Ransomware attacks are targeting local governments in a big way this year, resulting in hundreds of thousands of dollars in ransom payments and tens of millions of dollars in financial impacts. These attacks have evolved of late to be much more effective in taking over critical information systems and to demand significantly higher ransoms than in previous years.
All county, municipal, and other local government agencies should be alert to this trending threat. A comprehensive security risk assessment, coupled with ongoing risk management activity, is the best way for agencies to understand the risks to their information systems, prevent attacks like these from being successful, and mitigate the financial and operational impacts if an attack does take place.
Ransomware has been a major cybersecurity concern over the last few years, but, as a recent Wired article notes, “For local governments, this past year has been a particularly brutal reminder of the threat.” The article continues:
“Following a 2018 attack that paralyzed the city of Atlanta for weeks, more than half a dozen cities and public services across the country have fallen to ransomware so far in 2019, on a near monthly basis; the Administrative Office of the Georgia Courts became the latest victim this Saturday, when an attack knocked its systems offline.”
The FBI discourages ransom payments, noting that “paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.” However, some organizations don’t see any other option.
Notable Local Government Ransomware Attacks:
- The City of Atlanta municipal government suffered an extensive ransomware attack in March 2018, which was described at the time as “one of the most sustained and consequential cyberattacks ever mounted against a major American city” (The New York Times). City officials refused to pay the $51,000 ransom, opting instead to spend $2.6 million to recover from the crippling malware infection. The total economic impact of the attack is estimated at $17 million (VICE News).
- Earlier this year, the City of Baltimore was infected with ransomware, leaving the city unable to produce water bills and property tax bills and shutting out city employees from their computers and email (CBS Baltimore). The hacker demanded $100,000 in bitcoin, which the city refused to pay. Baltimore is still trying to recover two months after the attack. Estimates put total losses at over $18 million (Bloomberg).
- In Florida, two different city governments were infected by ransomware within a two-week time span. Both city governments decided to pay the ransom amounts — $600,000 and $460,000, respectively — to unfreeze their files, presumably aware of the enormous recovery costs experienced by Atlanta and Baltimore. The Lake City, FL, mayor was quoted as saying, “I would’ve never dreamed this could’ve happened, especially in a small town like this” (CBS News).
- Last week, a third Florida local government, Key Biscayne, was struck by similar ransomware. As of this writing, the city had not ruled out paying the hacker (CBS News). All three Florida incidents started when an employee clicked a malicious link in a phishing email.
- Closer to home, the government of Fayette County, Ohio, was also attacked by ransomware last week. Numerous county systems were infected, including property tax and employee payroll systems. The agency’s employees have been working around the clock to restore their servers and data. Fortunately, the county government was more prepared than most others on this list and had comprehensive risk management services in place to assist with the attack’s aftermath (Record Herald).
- Over the weekend, the Administrative Office of Georgia Courts was infected by ransomware, taking it offline (Wired). Systems are still down as of this writing.
Why Are These Attacks So Bad?
These attacks appear to be an evolution from much of what we’ve seen before in a few different ways. First, attackers seem to be targeting county and local government agencies. Previous ransomware attacks have generally been either completely random or targeted at major corporations and infrastructure.
Second, attackers are growing more sophisticated. Rather than encrypting whatever they touch, attackers seem to work in multiple phases: gaining a foothold in a network, often through phishing; moving deeper to gain access to critical systems; then finally triggering the ransomware to take over the “crown jewels” and inflict the most damage.
Third, the ransom amounts are increasing, from hundreds of dollars a couple of years ago to hundreds of thousands of dollars now.
Protect Your Agency
The Fayette County, Ohio attack shows that Ohio county government agencies, even small ones, are at risk of being targeted with these attacks. This is not a theoretical threat!
Effective risk assessment and ongoing risk management are key for agencies to address this threat. Through risk assessment and management, agencies can identify their vulnerability to an attack like this, ensure appropriate protections are in place, and implement the needed backup and recovery capabilities to mitigate the damage should an attack be successful.
The Fayette County government is in better shape than most others we’ve discussed because they appear to have taken at least some of these risk management actions. Eagle reached out to Fayette County Commissioner Dan Dean, who said that, although the investigation won’t be complete for a few weeks, it appears that nothing was stolen. All of their primary systems were backed up, and they are using this attack as a way to help them make focused changes in the application of their risk management processes.
We don’t want you to be caught unprepared! If your agency is concerned about this growing threat or is unsure of your risks and security protections, contact us to discuss how Eagle Consulting Partners can help.