City IT ‘Onion Strategy’ Neutralizes Ransomware

onion strategy State Cyber Resiliency Act

An onion strategy for cybersecurity and employee education reduces what happens to cities when ransomware strikes.

WESTLAND, MICH. — When a Westland public safety employee received an email from what he thought was the city’s human resources department, he innocently clicked on the attachment. Luckily a multi-pronged mode of action known as an onion strategy protected the city from this ransomware attack.

According to a State Tech report, Westland’s Chief Information Officer Dan Bourdeau said what looked like a routine HR form unleashed ransomware on the employee’s computer. It locked up the machine and easily made it’s way to a network server.

The hackers wanted $25,000 per device — and Westland reportedly has about 350. Bourdeau said the IT team’s onion strategy neutralized the threat.

As a result, Westland’s servers were not shutdown — and no ransom was paid.

Westland’s onion strategy is:

  • Isolation
  • Assessment
  • Reporting
  • Evidence preservation
  • Recovery
  • Forensics

The First Layer in Action

Westland’s IT department uses email whitelisting, strong anti-virus and malware protection, backup and recovery technologies and some human processes that meet threats like ransomware head-on.

When the first level of email security did not catch the phishing email, endpoint protection detected that it was amiss and sent an alert to isolate affected devices.

The city’s system never went down with two infected devices isolated in six minutes. Then, backup made it possible to wipe them before restoring all lost files, minimizing the impact.

Filtering & Restoring Files

Although anti-virus programs and firewalls are considered first line cybersecurity, ransomeware can get by when phishing emails are shared.

When an employee of Janesville, Wis., received a branded letter from a legal vendor, it was forwarded to several colleagues. Luckily the launched ransomware never encrypted because of a packet-filtering device and fast response by the IT department.

Janesville’s Gordy LaChance, IT Director, said his team needed to work quickly to delete several ­million affected files in order to contain the cybersecurity threat.

“We moved those files and, out of an abundance of caution, air-gapped our network for six hours. We then pulled all of the files from the location and deleted them,” said LaChance.

All Janesville’s lost files were restored from a recent backup.

In Westland’s incident, all files were back within eight hours with a backup solution that replicates to three secure locations in the United States and one overseas.

No Tears for Employees

Bordeau’s team was also notified by the Westland employee who made the mistake.

“We don’t want employees to hide anything. I want them to feel comfortable calling IT if they have any problems. I want them to know they are going to be received and helped,” he explained.

Westland makes it a policy not to embarrass staff for being a victim to a socially-engineered attack like ransomware.

After the cybersecurity incident, the city implemented quarterly evaluation of permissions inside its Active Directory and reinvigorated the education process, reasserting that the city would not discipline any employee for opening ransomware.

IT now engages Westland’s staff on cybersecurity two to three times per month and is creating training videos.

“You have to use education and show people how to use critical-thinking skills to make the best choices they can make, but don’t punish someone if they make a mistake. And that’s what it is. It’s a mistake,” said Michael Kaiser, executive director of the National Cyber Security Alliance.

Read the original story on the StateTech website.

About the author

Andrea Fox

Andrea Fox

Andrea Fox is Editor of EfficientGov.com and Senior Editor at Praetorian Digital. She is based in Massachusetts.