Ransomware’s Election Threat

The US Presidential Election draws the attention of the entire globe for a variety of reasons. Politics, economics, and the climate are affected by the nation’s choice of who will next sit in the White House. As November 2020 draws closer coverage of the election will dominate the news and debates around the dinner table. Currently, most of the coverage is political there is another aspect of the election that is gaining increased attention. That being how secure these elections will be to cyber threats, and in particular ransomware. Various ransomware gangs are notching up major corporations as victims and in the past, a number of state institutions and government departments have suffered ransomware infections, who is to say that the next elections will be free from such an incident.

A recent report by Recorded Future takes a deep dive into the threat posed by ransomware in the upcoming US election. It is not only security firms that have noted the existence of a threat. US state officials noted the existence of the threat posed by ransomware as well as the private sector. The threat posed is also not without real-world incidents. In 2016, the Palm Beach County Supervisor of Elections Office was hit with a ransomware attack which in turn was not reported to the relevant authorities at the time and only came to light recently. While the threat to election centers exists, the question remains can ransomware, even a highly co-ordinated campaign, disrupt the 2020 elections?

Researchers noted there is a difference in gaining access to a network belonging to an election office and disrupting an entire election. Viewed in this light it is unlikely that elections can be disrupted to an extent that would render the outcome null and void. However, it is still possible to disrupt the state and local levels. A successful attack then would have to target the right state at the right time, meaning that the so-called swing states could be highly prized targets for ransomware gangs as any disruption to the release of votes could be further weaponized in the form of disinformation campaigns. These in turn could be used to turn public opinion against the legitimacy of the election and the legitimacy of democracy as a whole.

ransomware election threat

This is already an issue faced in the US as only 45% of Americans are confident the election will be counted accurately. Given that ransomware offers attackers a low-cost effective method at compromising networks it is an attractive option for those looking to place increased pressure on election officials to pay larger ransoms or groups looking to apply political pressure via disinformation campaigns.

Likely Scenarios

Researchers noted that there are three likely attack scenarios that could play out in the wild. Those include:

  • Ransomware attacks against voter registration databases
  • Ransomware attacks against voting results databases
  • Attacks against poll books

The first scenario is likely to generate the most attention which does not bode well for the integrity of the election, of which a large portion of Americans is already in doubt. A well-timed attack on voter registration databases could prevent voters from voting. It is not only voting disruption that may be a result but given how ransomware gangs now release sensitive information if ransoms are not paid in time is another threat. The database would contain a wealth of information deemed sensitive and personally identifiable. An attack targeting this database is unlikely to occur on the election day as the database is not widely used on this day but rather on other occasions, like the first-day ballots are opened for early voters, as an example. Other days that may be targeted include:

  • A day or two before poll books being pushed out
  • With the expected rise of mail-in voting this election, a ransomware attack on the VRDB 45-60 days before the election could disrupt the ability of a state to disseminate mail-in ballots
  • An attack the day after the election could prevent polling officials from verifying mail-in ballots.

The report issued by Recorded Future goes into great detail regarding the potential for attacks on the voter registration databases as well as suggestions on how to secure these databases. The other two attack scenarios are not dealt with as much, this is perhaps due to the challenges facing securing the voter registration databases. One of these challenges resides in the fact that there is not one singular database. Rather, every state has their database, which implies that the 50 states are responsible for maintaining its voter registration, as is the District of Columbia, American Samoa, Guam, Northern Mariana Islands, Puerto Rico, and the U.S. Virgin Islands, for a total of 56 separate voter registration databases. Further, there is no standardization as to what type of database is used meaning each state either has a top-down, bottom-up, or hybrid database.

While there are different types of databases, their infrastructure also has not been standardized. Some states have developed their infrastructure while others include several other third-party offerings. Recorded Future noted,

“It appears the majority of VRDBs are running on Oracle or Microsoft SQL databases and are often administered by traditional remote administration tools such as Remote Desktop Protocol (which Recorded Future found indications that at least seven EMS are using) and Citrix (which appears to be used by at least six VRDB). Microsoft’s .NET and Sharepoint were also mentioned as being in use across multiple states’ voting infrastructure. In addition, as recently as July of 2019 there were as many as 10,000 Windows 7 systems, currently unsupported by Microsoft, being used to administer voting systems, all of which are systems potentially vulnerable to ransomware attacks.”

Citrix and RDP Flaws Center Stage

It is not only the wide variety of infrastructures and three main types of databases used by the numerous states but also how ransomware gangs compromise networks. Remote Desktop Protocol (RDP) connections have long been a favored exploitation vector for years now. In recent months Citrix vulnerabilities have also become one of the favored attack vectors. As many states use Citrix as an infrastructure provider care most certainly needs to be taken when securing these databases. Another factor opening up the possibility of attack through both Citrix and RDP avenues is that many employees now work remotely and use the tools both provide. This had led to further security issues as often these tools go without critical updates.

To defend these databases and prevent election disruption Recorded Future states that employees need to be trained to detect exploitation. Many of the states focus on training staff to detect phishing emails, however, more needs to be done to educate staff as to the potential of RDP connections and Citrix tools being used as avenues for attack. Further researchers discovered that, in addition to the lack of discussion around remote ransomware attacks there was no discussion on internal training about ransomware and the exfiltration of data combined with subsequent extortion demands to avoid making that data public. In 2018, 35 million voter records from 19 states were found for sale for 42,200 USD in an underground forum.

This is just regarding ransomware's threat to the 2020 elections posed by ransomware. Election officials still have to worry about the predations of nation-state groups, who are now also using ransomware, along with disinformation campaigns and wipers. The use of wipers can also be seen as a similar threat to elections with similar results, as wipers completely remove data from hard drives and network devices, or encrypt it with no hope of recovery.

In highlighting the entire threat posed Recorded Future concluded,

“Ransomware attacks against VRDBs are a real threat and there will likely be both nation-state and cybercriminals targeting election infrastructure this election season. In fact, the targeting has most likely started. There was already a shortfall in election security funding that has been exacerbated by the COVID-19 pandemic and staff furloughs.

In addition to budget shortfalls, the training that election officials receive appears to be inadequate and missing a number of important ransomware attack scenarios that should be considered in allocating defenses against ransomware attacks.

And, ransomware is just one of many threats faced by election officials during the 2020 election. The combination of the pandemic, challenges with the Post Office, and nation state and cybercriminal groups targeting election infrastructure is an overwhelming security challenge. The ransomware threat is only a small piece of the threat landscape, but it is an important one.”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps..

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal