The Virginia state legislature’s IT division was struck by a successful ransomware attack this week, less than two weeks after Maryland’s Department of Health was hit by cybercriminals.
In Virginia, the attack occurred as lawmakers and staff were preparing for the upcoming legislative session in January. The incident knocked a number of services offline, including the state budgeting portal and the legislative branch’s voicemail system. The attack also blocked legislators and staff from the electronic system used for drafting and modifying bills at the busiest time of the year, The Washington Post reported. The Virginia Capitol Police’s website was impacted as well.
Gov. Ralph Northam directed executive branch agencies to help in “assessing and responding to this ongoing situation,” according to an email sent to news outlets.
Jake Williams, chief technology officer at the cybersecurity firm BreachQuest, said it’s unlikely that the recent attacks on Virginia and neighboring Maryland are related.
“These are high-interest stories, but operationally speaking, it doesn’t make much sense for ransomware threat actors to target state or local governments and agencies in a coordinated effort,” Williams said.
While agencies generally have security vulnerabilities, he added, they also tend to be less likely to pay ransoms compared to businesses. Williams said that most hackers probably know that targeting government organizations, particularly at the state level, “would draw the wrong kind of attention” to the ransomware groups involved.
Even so, he did not rule out the possibility of a coordinated assault in the future.
The ransom note in Virginia didn’t specify an amount of money that the cyberattackers were seeking, or a deadline to pay. The incident followed a successful ransomware attack on Maryland’s Department of Health that for at least nine days left employees unable to access computer files, while parts of the agency’s network were shut down.
A range of department services and resources in Maryland were unavailable, according to The Washington Post, including Medicaid forms, nursing home safety data, and orders for free at-home testing for sexually transmitted infections. (Route Fifty contacted the department for an update, but did not hear back as of publication.)
When the breach was initially disclosed, The Baltimore Sun reported that the Maryland department said there was “no evidence” of any data compromised, although the agency did take its website offline.
When asked for key takeaways that state and local agencies could learn from these attacks, Williams, the cybersecurity expert, emphasized that large-scale ransomware attacks usually depend on “lateral movement,” where cyber-criminals get access to computer systems due to an employee error, like clicking on a malicious email link, and then jump to other computers.
“Organizations wishing to detect an attack early should focus on detecting lateral movement,” he said.