
DHS Worried About Ransomware Attacks for 2020 Election

According to an intelligence report issued by the Department of Homeland Security, ransomware is one of the top security concerns for the 2020 election. The report, entitled “Cybercriminals and Criminal Hackers Capable of Disrupting Election Infrastructure”, echoes concerns that CISA director Chris Krebs articulated at the Black Hat security conference in early August. According to the report, the weeks leading up to the election are likely to carry the highest risk of ransomware attacks:

“We assess that cybercriminals likely would have the greatest impact on election infrastructure by using ransomware to prevent access to state and local networks up to two weeks before the election, potentially disrupting election-related computers connected to affected networks. We base this assessment on the impact of ransomware on election-related local networks, the average network downtime caused by this malware, and the increase in such attacks against state and local government networks. Due to the interconnectedness of many state and local government networks, cybercriminals also may inadvertently disrupt portions of the elections infrastructure while targeting other areas of a network.

  • Unidentified cyber actors in April 2020 used ransomware to compromise and exfiltrate over 2GB of data from the computers of a Virginia county administrator and voter registrar, requiring 30 bitcoin (~ $277,000 as of July 2020) to decrypt the files, according to FBI reporting.
  • A ransomware attack against an Oregon county in January 2020 infected 45 servers and 50 workstations on its computer network, impacting the main file share server as well as the county’s short-term backup, according to FBI case information. The attack prevented voter registration personnel from conducting any actions requiring access because the internal network was taken offline for remediation.
  • Ransomware caused an average downtime for impacted networks of 16.2 days in the fourth quarter of 2019, an increase from 12.1 days for the third quarter of 2019, according to an online article from a cyber company that tracks ransomware attacks. Atlanta’s government network still had a third of its 424 software programs offline or potentially inoperable three months after a March 2018 ransomware attack, according to a news site.
  • Ransomware attacks in 2019 against state and local governments increased 153 percent compared to 2018, according to a Multi-State Information Sharing and Analysis Center report.”

The report further establishes Russia as a potential top adversary for the election.

“The US Government in December 2019 indicted and imposed sanctions on a Russian and a Ukrainian national for ransomware attacks against US entities, according to a Department of Justice indictment and a Department of Treasury press statement. The Department of the Treasury identified the Russian national as having worked for the Russian Federal Security Service (FSB). The Department of Justice in 2017 indicted two FSB officers and their criminal conspirators for compromising millions of Yahoo e-mail accounts, according to the same sources.”

On election day itself, DHS assesses that DDoS attacks are the most likely tactic:

“We assess that a distributed denial-of-service (DDoS) attack is the most likely tactic that ideologically or politically motivated criminal hackers would use to disrupt election infrastructure on election day. We base this assessment on the low cost of DDoS attacks and criminal hacker use of this tactic against state and local government networks with varying scales of disruptions. A DDoS attack on election websites can prevent accurate and timely results from being shared with the public. We assume criminal hackers are responsible for the DDoS attacks against state and local networks during the protests over the death of George Floyd, and the attacks against the New Mexico Secretary of State’s website.

  • DDoS attacks are among the cheapest cyber tools that are effective in disrupting computer systems, interrupting the actual casting and auditing of votes once the election is complete, according to a company that provides commercial encryption protection. The low cost and the numerous places to purchase DDoS-as-a-service, with an average one hour/month DDoS package costing $38, make this malicious tool popular among criminal hackers, according to a cybersecurity company.
  • Unidentified malicious cyber actors between 28 May and 3 June 2020 following the death of George Floyd conducted DDoS attacks against networks of an Upper Midwestern state, degrading network services and impacting the ability of essential services to receive and respond to emergency reporting, according to a state government employee with direct and indirect access.
  • A server belonging to the New Mexico Secretary of State from at least 2 to 24 May 2019 experienced anomalous activity that resembled a DDoS attack, according to a New Mexico cyber awareness alert.”

The report also considers attacks on the managed service providers (MSPs) that support state and local governments:

“We considered the alternative that the most impactful disruption on election infrastructure by cybercriminals likely is denial of service attacks on managed service providers (MSP) used by state and local governments. We considered this alternative because a single MSP can host numerous state and local government networks, providing an avenue to disrupt a range of targets. We deemed this alternative less likely because the coordination required to target several MSPs simultaneously to create a national-level disruption would require extensive preparation but not result in financial profit.”

Ransomware continues to be a critical threat, with numerous commercial companies having succumbed to multi-million dollar ransom demands in recent weeks. Because ransomware targeting is imprecise, any attack on election-related systems is likely to bleed over into other municipal systems, including systems operated by private sector partners.



Matt Devost

Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see