Government Sector Top 3 Ransomware Victims of 2022

Our 2022 State of Ransomware report recorded 61 publicly reported ransomware attacks on the government sector, making it the second highest targeted sector after education. While it might have been moved out of the top spot in 2022, it’s worth noting that the sector saw a 45% increase over 2020. When it came to variants, LockBit topped the list with 11 publicized attacks, followed by BlackCat with 6 and a further 31 which have yet to be claimed by a criminal gang.

Government organizations and entities are responsible for a massive volume of important, and often, confidential data so it’s not surprising that 25 of the 61 incidents recorded involved data exfiltration. Government documents, plans, legal records, and personal data relating to residents were the target of criminal gangs, with some incidents causing more concern than others.

LockBit targeted the City of Westmount and held it to ransom, stealing around 14TB of data from them. Suffolk Countyin the US had 4TB of data exfiltrated which included huge databases of citizen and court records along with government contracts. Financial documents are not often the target in government attacks, but an incident with the California Department of Finance saw nearly 76GB of files including confidential and financial documents stolen by LockBit.

It is often said that the motivation behind ransomware attacks is financial gain for the cybercriminals. Ransom demands made to government entities last year ranged from $50,000 to recover systems and data belonging to the City of Tomball, to $5M Bitcoin demanded by BlackCat during an attack on the Austrian State of Carinthia.

Refusal to meet ransom demands is common in the heavily regulated government sector, but what happens if you decide to negotiate with the ransomware groups? When an unknown hacker demanded $93,000 from Brooks Countyin the US, county commissioners felt they had no choice but to pay the attackers, the alternative was six to twelve months work to reconstruct the hacked software program. After making the decision to pay the hackers, negotiations managed to decrease the ransom to $37,000, less than half the original amount demanded.

When it comes to attacks on the government sector, there can be motives other than financial gain driving them, namely political motives. When Belarus Railways fell victim to an attack, their attackers, the Belarusian Cyber-Partisans, made their demands clear, requesting release of political prisoners and the prevention of Russian troops in Belarus. This attack was in protest of Belarusian President and the Russian troop movement into the country.

All ransomware attacks cause some level of disruption to their victims but depending on the organization and their capabilities to recover, the fallout can be catastrophic. 2022 saw an attack on Vanuatu Island cripple the government and bring the nation to a standstill. While the Italian city of Palermo experienced large -scale service outages, impacting 1.3 million people within the city and the many visiting tourists.

Costa Rica saw their government and health agency targeted in the same year. Conti orchestrated the attack against the Costa Rican government in April causing chaos for tax collection and import and export customs. During their attack Conti stated “we are determined to overthrow the government by means of a cyberattack. We have already shown you all the strength and power.” This incident was closely followed by  the Hive ransomware group who targeted their public health agency less than one month later. Following these attacks, Costa Rica’s President, Rodrigo Chaves declared a state of emergency, the first national leader to ever invoke this measure which is usually reserved to deal with natural disasters or war.

Although government entities are responsible for highly sensitive and confidential data, it does not always mean they have good cybersecurity policies and procedures in place to ensure their data is not compromised. Poor standards in cybersecurity were mentioned in multiple incidents over the year, making the sector low hanging fruit for criminal gangs.

In the attack on the Bosnia and Herzegovina parliament, delegates were critical of the government’s cybersecurity experts saying” they must understand that the field of security requires investment. There is no security without equipment. Those technical means are expensive, but we must inevitably acquire them.” Others expressed concerns about data dating back nearly 20 years being available on government devices.

The human element of any organization is often seen as one of the weakest links in cybersecurity, so it is essential to educate all employees sufficiently on the risks and prevention of cyberattacks. Plainfield Town Hall suffered an attack which forced them to look at their workers “minimal cybersecurity knowledge” and make changes to include more stringent safety protocols and education for employees.

After an attack on the Ecuador Joint Command and Air Force by BlackCat, many started to question the cyber defenses of South American countries. After a string of attacks researchers felt that these countries were “low hanging fruit” for cybercriminals due to their inability to invest sufficiently in cybersecurity. Interpol addressed this issue and put together a working group to help countries in this region tackle the problem.

Due to the sensitive nature of the data, the continued reliance on antiquated technology, the probable chaos and resulting publicity that surrounds these incidents, it is unlikely that cybercriminals will stop targeting government entities any time soon. It is therefore essential for governments to invest in newer cybersecurity defenses capable of protecting their data from these threat actors. Smaller countries around the world will often not have the luxury of large budgets, but they still have the responsibility to implement tools and procedures to prevent these attacks. Newer technologies that focus on preventing data exfiltration will ensure they stay one step ahead of cybercriminals waiting to extort them.

Learn more about how BlackFog protects enterprises from the threats posed by ransomware.