The cities of Albuquerque, Los Ranchos, and Tijeras were shut down Wednesday by a ransomware attack. In a press release on Wednesday, officials in Bernalillo County disclosed the attack, saying they had taken affected systems offline and severed network connections. Most county buildings had to shut down, and employees are working remotely to attempt to maintain services during the system outage. However, as employees cannot access the public databases, there is little they can do for now. The name and type of the ransomware used in the attack are unknown. The disruption is thought to have occurred between midnight and 5:30 a.m. on Jan. 5.
<p>Despite widespread deployment of traditional SIEM, endpoint solutions and now endpoint-based XDR, what has been lacking within most organizations that are victims of successful ransomware attacks is true behavioral-based modeling and detection within the infrastructure. The ability to characterize proper behaviors and user and application access with the right modeling and machine learning can lead to high-fidelity detection of deviations in "normal" behaviors and unusual access to systems that are often tell-tale signs of ransomware infections. The ability to bubble these types of alerts up as high-priority when appropriate empowers security teams to investigate and detect ransomware much earlier, to then respond and thwart a successful attack.</p>
<p>No company, county or organization is too obscure or too off the beaten path for the attackers. To the hackers – the sites are simply targets of opportunity. The automatic scanning they are doing is looking for vulnerabilities – regardless of where the target will eventually end up. The Palo Alto Networks Cortex Xpanse team has researched the scanning and has shown the hackers are scanning within 15 minutes of a known vulnerability – where most companies are not patching and updating for 12 hours.</p>
<p>The solution is a proactive approach to security such as zero trust networks and active identity governance – knowing who has what and triggering on identity changes.</p>
<p>It is unfortunate, but cities will continue to be a big target for ransomware. Many available statistics show that municipalities have a high hit rate of ransomware. As for the root cause, I would think that a contributing factor is the lack of resources and the use of stale technologies, which collectively make municipalities an attractive target. This is exacerbated with work from home, when an already weak security infrastructure needs to support remote work, which now makes the attack surface even bigger.</p>