Together with federal authorities and other partners, the state government has stepped in to help municipalities ailing from the large, coordinated attack that left town data locked up by malware.
Texas is still recovering after nearly two dozen jurisdictions there were hit by ransomware attacks in recent weeks, with the state government stepping in to help mitigate the aftermath.
The attacks — which took place Aug. 16 — affected 22 different towns and are believed to have been the work of a single threat actor. It has been called one of the "largest coordinated attacks" of its kind ever seen in the U.S.
Former state CISO Edward Block said that he never encountered such a large-scale "coordinated attack-— especially against municipalities" during his term, but that the state's Department of Information Resources is equipped to respond to such events. Block, who served with the DIR from 2015 to 2017, said that, in this case, the systems that DIR runs — including the Network Security Operations Center — would likely be crucial to response.
Since the attack, the DIR has been in charge of implementing response operations, and it has coordinated with a cadre of federal and state authorities — including the FBI, DHS, and the state's divisions of emergency management and the military — on information sharing, investigation and IT deployment to affected communities.
State response was initiated by the governor's declaration of a "Level 2 Escalated Response" — the second highest level of the state's four-step emergency response protocol. According to the state's emergency management guide, local officials may reach out to the Governor's Office for aid through the state Security Operations Center in such cases, requesting support through resources and manpower.
Block noted that many of the jurisdictions involved were smaller communities, lacking their own dedicated IT security people. In some cases, cities like those outsource their entire IT system, and it's not a given that third-party IT providers have security staff either, at least not staff that is capable of responding to this sort of event.
One affected community is Keene — a small city with a population of some 6,000 people. The attack knocked out part of the city's financial system that processes credit card payments, which means transactions have to be performed via check or cash. The ransomware attack did not affect other areas of service delivery, said Landis Adams, Keane's economic development director.
"It’s just hindered us — we’ve had to go old school,” he said. “Back to analog.”
The state reached out to Keene and notified officials that what had occurred was a ransomware attack, said Adams. They subsequently sent teams of IT professionals to investigate and assist with recovery, he added.
The first step of the state process in cases like this is response and assessment. Block noted that this involves determing if the culprit is ransomware or "a new type of attack." Fortunately, federal partners provide assistance on determinations like that, having a broader perspective and deeper knowledge base of cyberattacks. The next step is to assess the data that is involved.
After that, officials will buckle down trying to help communities recover what they've lost.
In Keene, Adams said state authorities have also been a big help, describing them as "a very good asset to the city."
Like Keene, Lubbock County was also targeted. Unlike many other communities, however, Lubbock's IT department was able to effectively locate and isolate the ransomware before it spread — making it a case of an infected computer instead of a whole network.
“We got activity of malicious code on our system and basically at that time we didn’t know where it came from or what it was,” said Isaac Badu, the county’s IT director. When confronted with potential malicious activity on a county computer, staff have been educated to both contact the IT department and turn off the suspicious computer, which "stops any additional spread," Badu said.
Still, state authorities reached out to Lubbock to investigate and confirm that what had occurred was a ransomware attack. Files from the affected computer were scanned and uploaded to a state system for analysis, said Badu. They found that the problem stemmed from "something implanted in the user's profile." That likely means it involved downloading something problematic.
Block said he believes that increased information sharing between federal, independent and state and local agencies could help to avert attacks in the future, though he noted it will be an uphill battle for smaller communities.
"Unfortunately, I don't think we've seen the peak of it yet. It is painfully easy for the attacker to execute. ...The market is very lucrative for those attacks. As long as people are still paying, they will continue to happen," he said.