Election Security Spotlight – Ransomware Attacks

What Is Ransomware?

Ransomware is a type of malicious software (malware) that limits or blocks access to a system or data. Attackers who use ransomware will demand some form of payment (in the form of cryptocurrency, often Bitcoin) to remove the malware and restore access. This type of attack will typically display a ransom note on the victim’s computer, telling them what is locked, and giving instructions on how to pay. Attackers most commonly gain initial access through phishing campaigns or vulnerable remote access tools such as a Remote Desktop Protocol (RDP) or VPN service.

What You Need To Know about Ransomware

Recent high-impact, high-profile ransomware attacks demonstrate the potential impacts of attacks on critical infrastructure systems. Critical infrastructure is a key target of attackers because the sensitivity of the information they can acquire and critical operations they disrupt increases the likelihood of payment.

  • Imagine the theft, encryption (locking), or deletion of a voter registration database just days before populating poll books. Losing access to vital election information during a critical period, such as the beginning of early voting, could slow down or stop election operations.
  • Similar to attacks in the private sector moving throughout a company, election offices are at risk of ransomware from attackers moving across the networks they connect to (also known as “moving laterally”). For example, attackers could infect a system in the sheriff’s office and the malware can then spread to computers in the county clerk’s office across their shared connections.
  • Actions by an attacker could create the perception that an election has been compromised by publicly announcing the attack, or displaying a ransom note on a public-facing website (such as an election night reporting website). Recognizing that these attacks may occur, and having a plan to respond and communicate, is critical for public perception.

The Colonial Pipeline incident renewed focus on the decision to pay, or not pay, ransoms. It is important to note that the payment of a ransom, or removal of ransomware from a system, does not mean the impact of the attack is over. An attacker could still sell or release information they accessed, or they could return to lock up data if the system has not been properly patched.

What You Can Do To Protect Yourself from Ransomware

Work with your technical staff to review the documents below and ensure policies are in place to protect your networks against ransomware. If you do not have the assistance of technical staff or are unsure where to start, contact us at [email protected].

For Election Officials

  • Develop a plan to respond to a ransomware infection, including identifying key points of contact.
  • Do not click on suspicious emails. Forward them to your IT department and contact the EI-ISAC.
  • Explore the Malicious Domain Blocking and Reporting (MDBR) tool, which can help prevent websites known to carry ransomware from interacting with your system.

For Technical Staff

  • Maintain up-to-date, offline, data backups.
  • Review the joint CISA/MS-ISAC Ransomware Guide, which includes prevention best practices and a response checklist.
  • Sign up for MDBR.

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

Spotlights provide election officials with an overview of common cybersecurity topics, and how they relate to election infrastructure security. Please reach out to [email protected] to request a topic.