Money for Nothing: Ransomware Plagues Local Governments

The string of ransomware attacks against state and local government agencies that began to ramp up a couple years ago is continuing unabated, and the attackers in some incidents are becoming quite aggressive with their ransom demands.

In July, municipal workers in New Bedford, Mass., returning from the Independence Day holiday found that some of the city’s computers were infected with the Ryuk ransomware. It wasn’t immediately clear how the infection happened or how far it had spread, but this week the mayor revealed that four percent of the city’s systems were affected and that some of those computers were still unusable. The number of infected machines is on the lower side as these attacks go, but the ransom demand certainly was not. The attackers wanted $5.3 million.

That would be a significant payout for a large enterprise, let alone a mid-sized city government. Which is the same conclusion the New Bedford government came to, so the city offered the attackers $400,000 instead, to be paid from an insurance fund. A $400,000 payoff from someone opening your malicious attachment is a tidy wage, but the attackers saw it differently and rejected the offer. And then a funny thing happened: the attackers went dark. There were no further communications from them, so the New Bedford IT teams set about recovering from backups, a process that’s still ongoing.

City officials said that a total of 158 machines were infected by Ryuk and the IT team has completely rebuilt the city’s server network and replaced all of the computers that were hit by Ryuk.

“We live in a world now that is so interconnected that simply pulling up the proverbial drawbridge is unrealistic,” New Bedford Mayor Jon Mitchell said.

The New Bedford situation is unusual with regard to the ransom demand, but it’s increasingly common for ransomware to not only infect but cripple the systems in state, city, and local governments. Last month, more than 20 government agencies in Texas were hit with ransomware in a coordinated attack attributed to a single adversary. The City of Baltimore also was hit by a significant ransomware infection in May, an attack that brought down much of the city’s computer infrastructure for several weeks and prevented residents from paying city bills and completing many other transactions. As with the New Bedford attack, Baltimore’s city leaders refused to pay the ransom demand--about $100,000 in this case--and opted to try to recover from backups.

Data collected by security firm Barracuda on ransomware attacks shows that there were 55 attacks on governments through the end of August (excluding the Texas agencies, which had not been confirmed yet), and 38 of the attacks were on local governments and 14 were on county governments. About 45 percent of the municipalities hit by ransomware have fewer than 50,000 residents. This is likely not by chance. Smaller cities and counties have smaller budgets and fewer resources to devote to IT in general and security specifically. New Bedford is on the higher end of that population scale, with close to 100,000 residents, but the city still faced a tough challenge in dealing with the ransomware infection.

“Going forward we’re going to have to spend some money on perhaps adding some personnel to MIS and perhaps a person with a security focus,” Mitchell said in a press conference Wednesday.

This week also saw a ransomware attack on the network of the Flagstaff Unified School District in Arizona that forced the city to close schools on Thursday and Friday. School officials haven’t said what strain of ransomware was involved and have not paid the ransom at this point.

“All Flagstaff Unified School District schools will be closed on Friday, September 6, 2019 due to the continuing work to respond to the cyber security attack. Progress was made today in securing critical FUSD systems, but unfortunately, work will need to continue through the weekend to ensure that students can return to school on Monday,” the school district said.

Although officials in many municipalities have refused to pay the ransom, some others have shelled out significant amounts of money to recover their data. Lake City, Fla., recently paid around $500,000 to ransomware attackers and Riviera Beach, Fla., paid almost $600,000 to get encrypted data back. Baltimore officials declined to pay a $100,000 ransom but have incurred recovery costs of more than $18 million to clean up the ransomware infection, and last year officials in Atlanta committed more than $8 million to recovery efforts after refusing to pay a $51,000 ransom demand.

Though the costs of recovering without paying the ransom can be exponentially higher, depending on the city’s backups and incident response plan, a new survey by IBM Security found that most people would rather their governments not use tax revenue to pay ransoms. Nearly 60 percent of people did not want their government paying ransoms with tax dollars, while more than 60 percent said they would rather see higher recovery costs than use tax dollars to pay ransomware demands.

The costs of running ransomware operations are vanishingly small for attackers and the returns can be quite high, so as long as that economic imbalance exists, the attacks will persist.