6/10/2024

ITDRC Offers Lifeline for Virtual Disasters

“Your office of emergency management prepares for a tornado or a flood or earthquake, and we need to think about ransomware the same way…It can have as big of an impact as a tornado ripping up the middle of your town,” said Brandon Uselton, Interim IT Manager at City of Texarkana Texas and City of Texarkana Arkansas.

You may have seen it on the news, or you may have suffered the intrusion yourself, but lately there is no escaping ransomware. In the past year, ransom demands tied to stolen data and personal information have run upwards of $70 million.

It’s no longer if an attack will occur, it’s when.

“Ransomware impacts on key critical resources like public safety and utility infrastructure can be catastrophic, and commands the same sense of urgency as a physical disaster,” said Joe Hillis, Operations Director of the Information Technology Disaster Resource Center. The nonprofit has seen a spike in requests for assistance from local government and education agencies in the last two years, including Texarkana.

The Encryption Works Fast

On December 6, 2020 an encryption event started to take hold of the twin Texarkana cities, located on the Texas-Arkansas border.

The cities share many things — including an IT department, and a common network.

It started with a phone call from a city employee, who notified IT that something didn’t seem right.

“The IT technician figured out what was happening pretty quickly, and called the on-call technician who in turn called the rest of the department,” said Uselton. “We did a total department recall, that’s the first time in 30 years of my department that we’ve done a total department recall.”

Every staff member was brought back into the department on Sunday morning while Uselton and his team went to each data center in the cities’ environment. The technicians “started jerking cables to bring stuff down,” in hopes of limiting the damage from the attack.

What is Ransomware?

Ransomware is malware that encrypts the files on the systems it infects, holding the systems and their data hostage. The criminals behind it demand a ransom payment by a deadline, threatening to delete the files, leave them permanently locked, or publish copies of stolen data. Many strains are built to spread rapidly across an entire network, and that is exactly the type of attack that occurred in the 2020 Texarkana encryption event.

Attacks are not only becoming more frequent, but more aggressive. Modern ransomware targets critical data and is designed to spread across the whole enterprise quickly. With money on the line, attackers want recovery to be as difficult as possible, so before encrypting they often delete local backups and volume shadow copies and disable the operating system’s recovery tooling.
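The backup deletion described above is one of the few moments before encryption when a defender can still catch the attack, because the commands involved are distinctive. The following detector, added here as an example and not tooling from ITDRC or the Texarkana IT department, scans process-creation events for those commands. The log format, host names and user names are constructed; the rule patterns cover publicly documented Windows commands (vssadmin, wmic, wbadmin, bcdedit) that ransomware families run to wipe shadow copies and disable recovery.

```python
"""Flag backup-destruction commands in Windows process-creation logs
(Sysmon event 1 or Security event 4688 exported as text).
Added example; the export format and all hosts/users are constructed."""
import re
from dataclasses import dataclass

# Publicly documented pre-encryption commands. Matched case-insensitively
# after double quotes are stripped, so a quoted full path still matches.
BACKUP_DESTRUCTION_RULES = [
    ("vss_shadow_delete", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vss_resize_storage", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("wmic_shadowcopy_delete", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("wbadmin_catalog_delete", r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    ("bcdedit_disable_recovery",
     r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("ps_shadowcopy_delete", r"win32_shadowcopy.*\.delete\(\)"),
]

# Constructed export format: "<ts> host=<name> user=<domain\user> cmd=<command line>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: one workstation runs the classic four-command sequence,
# a file server resizes shadow storage, and a third host just opens Word.
SAMPLE_LOG = """\
2020-12-06T05:10:02Z host=TXK-WS117 user=TXK\\jdoe cmd="C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet
2020-12-06T05:10:03Z host=TXK-WS117 user=TXK\\jdoe cmd=wmic shadowcopy delete
2020-12-06T05:10:04Z host=TXK-WS117 user=TXK\\jdoe cmd=bcdedit /set {default} recoveryenabled No
2020-12-06T05:10:05Z host=TXK-WS117 user=TXK\\jdoe cmd=wbadmin delete catalog -quiet
2020-12-06T05:11:40Z host=TXK-FS01 user=TXK\\svc_backup cmd=vssadmin resize shadowstorage /for=D: /on=D: /maxsize=401MB
2020-12-06T05:12:00Z host=TXK-WS042 user=TXK\\asmith cmd="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_line(line):
    """Return the event fields as a dict, or None for lines in another format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Name of the first matching rule, or None if the command line is benign."""
    cleaned = cmd.replace('"', "")
    for name, pattern in BACKUP_DESTRUCTION_RULES:
        if re.search(pattern, cleaned, re.IGNORECASE):
            return name
    return None


def scan(lines):
    """Run every rule over every parsable line and collect the hits."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rule = classify(ev["cmd"])
        if rule:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], rule, ev["cmd"]))
    return alerts


def hosts_with_burst(alerts, min_rules=2):
    """Hosts that tripped at least min_rules distinct rules. A backup admin may
    run vssadmin once; a host that deletes shadows, wipes the catalog and
    disables recovery within seconds is almost certainly about to encrypt."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for a in hits:
        print(f"{a.ts} {a.host} {a.user} {a.rule}: {a.cmd}")
    print("isolate first:", hosts_with_burst(hits))
```

Single hits are worth a ticket; a host that trips several rules in a row is worth pulling off the network before anyone finishes reading the ticket. The resize on the file server is the kind of ambiguous event (it can be legitimate maintenance, or ransomware shrinking shadow storage to purge old copies) that needs a human to confirm.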

According to Trend Micro’s security roundup report, there were over 61 million ransomware attacks detected in 2019.

The Texarkana technicians tried to isolate the attack, but by the time they arrived the encryption had already spread throughout the enterprise. The mass unplugging was still partly successful: it stopped the attack from encrypting all of the cities’ data.

“We need to plan, we need to have the plan in place, we need to have the understanding that it’s going to happen again but what can we do to mitigate the attack when it does hit,” said Uselton. “It’s really brought cybersecurity to the forefront of the mind of our users.”

Even a small ransomware attack can seriously impair a local government’s ability to provide services to its citizens, particularly if the attackers reach and damage 911 systems or water production and treatment systems.

How do Systems Become Infected?

The most common way ransomware reaches a computer is a phishing email carrying a malicious link or attachment. The message is crafted to appear to come from a trusted source. Once the user opens it and clicks the link or attachment, the malware installs itself and begins spreading to other computers on the network, often over the same file shares and remote-administration tools the organization’s own staff use. Malware can arrive through email, online messaging, text messages, or downloaded attachments.
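The lure described above usually leaves fingerprints in the message itself: a display name that shows one address while the real sender is another, a sender domain that imitates a trusted one, a Reply-To that routes answers elsewhere, a link whose visible text and real destination differ, and an attachment with an executable extension hidden behind a document name. The triage function below, added here as an example rather than code from the article or ITDRC, checks a raw message for each of those. The trusted domain example.gov, the lookalike examp1e.gov, every address and the two sample messages are constructed placeholders.

```python
"""Header, link and attachment checks for a suspected phishing email.
Added example with constructed messages; all domains are placeholders."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.gov"}  # assumption: the organization's own domains
DANGEROUS_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat",
                 ".cmd", ".ps1", ".lnk", ".iso", ".img"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    m = re.match(r"https?://([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Trusted domain this one imitates (examp1e.gov -> example.gov), else None.
    A similarity ratio is a crude test, but it catches single-character swaps."""
    if domain in trusted:
        return None
    for t in trusted:
        if SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None


def triage(raw):
    """Return a list of (check, detail) findings; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # Display name carries an address that differs from the real sender.
    shown = EMAIL_RE.search(name)
    if shown and domain_of(shown.group(0)) != from_dom:
        findings.append(("display_name_spoof", f"shows {shown.group(0)}, sent by {addr}"))

    # Sender domain imitates one we trust.
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(("lookalike_sender", f"{from_dom} resembles {imitated}"))

    # Replies are steered to a third domain.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"Reply-To {reply_dom}, From {from_dom}"))

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # Final extension decides what Windows runs: report.pdf.js is a script.
            ext = "." + filename.lower().rsplit(".", 1)[-1]
            if ext in DANGEROUS_EXT:
                findings.append(("dangerous_attachment", filename))
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown_host = host_of(re.sub(r"<[^>]+>", "", text))
                if shown_host and shown_host != host_of(href):
                    findings.append(("link_text_mismatch",
                                     f"shows {shown_host}, goes to {host_of(href)}"))
    return findings


# Constructed lure: spoofed display name, lookalike domain, foreign Reply-To,
# mismatched link, script attachment disguised as a PDF.
PHISHING_MESSAGE = """\
From: "IT Helpdesk <helpdesk@example.gov>" <helpdesk@examp1e.gov>
To: jdoe@example.gov
Reply-To: support@mail-recovery.example.net
Subject: Action required: mailbox quota
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox is almost full. Review usage at
<a href="http://portal.examp1e.gov/login">https://portal.example.gov/quota</a>.</p></body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="Quota_Report.pdf.js"
Content-Disposition: attachment; filename="Quota_Report.pdf.js"
Content-Transfer-Encoding: base64

dmFy
--BOUNDARY--
"""

# Constructed legitimate notice for comparison.
CLEAN_MESSAGE = """\
From: IT Helpdesk <helpdesk@example.gov>
To: jdoe@example.gov
Subject: Maintenance window Saturday
Content-Type: text/plain; charset="utf-8"

Email will be unavailable 02:00-03:00 on Saturday for patching.
"""

if __name__ == "__main__":
    for check, detail in triage(PHISHING_MESSAGE):
        print(f"{check}: {detail}")
    print("clean message findings:", triage(CLEAN_MESSAGE))
```

None of these checks replaces a mail gateway, and a well-run lure can pass all of them; their value is in turning "something didn’t seem right" into a concrete reason the help desk can act on before the link is clicked.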

“It can be completely catastrophic,” Uselton explained. “So December through February, ITDRC was basically running our city.”

With its mission focused on disaster response, ITDRC offers a lifeline to municipalities hit with ransomware. The organization’s cyber incident support includes providing temporary internet connectivity and an isolated network infrastructure, temporary computer hardware, and technical assistance to assess damage and help with re-imaging computers.

Texarkana Municipal Utilities Facility

ITDRC responded to Texarkana the day after the ransomware attack, providing more than 200 laptop computers, a server, and an expert team of volunteer technical professionals to support Uselton’s department.

“The aid from ITDRC did two huge things for us. ITDRC was not only able to send some warm bodies to help us rebuild, but ITDRC also managed to send some technicians that were familiar with the kind of solutions that I had in my environment,” said Uselton.

Texarkana city employees were able to use the temporary computers to continue work from home, while the IT department worked towards recovery.

The incident occurred during an already difficult time for the cities, which were facing COVID-19 spikes along with the rest of the state. Working in close proximity for 14–18 hours a day, all but two team members were sidelined by the virus.

Recovery from the attack essentially stopped for two weeks after the positive tests among the team members. Yet Uselton and his team still say the ransomware attack yielded some positive change, “as much as I hate to say it.”

Six months after the attack, the IT department was still sorting unencrypted data from drives full of encrypted data. But security is now forefront in the minds of the users.

Would it have just been easier to pay the ransom? Answers may vary depending on what information has been compromised, and whether it can be recovered from backups. But it’s a decision that is best made with the organization’s leadership and legal counsel.

Law enforcement and industry security experts discourage paying any ransom. Paying is not a contract that ends when the money is received: there is no guarantee that the decryption tool will work, or that stolen data will be returned or deleted rather than sold or leaked. Paying can also mark you as a willing target for future attacks.

According to the Texas Department of Information Resources office of the Chief Information Security Officer, in 2020 there was a 300% increase in the amount of ransoms paid, compared to the previous year.

“I worked in military intelligence originally, so for me it’s very black and white,” said Uselton. “It’s we don’t pay the ransom because the funds would go to support the criminal organizations or the terrorist organizations doing this to somebody else.”

Develop a Ransomware Recovery Plan

Once ransomware is detected, the first step toward recovery is to isolate the infected systems so the encryption cannot spread further across the network. An incident response team that includes key business stakeholders should be in place to coordinate and support the recovery effort.
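"Isolate the infection" is only actionable once you know which machines the infection could have reached, and in the Texarkana case the technicians had to decide that while walking between data centers. The scoping routine below, added here as an example and not ITDRC’s or Texarkana’s tooling, answers that question from network flow records: starting at the first confirmed host, it follows connections over the protocols ransomware uses to hop between machines, forward in time, and ranks the reachable hosts for isolation. The flow log, addresses, port list, patient-zero host and time window are all constructed assumptions.

```python
"""Scope containment from flow records: which hosts could the infection have
reached, and which should come off the network first?
Added example; the flow export, addresses and window are constructed."""
from collections import deque
from datetime import datetime, timedelta

# Assumption: ports over which ransomware typically spreads to the next host.
SPREAD_PORTS = {445: "smb", 135: "rpc", 3389: "rdp", 5985: "winrm"}

# Constructed flow export: "<ts> <src> <dst> <dport> <bytes>".
# 10.20.1.117 is patient zero. The 10.20.7.7 flow predates the incident and
# 10.20.1.55 only connects *to* an infected host, so neither is reached.
FLOW_LOG = """\
2020-12-05T22:00:00Z 10.20.1.117 10.20.7.7 445 3000
2020-12-06T04:58:10Z 10.20.1.117 10.20.1.10 445 51200
2020-12-06T04:59:02Z 10.20.1.117 10.20.1.42 445 19800
2020-12-06T05:00:15Z 10.20.1.42 10.20.5.7 3389 880000
2020-12-06T05:01:30Z 10.20.1.10 10.20.9.3 445 404000
2020-12-06T05:02:00Z 10.20.9.3 10.20.1.117 443 1200
2020-12-06T05:05:44Z 10.20.1.55 10.20.1.10 445 3000
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text):
    """Parse the constructed export into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": _ts(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def spread_candidates(flows, patient_zero, start, window_hours=2):
    """Breadth-first search forward in time from patient_zero.

    start is the ISO timestamp of the first confirmed encryption. A host is
    added when an already-reached host connected to it on a spread port
    after that host was itself reached and before the window closes, so a
    connection that predates the source's own compromise is ignored.
    Returns ({host: first_contact_time} in discovery order, [edges]).
    """
    begin = _ts(start)
    end = begin + timedelta(hours=window_hours)
    by_src = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_src.setdefault(f["src"], []).append(f)

    first_seen = {patient_zero: begin}
    edges = []
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for f in by_src.get(src, []):
            if f["dport"] not in SPREAD_PORTS:
                continue
            if not first_seen[src] <= f["ts"] <= end:
                continue
            edges.append((src, f["dst"], SPREAD_PORTS[f["dport"]]))
            if f["dst"] not in first_seen:
                first_seen[f["dst"]] = f["ts"]
                queue.append(f["dst"])
    return first_seen, edges


def isolation_order(first_seen):
    """Earliest-reached hosts first: they have had the longest to encrypt
    and to hop onward, so they are the most urgent to unplug."""
    return [h for h, _ in sorted(first_seen.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    seen, edges = spread_candidates(parse_flows(FLOW_LOG), "10.20.1.117",
                                    "2020-12-06T04:55:00Z")
    for src, dst, proto in edges:
        print(f"{src} -> {dst} over {proto}")
    print("isolate in this order:", isolation_order(seen))
```

This is a first-pass scope, not proof of infection; confirm each candidate from host telemetry before re-imaging. It also errs toward hosts the malware could have logged into. A machine like 10.20.1.55, which merely mounted a share on an infected host, is not added, but any share the infected host can write to is still an encryption target and should be checked separately.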

ITDRC volunteer and Region 6 Director Andrew White’s Cyber Incident Recovery Plan

Since the attack, the IT department has significantly increased its network and data segmentation. It has implemented new security products, hardened its defenses, made spam filters more aggressive, and purchased intrusion prevention systems that the cities did not have in place before.

“No matter your size, you are not safe from ransomware,” said Uselton. “You need to think about the way you do a natural disaster.”

Plan for the next Ransomware Attack

According to AJ Jarrett, Programming Manager and professor of Engineering at Texas A&M, an organization that does not put the proper time into cyber preparedness now will spend far more time and money on recovery later. That can mean creating new IT positions dedicated to protection plans before an event happens. The first step any department can take is to keep software current and apply security updates promptly. After an attack, many organizations are reluctant to disclose response and recovery details, yet sharing your cyber preparedness plan with others can help prevent the next encryption event.

Texarkana continues its recovery months after the attack, but has taken the bad with the good. “We still have a long way to go but it’s a lot better than it was in December,” said Uselton. “The ransomware ended up being a good thing because we are transforming to a stronger, more resilient enterprise because of it and we hope our story prevents another attack.”