than before. Some issues: 42 percent of US teens have experienced offensive name-calling online, terrorists are being radicalized on sites like YouTube, and social media has encouraged increased political polarization.
  • Health care is steadily becoming more digitized. Expect more telemedicine and on-demand consultations.
  • Internet use — China 21%, India 12%, USA 8%
  • Mobile killing PCs

All of these have cybersecurity implications, as does the rise of deepfakes, which may well become the top story next year, if cybersecurity industry experts are correct in their new year predictions.   

2019 Wrap-up

Is there a single biggest root cause or challenge that we faced in 2019 that enabled these issues to become so huge?

According to Michael Dent, CISO in Fairfax County, Va., it is a lack of leadership.

“Cyber breaches have reached a record 5+ billion records thus far in 2019, and the year isn’t over yet. Financial, entertainment, healthcare, education and government industries or businesses have had data breaches in 2019. I am not sure there is an industry that hasn’t suffered a breach or exposure and I’m left to wonder how many more have suffered incidents and have not reported them.

When I peel back the onion, there is one commonality among all of them – LEADERSHIP FAILURE. This is where we turn-on the light and the roaches disperse, hide, build excuses, start pointing fingers and ultimately punish those that warned leadership in the first place. …”

Others talk about a lack of cyber talent overall and/or the fact that the criminal actors are staying one step ahead of the good actors.

There are many other online developments for good and bad this year — from new Internet of Things (IoT) inventions, including smart city advances and vulnerabilities, to robots and 5G. Also, the rise in importance of AI continued on schedule in 2019.  

But, I will end this year-end summary with a quote from Martin Luther King Jr.

"We are not makers of history. We are made by history."
