Daniel Lohrmann - Cyber Mayday and the Day After


Cyber Mayday and the Day After: summary and description


Successfully lead your company through the worst crises with this first-hand look at emergency leadership. Cybersecurity failures made for splashy headlines in recent years, producing some of the most spectacular stories of the year. From the SolarWinds hack to the Colonial Pipeline ransomware event, these incidents highlighted the centrality of competent crisis leadership.

From former FBI agents to Chief Information Security Officers, these leaders led their companies and agencies through the worst of times and share their hands-on wisdom. In this book, you'll find out:

- What leaders wish they'd known before an emergency, and how they've created a crisis game plan for future situations
- How executive-level media responses can maintain – or shatter – consumer and public trust in your firm
- How to use communication, coordination, teamwork, and partnerships with vendors and law enforcement to implement your crisis response

Cyber Mayday and the Day After is a must-read experience that offers managers, executives, and other current or aspiring leaders a first-hand look at how to lead others through rapidly evolving crises.

Cyber Mayday and the Day After — read the excerpt online


New York's whole-of-state cyber response protocol ensured a coordinated response across state agencies. Emergency management alerted and assisted state agencies whose systems and business processes connected to the city's, such as the Department of Health, and assessed the impact on vital records. Routine executive briefings and rapid information exchange kept executives and participating agencies updated and ensured that available cyber threat intelligence was shared with the New York State Intelligence Center, the Division of Homeland Security and Emergency Services, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

While the attack temporarily disabled some city systems, backups of critical systems enabled recovery, and no ransom was paid. Reportedly, costs associated with remediation and recovery were roughly $300,000, for hardware, software, insurance, and other measures to increase the security and resiliency of the city's systems. 2

In August 2019, the New York Times reported that more than 40 municipalities were victims of cyberattacks – from major cities such as Baltimore, Albany, and Laredo, Texas, to smaller towns including Lake City, Florida, one of the few cities to pay the ransom demand – about $460,000 in Bitcoin – because it determined that rebuilding its systems would be even more costly. 3

EDUCATION SECTOR TARGETED BY CYBERCRIMINALS

It was Thursday, July 25, 2019, the day after Louisiana's governor declared a state of emergency following ransomware attacks on multiple public school districts in that state. 4 Near the end of a particularly busy week, the CYCOM hotline rang – never a good thing, as it generally meant that summer weekend plans would be replaced with handling an active incident.

New York's CIRT team responded to a call from the IT director of Lansing High School in Ithaca, reporting the presence of Ryuk ransomware on the school's IT infrastructure. The next call came from the school district in Watertown. They too had suffered a ransomware attack. A similar attack crippled the Syracuse city school district's computer system. Over the next days and weeks, calls were fielded from multiple school districts across New York State.

The Rockville Centre school district on Long Island was hit with Ryuk ransomware. They later paid almost $100,000 in ransom to restore their data; the school's insurance policy covered the payment. The same ransomware hit a neighboring school district in Mineola. They were able to restore data from backups taken offline over the summer and to rebuild the network.

The New York State Education Department notified all districts about the cyberattacks and coordinated the response in the affected educational agencies with the assistance of the State Office of Information Technology Services, CYCOM, and other state cybersecurity teams, including the State Intelligence Center, the Division of Homeland Security and Emergency Services, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Briefings with the State Education Department and the 11 Regional Information Centers (RICs) ensured that everyone had current information and focused support. The attacks were investigated, and the affected agencies recovered and implemented processes to prevent recurrence.

All told, the State Education Department reported that 16 school districts and one Board of Cooperative Educational Services (BOCES) had been compromised with ransomware. 5 As a precaution, the department directed its regional information centers and the big five school systems – Buffalo, Rochester, Syracuse, Yonkers, and New York City – to take the state's data warehouse offline so that it could be scanned for malware and vulnerabilities.

The state's cohesive cyber disruption and incident response protocols worked well, enabling coordinated analysis, reporting, and communications – essential when dealing with multiple fast-moving attacks. A big win in this situation was a tool the CYCOM team developed to identify compromised domain controllers. Based on intelligence and high-confidence observations drawn from onsite and forensic analysis across multiple incidents, the team identified a step that recurred in the multiphase attack taxonomy (the sequence in which these attacks unfold). Detecting and intervening at that point in the sequence disrupted the launch of the ransomware payload before it could do damage. The tool was shared with the Education Department, the RICs, state universities, and other government entities to help them proactively detect and defend against further attacks.

THE BATTLE CONTINUES

In 2021, adversaries upped their game with more sophisticated tactics and more ambitious targets. With government organizations reeling from the impact of a global pandemic, the timing was ripe for another banner year for well-resourced cyber criminals and ransomware. One industry report, "The State of Ransomware in the US: Report and Statistics 2020," counted 2,354 local governments, healthcare facilities, and schools impacted by ransomware attacks in 2020. 6 Government organizations are attractive targets for cyber criminals because they are often resource-constrained while holding large amounts of valuable information, such as Social Security numbers, birth and medical records, and financial account details. When essential public services are disrupted, agencies face a tough decision: pay the ransom or try to restore their systems on their own.

On Christmas Day, 2019, the Albany (NY) International Airport was hit by a ransomware attack and later paid a ransom to restore access to its data. The ransomware, attributed to a Russian threat actor, spread to the airport's servers and backup servers from a managed service provider's systems. While the incident reportedly did not affect airport operations, TSA or airline computers, or expose sensitive data, it illustrated the need for organizations to remain vigilant against such attacks and to manage third-party and supply-chain cyber risk, including the access that service providers hold into their networks and backups.

Some of the top takeaways from these New York State incidents are the importance of good cyber hygiene, due diligence, vigilance, and resilience. Keeping systems patched and current; secure design and configurations; access management with strong identity verification, authentication, and tightly controlled privileged accounts; security awareness training that helps users recognize phishing emails and other forms of social engineering; continuous monitoring and detection capabilities; and solid backup and recovery platforms, with copies kept offline or otherwise out of an attacker's reach so that critical systems can be restored rapidly – these and other protections can dramatically reduce the likelihood that ransomware will impact your organization's operations.

FIVE TAKEAWAYS

Shao Fei Huang, CISO of Singapore Land Transport Authority, highlighted his top three takeaways for business owners, board directors, and executives, and the stories from Mark Weatherford and Deb Snyder inspired the last two.

The World Will Never Be Immune to Cyberattacks

Organizations and businesses need to ensure that their cybersecurity strategies are centered on people, process, and technology. Traditionally, the focus has been on IT, and even CISO appointments have gone to IT staff reporting to the CIO. Beyond the conflict of interest that reporting line creates, it is essential that CISOs carry broad responsibility in the organization and have the authority to raise the alarm when something is not right, even when it concerns the actions or decisions of their own executives.

In appointing CISOs, CEOs and boards should ensure that the individual has strong technical expertise in cybersecurity, business acumen, crisis management skills, and a soft skill that is often neglected: a flair for public speaking, especially to senior executives and stakeholders.
