Ransomware attacks have become a scourge for local governments, robbing millions of dollars in ransom payments to hackers and recovery costs from the government entities that can least afford to pay them.
Public reports show more than 400 such attacks have hit city and county governments in the United States since 2016, impeding emergency responders, stalling tax payments, and forcing government offices back to pen-and-paper operations for weeks on end. That’s probably only a fraction of the true number of such attacks, in which hackers lock up computers and demand payments to unlock them, because many attacks are thought to go unreported.
The recovery process can drag on for months or more than a year, diverting time and resources from other city and county priorities.
Even cities and entities that pay hackers' ransom demands to unlock their computers can spend weeks restoring and replacing equipment to ensure they aren't hacked again, as were the Colorado Department of Transportation in 2018 and the state of Louisiana in 2019.
The coronavirus pandemic has also supersized the problem, forcing employees to return to potentially unsafe working conditions when they can no longer work remotely.
The Colonial Pipeline attack in May and other infrastructure attacks threatening national security have sucked up much of Washington’s attention. But private companies like Colonial Pipeline can typically recover in days or weeks from such attacks with little damage to their bottom lines. For under-resourced cities and counties, the recovery is far more grueling.
"Cities are vulnerable to attacks because we don't have resources in the same way that the private sector does. That makes us more attractive targets," Kim LaGrue, chief information officer for the city of New Orleans, said.
When New Orleans was hit with a ransomware attack in December 2019, LaGrue said her staff worked seven days a week through February to ensure police communications and other city services were sufficiently restored to maintain public safety during Mardi Gras. They’d planned to slow the pace after that. But when the coronavirus struck in force days later, the seven-day weeks returned as IT staff struggled to manage a string of COVID-related crises using technology that was still hobbled.
"We'd established a cadence with the cyberattack that allowed us to roll into the pandemic cadence so we could deliver what the city needed at the time," LaGrue said.
It would take roughly one year and more than $5 million before New Orleans was fully recovered from the attack and confident the city wasn't vulnerable to reinfection. The city is still waiting to see how much money it can recoup from a $3 million ransomware insurance policy.
The pace of ransomware attacks has surged in recent years, hitting cities and other targets. The increase is driven by the rise of cryptocurrency, which makes ransoms far easier to pay and tougher to track, and by an explosion in the value of ransoms that some organizations are willing to pay to get back online.
When ransomware hackers hit Atlanta in 2018, they demanded the bitcoin equivalent of about $51,000 to unlock the city's computer systems. The ransom demand for Baltimore in 2019 was about $76,000. Neither city paid. It cost Atlanta about $17 million to recover from the attack and it cost Baltimore about $18 million.
Such ransom demands are almost quaint these days.
Hackers that hit Pensacola, Fla., in late 2019 demanded a $1 million ransom to unlock those systems. Hackers that compromised Delaware County, Pa., in November 2020 demanded $500,000. Pensacola didn't pay up, but Delaware County did. In the private sector, ransom demands have soared even higher. Colonial Pipeline paid $4.4 million to unlock its computers in May. The meat processor JBS paid an $11 million ransom in June.
The FBI urges victims not to pay ransoms because those payments can be used to launch additional ransomware attacks or to fund other international crimes. It acknowledges, however, that some victims without good digital backups of their systems and data may have little choice but to pay.
The past few years have also seen a rise in ransomware-for-hire gangs based mostly in Russia that have made it far easier for other cybercriminals to conduct ransomware attacks with only minimal skills.
“Right now, ransomware is by far the most profitable cybercriminal activity and that’s attracted a lot of cybercriminals that want to make money,,” said Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, who tracks ransomware trends.
Cities are particularly easy targets for ransomware attackers because their information technology has often been underfunded for years or decades, constantly losing out to seemingly more immediate priorities such as policing, social services, and road repairs. Cities also struggle to retain people with top-shelf IT talent who can attract far higher salaries in the private sector.
"The money just isn't there and even if the money is there, the people aren't," Liska said.
Cities also tend to be more interconnected than other organizations. Hackers who worm their way into computers for the tax office, for example, can hop from there to computers in the police and fire departments or the courts and marriage bureaus until the entire city is locked down.
In some cases, the damage goes beyond lost money and city services.
A ransomware gang called Babuk released troves of information from the D.C. police into the dark regions of the internet in May after negotiations about paying a ransom broke down. The information included raw intelligence about threats following the Jan. 6 attack on the U.S. Capitol.
In other cases, cities that paid ransoms were still unable to recover some large digital files, such as footage from police body and dashboard cameras. Cities have also had to drop prosecutions because digital evidence was corrupted by ransomware attacks or when they can't prove the hackers didn't tamper with the data.
Tulsa was hit with a ransomware attack in June and has mostly recovered. But when it refused to pay the ransom, hackers released about 18,000 city files onto the portion of the internet known as the “dark web.” The information included personal information such as the names, birth dates, and driver’s license numbers of residents, which could make them more vulnerable to identity theft.
There's some reason for hope.
The $1 trillion bipartisan infrastructure bill that passed the Senate in August included $1 billion to help states and cities upgrade cybersecurity. That would be by far the biggest cash infusion for municipal cybersecurity in history. It could go a long way toward making cities more resilient against ransomware. The House is scheduled to consider the bill in September.
The federal government has also increased the resources it provides to cities. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency conducts free cybersecurity assessments for city governments. The Center for Internet Security also provides a suite of free cybersecurity tools for cities under a grant with DHS.
But with millions of dollars at stake, ransomware attackers are likely to find ways to hack into cities even as they improve their protections.
“Groups like this, they’re doing it for profit and you can never be 100% protected,” Dellinger said.