Online Exclusive

Municipalities become new focus of ransomware attacks

In August, the FBI began investigating a coordinated ransomware attack that struck 22 small local governments in Texas (initially reported as 23). Within these mostly rural municipalities, residents have been unable to access birth and death certificates online, pay utility bills or conduct any city business or financial operations.

Mayor Gary Heinrich of Keene, a town of nearly 6,000 residents outside Fort Worth, told NPR that the attackers had demanded $2.5 million to unlock the encrypted files. Heinrich explained that the attackers did not break into Keene directly: they compromised the outsourced company that manages the town's information technology, and reached the town through it. “A lot of folks in Texas use providers to do that because we don’t have a staff big enough to have IT in house,” Heinrich said. Elliott Sprehe, a spokesman for the Texas Department of Information Resources, told NPR that, as far as he was aware, none of the 23 cities affected had paid the ransom, which the department believes was demanded by “one single threat actor.”

An attack that reaches many victims through one compromised service provider is a relatively recent and damaging variant of ransomware: rather than phishing each town separately, the attacker compromises the outsourced IT provider and uses that trusted access to put every customer municipality out of commission at the same time. Attacks on government agencies have been rising for several years, according to a report by the research firm Recorded Future. The report counted at least 169 ransomware incidents involving state and local government systems since 2013, and Allan Liska, a threat intelligence analyst at the firm, has already identified more than 60 in 2019.

Liska told NPR that the attack on Texas “absolutely is the largest coordinated attack we’ve seen,” though he notes that the number of computers affected is as yet unknown. “Hitting 23 towns at once was bad, but we don’t know how much damage was done,” said Liska. “One computer in each town versus 100 computers in each town is a big difference.”

According to the NPR article, many ransomware families exist, but the attacks on municipalities have mostly followed the same playbook. A seemingly routine email arrives in a government employee’s inbox carrying a link or attachment; when the recipient opens it, the malware runs and infects the victim organization’s systems. The ransomware then encrypts the data it finds. In Baltimore’s case the program, called “RobinHood” (usually written RobbinHood), left the city’s files readable only with a decryption key that the attackers alone hold.

According to Johns Hopkins computer science professor and cybersecurity expert Avi Rubin, “[RobinHood is] believed by the cryptographic community, both the theoreticians as well as the practitioners, to be unbreakable by today’s technologies.” (See Ransomware Cyberattacks Knock Baltimore’s City Services Offline, by Emily Sullivan, May 21, NPR.)
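The passage above states the mechanism in a sentence. To make concrete why the only ways out are the attacker’s key or a backup, here is an added example (not code from NPR, from Rubin or from the article’s author, and not the RobinHood code itself) of the hybrid encryption that modern ransomware families use: each file is encrypted with a fresh random AES-256-GCM key, and that key is in turn encrypted with an RSA public key shipped inside the malware. The matching private key never touches the victim’s machine. The key sizes, the constructed sample record and the function names are my choices for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is all that remains of a file on the victim host after the encryptor
// runs: the AES-GCM ciphertext plus the per-file key wrapped under the
// attacker's RSA public key. The clear file key is never written to disk.
type Sealed struct {
	Nonce, Ciphertext, WrappedKey []byte
}

// Outcome records the three recovery paths the article contrasts.
type Outcome struct {
	DecryptedWithAttackerKey bool // the key the extortionist sells works
	DecryptedWithOtherKey    bool // any other private key fails; no shortcut
	RestoredFromBackup       bool // an isolated copy needs no key at all
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal models the encryption step: a fresh random 256-bit key per file,
// wrapped with RSA-OAEP under the public key compiled into the malware.
func seal(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKey: wrapped,
	}, nil
}

// unseal models recovery once a private key is in hand: unwrap the file key,
// then decrypt. With any other private key the OAEP unwrap fails outright.
func unseal(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// RunScenario encrypts one record the way the malware would, wipes the live
// copy, and then tries each recovery path against the original content.
func RunScenario(record []byte) (Outcome, error) {
	var out Outcome
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // stays with the attacker
	if err != nil {
		return out, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048) // any other key
	if err != nil {
		return out, err
	}
	backup := append([]byte(nil), record...) // isolated copy taken beforehand
	live := append([]byte(nil), record...)   // the copy on the victim host
	sealed, err := seal(&attacker.PublicKey, live)
	if err != nil {
		return out, err
	}
	for i := range live { // the plaintext on the host is now gone
		live[i] = 0
	}
	if got, err := unseal(attacker, sealed); err == nil && bytes.Equal(got, record) {
		out.DecryptedWithAttackerKey = true
	}
	if got, err := unseal(someoneElse, sealed); err == nil && bytes.Equal(got, record) {
		out.DecryptedWithOtherKey = true
	}
	out.RestoredFromBackup = bytes.Equal(backup, record)
	return out, nil
}

func main() {
	// Constructed sample record; not real municipal data.
	out, err := RunScenario([]byte("birth certificate 0001: Jane Doe, 2019-08-01"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run it with `go run`. Recovering the data by attacking the cryptography is not on the table: it would mean breaking 2048-bit RSA or guessing a 256-bit key, which is what Rubin means by “unbreakable by today’s technologies.” What works is the attacker’s private key, which is what a ransom buys, or a copy of the data the malware could not reach. That is why the backup advice later in this article matters, and why those backups have to be isolated from the network the ransomware spreads on and tested by actually restoring from them. The scenario also assumes the attacker’s decryptor works correctly; the FBI’s warning that paying does not guarantee recovery holds precisely because that assumption often fails in practice.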

Some ransomware families have died out after their operators were tracked down and indicted. However, experts believe that skilled ransomware operators reinvest their profits in developing stronger, more targeted ransomware. The market operates like a criminal syndicate: groups of developers sell their malware to anyone willing to buy on underground markets, so many families are in wide criminal circulation.

This broad circulation of ransomware has enabled the surge in attacks on municipal governments. When such attacks became common a few years ago, attackers tended to target hospital servers, betting that the institutions would pay quickly to regain access to private, time-sensitive medical records. As hospitals hardened their defenses, attackers turned to municipalities running out-of-date hardware and servers that likely had never been backed up.

In March 2018, the city of Atlanta was hit with the SamSam ransomware. The ransom note demanded six bitcoin, then worth roughly $40,000 to $50,000. A year after refusing to pay, Atlanta reported that it expected to spend up to $17 million to restore its systems and overhaul its security. The city has pledged a continuing multimillion-dollar effort to guard against future attacks and has also hired a new chief information officer.

The Atlanta attack was followed by a breach of similar scale this past May, when attackers exploited vulnerable software and hardware used by the city of Baltimore. They demanded 13 bitcoin, about $100,000, for the decryption key. Baltimore Mayor Jack Young refused to pay, beginning the slow process of rebuilding servers and restoring as much data as possible.

In the meantime, government email, online payments and real-estate transactions remained out of commission, taking nearly two months to come back online. As of July 25, the Baltimore City Council had approved a $10 million spending package for the recovery, and nearly half of it had already been spent on staff overtime, new hardware and cybersecurity specialists. Analysts estimate the total cost of the recovery will reach about $18 million once revenue lost during the outage is included.

Most of these attacks have struck smaller, more vulnerable municipalities like those recently hit in Texas. This past January, attackers hit the Texas town of Del Rio, forcing the city government to process transactions by hand with pen and paper and to keep constituents informed through Facebook.

In late March and April, Greenville, North Carolina, and Albany, New York, both fell victim to ransomware. Albany was hit on a Saturday, when its security command center was more thinly staffed than on a weekday; timing an attack for a weekend or holiday, when fewer people are watching, is a common tactic. In Greenville, city officials also took to Facebook, posting a message of assurance to their citizens: “It is important to note that computers don’t run cities. People do. All of our operations are continuing, although we are having to adjust some of the ways that we do things in some areas.”

Other municipalities and government systems that have suffered from attacks include the Jackson County Court System in Georgia; Key Biscayne, Florida; Lake City, Florida; Riviera Beach, Florida; Cleveland Hopkins International Airport; and Philadelphia Courts First Judicial District.

When the city of Baltimore refused to pay the demanded ransom, a fact sheet on the city’s website explained its decision: “First, we were advised by both the FBI and Secret Service not to pay the ransom. Second, that is not how the City of Baltimore operates; we do not reward criminal behavior. Also, paying the ransom does not make the recovery process cheaper or faster. Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment.”

In the case of Lake City, a town of about 12,000 residents, officials judged that rebuilding its servers would cost more than the ransom, so the city paid about $460,000 in bitcoin. Its insurer covered the payment, but taxpayers still bore a $10,000 deductible. Riviera Beach is one of the few other cities to have paid, sending 65 bitcoin, about $600,000, to its attackers.

The research firm CyberEdge found that 45% of organizations hit by ransomware end up paying, because they don’t believe they can recover any other way. Among state and local governments, however, Recorded Future found that only about 17% pay. The gap is largely because federal law enforcement discourages government agencies from paying, so as not to incentivize further attacks. Government agencies also draw heavier media coverage and are more likely to call in the FBI to assist with the investigation, so many cybercriminals treat municipal attacks as a way to raise their profile within the hacker community.

In a statement to WIRED, the FBI dissuaded agencies from paying ransoms. “The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes,” said the statement. “Additionally, paying a ransom does not guarantee the victim will regain access to their data. … The main thrust of the FBI’s ransomware outreach program is to inform the public that most ransomware can be prevented.”

Training and awareness are key

Municipal offices are now scrambling to revamp their security and to train employees not to open malicious links and attachments. Jake Williams, founder of the security firm Rendition Infosec, noted, “While the size of recent payouts are certainly not groundbreaking, publicly reporting on them is. There are tons of targets out there, and most of them don’t realize they have the exposure. I’ve never worked a ransomware case where a victim said ‘we realized this could happen to us but were playing the odds it wouldn’t.’ Most of them have heard of ransomware but fail to realize they have an exposure.”

Alan Shark in StateTech Magazine offers a slew of measures that local governments can take to combat ransomware attacks:

  • Have a third-party organization execute a risk assessment.
  • Hire a chief information security officer to maintain security full-time.
  • Obtain cyber insurance.
  • Offer cyber awareness training with the municipal workforce.
  • Back up data daily, weekly and monthly.
  • Isolate data backups from application backups.

For localities that don’t have budgets robust enough to take all these steps, Cory Fleming, a senior technical specialist for the International City/County Management Association, emphasizes cybersecurity training for as many people as possible. “Governments can’t leave cybersecurity just to the IT staff — it’s everyone’s job.”

Hallie Ayres is a freelance writer and guest contributor for