In New York, a Municipal Ransomware Attack Is Crippling the Real Estate Industry

What happens when a local government refuses to pay after a ransomware attack? In Suffolk County, New York, it means lost real estate sales and frustration for agents and home buyers.

CBS New York has been tracking the fallout from the Suffolk County ransomware attack, which took down payment systems, 911 services and property title searches, among other county functions. The county owes vendors $140 million due to the cyber attack and apparently has been trying to rebuild its services instead of paying the ransom.

That’s bad news for people looking to buy homes in the county. With some systems still offline and a backlog of transactions to process, closings in the county now take 3 to 4 months, according to one local real estate agent.

That delay is hitting buyers in two ways. Some are backing out of deals amid rising interest rates; the U.S. Federal Reserve pushed rates up by 0.75% in September, and a further 75-basis-point hike is expected at its November meeting. Other buyers see their preapproved mortgages expire when interest rates rise.

Ransomware Attack Reveals Avoidable Vulnerabilities

The ransomware attack in Suffolk County shows that county officials were unprepared to deal with cyber crime in some key ways.

  1. Multiple systems were vulnerable to a single point of attack, including payments, 911, Registry and court systems. Critical systems like these must be compartmentalized so that an attack on one does not bring down additional essential services. Cyber criminals see systems like this as particularly ripe targets because of the disruption they can cause with a single attack.
  2. No backup systems were in place. Suffolk County officials told CBS News that they had a data backup and that the systems themselves remain secure, but those backups are worthless without working servers. Both data and operating systems must be backed up with the ability to restore operations at daily intervals for at least 2 weeks and at monthly intervals for at least 3 months. Cyber criminals may drop ransomware onto a network weeks or months before they carry out an attack, because they know that most organizations only have a day or two of backup data. Attempting to restore the previous day’s data does not stop the attack, because the ransomware was already there.
  3. The response plan was insufficient. Organizations need to have an emergency response plan in place that includes protocols for contacting law enforcement as well as IT and ransomware specialists on call to identify the scope of the attack and begin recovery. Suffolk County had to contact outside agencies for assistance. That can be part of a response, but the impression from CBS New York’s reporting is that county staff lacked the support to restart their systems and had to reach out after the breach. That is a far more cumbersome and time-consuming process than having a Virtual CISO or cyber security firm who knows your systems and can take action as soon as a breach occurs.
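
The retention schedule in point 2 can be checked automatically against a backup catalog. The sketch below is an added example, not part of the original article or CBS New York's reporting: the function names, the sample dates and the implant date are constructed for illustration, and restore points are assumed to be available as plain calendar dates.

```python
from datetime import date, timedelta

def audit_retention(points, today, daily_days=14, monthly_months=3):
    """Return (missing_daily, missing_months) for a collection of restore-point dates."""
    have = set(points)
    # Daily tier: a restore point for each of the last `daily_days` days.
    wanted = (today - timedelta(days=n) for n in range(1, daily_days + 1))
    missing_daily = [d for d in wanted if d not in have]
    # Monthly tier: a restore point in each of the last `monthly_months` calendar months.
    months_have = {(d.year, d.month) for d in have}
    missing_months, y, m = [], today.year, today.month
    for _ in range(monthly_months):
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
        if (y, m) not in months_have:
            missing_months.append((y, m))
    return missing_daily, missing_months

def newest_point_before(points, implant_date):
    """Newest restore point older than the estimated implant date, or None."""
    older = [d for d in points if d < implant_date]
    return max(older) if older else None

# Constructed sample data (not taken from any real incident).
TODAY = date(2022, 10, 20)
IMPLANT = date(2022, 9, 15)  # assumed date the ransomware was planted
# Two weeks of dailies with one gap, plus monthly points for September and August.
SAMPLE_POINTS = [TODAY - timedelta(days=n) for n in range(1, 15) if n != 8]
SAMPLE_POINTS += [date(2022, 9, 1), date(2022, 8, 1)]
# An organization that keeps only the last two days of backups.
SHORT_POINTS = [TODAY - timedelta(days=n) for n in (1, 2)]

if __name__ == "__main__":
    gaps_daily, gaps_monthly = audit_retention(SAMPLE_POINTS, TODAY)
    print("missing daily restore points:", gaps_daily)
    print("months with no restore point:", gaps_monthly)
    print("restore candidate, full schedule:", newest_point_before(SAMPLE_POINTS, IMPLANT))
    print("restore candidate, two-day schedule:", newest_point_before(SHORT_POINTS, IMPLANT))
```

With the two-day schedule every restore point postdates the assumed implant date, so no usable restore candidate exists, which is the failure point 2 describes.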

How Did the Suffolk Ransomware Attack Happen?

County officials have not shared details about the nature of the attack, or how hackers were able to place ransomware on county systems. The widespread nature of the attack may be a sign that a senior employee’s credentials were compromised. Malware may also have been used to target known server vulnerabilities. In cases like this, online forms or web-to-server communications are potential attack vectors.

The county may have also fallen victim to a phishing attack. Even the most robust security systems can be brought down by employees with low phishing awareness, stressing the importance of ongoing training and evaluation.

The attack on Suffolk County is a stark reminder that local government systems are vulnerable. Every municipal and county government needs to evaluate its readiness against professional cyber criminals as well as state-sponsored hackers. Protect Now can help you do this with training and technical support that complements and completes your existing programs. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.
