Ransomware has hit 23 local government entities in Texas. The details of the attack emerged via a post from the Texas Department of Information Resources (DIR). It first published limited details about the attack on its website on Friday. This was followed by a tweet on Saturday and another update at 5pm on Saturday. The DIR has not, at present, listed the local government entities that have been affected.
The DIR has stated: “On the morning of August 16, 2019, more than 20 entities in Texas reported a ransomware attack. The majority of these entities were smaller local governments. Later that morning, the State Operations Center (SOC) was activated with a day and night shift.
“The Texas Division of Emergency Management is assisting by coordinating state agency support through the Texas State Operations Center.
“Currently, DIR, the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions. Further resources will be deployed as they are requested.”
What else do we know?
Initial information from the DIR claims that these are the actions of a single threat actor. It describes those affected as smaller local government entities. Whether they were sharing a single information system or using a common IT provider is not yet clear. As the attack affected so many organisations in one go, a shared system or provider is the most likely cause.
The DIR has also stated: “Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time. Responders are actively working with these entities to bring their systems back online.”
Interestingly, the DIR also said: “The State of Texas systems and networks have not been impacted.”
Given that the DIR sets the rules and guidance for Texas public authorities when it comes to cyber security, this raises some questions. What auditing is done across the state? What does the DIR need to do to improve cyber security? Is this a supplier failure?
For now we will have to wait and see how long it takes before this is resolved. The one thing that is missing here is whether any of the affected local authorities have paid, or are planning to pay, the ransom. It is an approach that several US public bodies have admitted to in order to get systems back online. The current indication is that this is not happening here, or at least not yet.
Enterprise Times: What does this mean?
Another week, another successful ransomware attack on public bodies in the US. As with many countries, the underfunding of public bodies can have unexpected consequences. So many affected so quickly points to a shared system or supplier being infected. This would provide the ransomware with an easy way of spreading across multiple entities.
The timing of the attack will raise questions over the wider cyber security of US public bodies. It came just before a system outage for the US Customs and Border Protection agency. That attack brought many airports to a virtual standstill as CBP officers were forced to resort to manual processing of all travellers.
Reports from travellers on Twitter and other media claim some travellers took over five hours from disembarking aircraft to getting to the baggage area. CBP has so far downplayed the incident, saying there was no malicious attack. However, it has yet to provide a coherent explanation for what happened.
The US continues to see more ransomware attacks on its public bodies than any other major country. While it is easy to point the finger at hostile nation states, there is rarely any viable evidence of who the actors are. It will be interesting to see if there is any public statement on who the single malicious actor is that the DIR claims to have identified. With a major election coming up next year, this is the sort of activity that will worry security teams.