Lessons Learned from a Cyberattack on Florence, Alabama

Miles & Stockbridge P.C.

Hackers used a phishing attack to infiltrate the city’s network and then deployed ransomware.

On May 26, 2020, after receiving a tip from a dark web specialist, cybersecurity blogger Brian Krebs alerted the city of Florence, Alabama that hackers with a history of deploying ransomware had infiltrated the city’s network by stealing the credentials for the city’s IT manager in a May 6 phishing attack.

Grateful for the tip, the city’s system administrator informed Krebs that the city took action to isolate the computer and network account that was purportedly hacked. The city also took steps to fend off a ransomware attack. Unfortunately, the city’s efforts were not enough to deter the hackers. On June 5, while a request for funds to conduct a detailed investigation and remediation was pending before Florence’s city council, the hackers unleashed ransomware on the city’s network.

With the risk that residents’ personal information would be released by the hackers, the city had to decide whether to pay the ransom. The city hired an outside security firm that negotiated the bitcoin ransom down to a value of approximately $291K. Backed into a corner, city officials indicated on June 9 that they intended to pay the ransom, with the hope that the hackers would not place city residents’ personal information on the internet.

What can your organization learn from the cyberattack on Florence, Alabama?

Lesson No. 1: The question is not if your organization will be the subject of a cyberattack, but when. Human error plays a huge role in cyberattacks. In this instance, the hacker successfully targeted an IT manager with a phishing attack.

Lesson No. 2: Hackers may invade a victim’s network and remain undetected for days, weeks, or even months before deploying malware like ransomware. According to CNBC, “digital threats tend to go an average of 101 days before being detected by business operators.” Here, the hacker purportedly accessed the network on May 6, was detected by May 26, and deployed ransomware on June 5.

Lesson No. 3: If the hackers still have control over your information system, a cyberattack can go from bad to worse while your organization is in the process of shutting down the attack. In this instance, ransomware was deployed on June 5—ten days after the city learned of the cyberattack, and while a request for funds to conduct further investigation and remediation was before the city council.

Lesson No. 4: Once ransomware is deployed, there is no guarantee that paying the ransom will ensure that the bad actors will uphold their end of the ‘bargain’. It is reported that Florence has chosen to pay the ransom with the hope that payment will deter the bad actors from releasing citizens’ private information on the internet.

What are some recommended practices that your organization can adopt to reduce the risk of becoming the next cyberattack headline?

Best Practice No. 1: Ensure that the chief information security officer (CISO) for your organization has a seat at the table and is involved in developing your organization’s cybersecurity policy.

Best Practice No. 2: Reduce the possibility of a cyberattack by implementing cybersecurity training for all employees, including training all employees on your organization’s cybersecurity policies and procedures.

Best Practice No. 3: Detect cyberattacks, data breaches and other cyber incidents sooner by implementing detection processes and by continuously monitoring your organization’s network.

Best Practice No. 4: Engage legal counsel and cybersecurity forensic specialists to help your organization develop an incident response plan before your organization is attacked. Among other things, the plan should establish the process your organization will use to shut down a cyberattack and identify the persons or team with authority to take swift action if a cyberattack or data breach were to occur.

Best Practice No. 5: As soon as a cyberattack or data breach is detected, engage legal counsel, who can assist your organization with retaining cybersecurity forensic specialists to help your organization shut down the attack quickly and determine your legal obligations and duties.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Miles & Stockbridge P.C.

Written by:

Miles & Stockbridge P.C.