An April 2 ransomware attack confirmed by Jackson County officials in Missouri demonstrates how state and local governments are still ripe targets for cybercriminals.
According to Jackson County officials, early indications suggest operational inconsistencies across the county’s digital infrastructure and certain systems were rendered inoperative, while others continue to function normally.
The officials said systems impacted so far include tax payments and online property, marriage license, and inmate searches. As a result of the attack, the assessment, collection and recorder of deeds offices at all county locations are closed until further notice.
Rebecca Moody, head of data research at Comparitech, said 18 such ransomware incidents on state and local governments have already been confirmed so far in 2024.
Moody said while the county doesn't believe any data was stolen, as the industry has observed recently with the LockBit attack on the city of Jacksonville Beach, Florida, hackers often steal data as well as encrypting systems. Moody said this gives the attackers something else to ransom or sell on the dark web if negotiations fail. Jacksonville Beach recently confirmed that nearly 50,000 records were impacted in its January ransomware attack.
“With 18 attacks confirmed so far this year compared to 21 in the same period of 2023, government organizations appear to remain a key target for ransomware gangs,” said Moody. “And with Washington County, Pennsylvania, paying nearly $350,000 to hackers following its January 2024 attack, they're a potentially lucrative target, too.”
Morgan Wright, chief security advisor at SentinelOne and an SC Media columnist, said this attack on Jackson County is likely not directly attributable to a nation-state actor, but there’s a good chance we can tie the ransomware strain to Russia. Wright said in 2021, Chainalysis observed that" roughly 74% of ransomware revenue in 2021 — over $400 million worth of cryptocurrency — went to strains we can say are highly likely to be affiliated with Russia in some way.”
“Transnational ransomware groups continue to target state and local governments, exploiting aging IT infrastructures and a declining number of cybersecurity practitioners working in government,” said Wright. “The groups are after money, but they serve a bigger purpose for Russia in terms of continued attacks and destabilization of government services.”
Ngoc Bui, cybersecurity expert at Menlo Security, said we can trace the alarming rise in ransomware attacks on local governments to several critical factors: the prevailing belief that government agencies, particularly at the local and state levels, often operate with outdated or insufficiently protected IT infrastructures.
Adding to the complexity, Bui said there’s concern over a growing skills gap, exacerbated by government contracts often awarded to the lowest bidders, a practice that often lead to a reliance on talent that, while more cost-effective, may lack the necessary skills, training, or experience.
“Contractors and fed/state/local employees are often overworked, underfunded, and lacking reliable resources if even given appropriate resources,” said Bui. “Even when adequate resources are technically available, systemic limitations often obstruct their effective deployment.
"This widespread challenge is illustrated by the voices of former government and military personnel on social media and other platforms," Bui continued. "A common statement among them is that 'military grade' more often means 'lowest bid won' rather than the highest quality.”
Bui said the decision of Jackson County to pay a ransom in a previous incident in 2019 might have inadvertently signaled to cybercriminals that the county could be a lucrative target for future ransomware attacks. Paying ransoms can sometimes lead to repeat targeting by the same or different ransomware operators, as it demonstrates a willingness to comply with their demands, said Bui.
