Pensacola officials confirmed that an ongoing cyberattack that began early Saturday morning is a ransomware attack.
While the city did not release any additional details, the Pensacola News Journal said city spokeswoman Kaycee Lagarde confirmed the attack included a ransom, something that Mayor Grover Robinson initially declined to discuss.
Jeff Bergosh, District 1 Commissioner on the Escambia Board of County Commissioners, posted a letter from the City of Pensacola IT department, describing actions taken in the wake of the attack, including notifying its SOC and increasing its alert activity as well as notifying DHS and monitoring firewall and antivirus logs.
The city realized it was under attack Saturday morning not even 24 hours after a Saudi airman shot and killed three members of the U.S. military at the Pensacola Naval Air Station.
Other Florida cities have fallen victim to ransomware attacks this year, with attackers hitting up Lake City for a $460,000 ransom, which it paid. Lake City’s move mirrored one made earlier by Riviera Beach, Fla., when it opted to pay $600,000 to its attackers.
Municipalities have become a target for ransomware attacks, given the necessity of keeping systems up and running and the propensity to pay up. “Hackers clearly believe they have found a productive business venture in hitting municipal governments with ransomware,” said Aaron Branson, vice president at Netsurion. The combination of decentralized systems, lackluster network monitoring making an attack feasible and the pressure of angry citizens making payout more probable, 2019 has been the year of municipal ransomware.”
The attacks are sometimes direct while others are done “via hacking a managed IT service provider servicing multiple municipalities,” Branson said.
Steve Moore, chief security strategist at Exabeam, said organizations can take several steps “to increase their chances of detecting and disrupting motivated adversaries”
Noting that “ransomware attacks are simple in delivery yet difficult to prevent– especially since infections usually disguise themselves as innocent attachments or email links,” Moore said, “companies can educate their staff, but there’s no guarantee someone won’t slip up eventually – it only takes one.”
Ransomware also presents challenges because it “updates continuously—at least once every 24 hours,” he said. “Interestingly, these attacks are often entirely successful on fully patched systems with industry-leading anti-malware software installed.”
Moore said organizations need to reduce “undocumented business processes that hide within the inbound email” and add greater capabilities for the defender. “For the defender, there must be improvements in their time to ask (TTA) questions, such as ‘which account or asset is associated with this alert?,’ ‘what happened before?,’ ‘has anyone from accounting ever signed into this business application before?’ and ‘did any other executive receive an email from this account yesterday?’” he said.