Services, Intelligence Center, and Division of Homeland and Emergency Security Services – enabled better defenses against cyber threats, protected citizens and government assets, and assured a coordinated, whole-of-state response to cyber incidents.
LIKE A BAD PENNY
From 2018 through 2019, ransomware attacks continued to accelerate in number and sophistication across the United States, targeting hospitals, state and local governments, and schools, causing major operational disruptions and financial impact. New York was not exempt.
On Saturday, March 30, 2019, the government cyber response team received a call from the City of Albany, which had experienced a major ransomware attack. Servers and workstations had been encrypted, resulting in significant operational impact across multiple systems and services. The attackers were demanding payment in Bitcoin to unlock systems. The City had engaged law enforcement, and FBI investigators were onsite. Within 30 minutes, the Cyber Command Center CIRT team members were onsite, helping City IT staff and the FBI with critical response actions and forensics.
City officials coordinated response and communications as the investigation and recovery efforts unfolded. The complex interdependencies between systems, data, critical functions, and services that incidents reveal never fail to amaze. Fully understanding these connections and program touchpoints in advance is critical, including linkages to county and state agencies' systems, potential collateral impact on program services, and related third-party dependencies.
New York's comprehensive whole-of-state cyber response protocol ensured coordinated state response efforts across state agencies. Emergency management alerted and assisted state agencies, such as the Department of Health, with connected systems and business processes and the impact on vital records. Routine executive briefings and the rapid exchange of information assured updates and sharing of available cyber threat intelligence with executives and participating agencies, including the New York State Intelligence Center, Division of Homeland and Emergency Security Services, and the Multi-State Information and Analysis Center (MS-ISAC).
While the attack temporarily disabled some city systems, backups of critical systems enabled recovery, and no ransom was paid. Reportedly, costs associated with remediation and recovery were roughly $300,000, for hardware, software, insurance, and other measures to increase the security and resiliency of the city's systems.2
In August 2019, the New York Times reported that more than 40 municipalities were victims of cyberattacks – from major cities such as Baltimore, Albany, and Laredo, Texas, to smaller towns including Lake City, Florida, one of the few cities to pay the ransom demand – about $460,000 in Bitcoin – because it determined that rebuilding its systems would be even more costly.3
EDUCATION SECTOR TARGETED BY CYBERCRIMINALS
It was Thursday, July 25, 2019, the day after Louisiana's governor declared a state of emergency following ransomware attacks on multiple public school districts in their state.4 It was near the end of a particularly busy week, when the CYCOM hotline rang – never a good thing, as it generally meant that summer weekend plans would be replaced with handling an active incident.
New York's CIRT team responded to a call from the IT director of Lansing High School in Ithaca, reporting the presence of Ryuk ransomware on the school's IT infrastructure. The next call came from the school district in Watertown. They too had suffered a ransomware attack. A similar attack crippled the Syracuse city school district's computer system. Over the next days and weeks, calls were fielded from multiple school districts across New York State.
The Rockville Centre school district on Long Island was hit with Ryuk ransomware. They later paid almost $100,000 in ransom to restore their data; the school's insurance policy covered the payment. The same ransomware hit a neighboring school district in Mineola. They were able to restore data from backups taken offline over the summer and to rebuild the network.
The New York State Education Department notified all districts about the cyberattacks and coordinated the response to the incidents in affected educational agencies with the assistance of the State Office of Information Technology Services, CYCOM, and other state cybersecurity teams, including the State Intelligence Center, Division of Homeland and Emergency Security Services, and the Multi-State Information and Analysis Center (MS-ISAC). Briefings with the New York State Department of Education and 11 Regional Information Centers (RICs) ensured that everyone had current information and focused support. The attacks were investigated, and the affected agencies recovered and implemented processes to mitigate recurrence.
All told, the New York State Department of Education reported that 16 school districts and one Board of Cooperative Educational Services (BOCES) had been compromised with ransomware.5 As a precaution, the Education Department directed its regional information centers and big five school systems – Buffalo, Rochester, Syracuse, Yonkers, and New York City – to take the state's data warehouse offline to scan for malware and vulnerabilities.
The state's cohesive cyber disruption and incident response protocols worked well, enabling coordinated analysis and reporting and communications – essential in dealing with multiple and fast-moving attacks. A big win in this particular situation was a tool the CYCOM team developed to identify compromised domain controllers. Based on intelligence and high-confidence observations drawn from onsite and forensics analysis across multiple incidents, the team identified a consistent step in the multiphase attack taxonomy – how attacks unfold and work. Detection and intervention at this critical point in the sequence effectively disrupted the launch of damaging ransomware. The tool was shared with the Education Department, RICs, state universities, and other government entities to help proactively detect and defend against further attacks.
THE BATTLE CONTINUES
In 2021, adversaries upped their game with more sophisticated tactics and ambitious targets. As government organizations reeled from the impact of a global pandemic, the timing was ripe for another banner year for well-resourced cyber criminals and ransomware. One industry report, “The State of Ransomware in the US: Report and Statistics 2020,” noted that 2,354 local governments, healthcare facilities, and schools were impacted by ransomware attacks in 2020.6 For cyber criminals, government organizations pose an attractive target because they are often resource-constrained and maintain lots of valuable information such as Social Security numbers, birth and medical records, and financial account details. Faced with disruption of essential services to the public, government agencies are often faced with a tough decision – pay or try to restore their systems on their own.
On Christmas Day, 2020, the Albany (NY) International Airport was subject to a ransomware attack, and later paid a ransom to restore access to their data. The ransomware, attributed to a Russian threat actor, had spread to the airport's servers and backup servers from a managed service provider's systems. While the incident reportedly did not impact airport operations, TSA or airline computers, or expose sensitive data, it illustrated the need for organizations to exercise vigilance in protecting against such attacks and manage third-party/supply chain cyber risk exposure.
Some of the top takeaways from these New York State incidents include the importance of good cyber hygiene, due diligence, vigilance, and resilience. Keeping systems patched/current, secure design and configurations, access management – strong identity verification, authentication, and tightly managed privileged accounts, security awareness training to help users recognize phishing emails and other forms of social engineering, continuous
