Ransomware attacks are expensive threats to city and state governments
Upon learning that Riviera Beach's computer systems were being held hostage earlier this summer, KaShamba Miller-Anderson's first instinct was to assume it was a joke. Her four years on the South Florida city's council made her its longest-serving member, but in no way did her tenure prepare her for the ransomware attack that locked up the city's emails, phones and scores of public records.
"I had to do research on my own to see where everyone was coming from and what my options were," she said. "Really, there were only two."
The council could either agree to pay the $600,000 ransom or brace for the fallout - at any cost.
Suddenly, the seaside city of 35,000 had become one of the more than 200 state and local governments broadsided by a ransomware attack in recent years. Just last weekend, officials in Texas discovered 23 local municipalities had been targeted, extending a summer run in which hackers have swiped through a public school system in Oklahoma, a courts database in Georgia, a fire department in Rhode Island, and locales in Tennessee, West Virginia, North Carolina and more.
The hacks have potentially deadly consequences, as many of the targeted cities have had to scramble to get police, 911 systems and fire departments back online.
These expensive, disruptive and increasingly frequent attacks have exposed the soft underside of the nation's cybersecurity preparedness as criminal hackers snarl basic services for millions of Americans - attacking from anywhere in the world while operating with virtual impunity. Security experts say there's no sign of reprieve.
Resolving the problems quickly often means paying hackers a hefty ransom. But analysts and law enforcers worry that that approach will galvanize hackers, worsening the problem in the long run and setting up the next slate of vulnerable cities.
"Every time this gets publicized, every time somebody pays hundreds of thousands in ransom, it emboldens [the hackers] to keep going," said Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike. "That's the reason they're going after [governments], which need to have emergency services up and running. When the city has to say, 'Don't call 911, call this guy's cellphone number,' that's when the citizenry starts saying, 'Why?' "
- - -
Experts worry that many local governments are sitting ducks; municipalities often lack the funding to keep their security systems up to date. Their lawmakers and employees are not experts in cyber crime. Plus, their IT systems are often wired in ways that make it easy to spill from one department to the next. A hacker who happens to infiltrate the city's accounting department, for example, can easily slip through to the water management unit, the court system, and so on.
It's an emergency situation that takes all victims off guard, and often without a clear road map for how to respond. The FBI can investigate ransomware attacks that get reported to it, but victims aren't required to notify the agency. Investigators worry that too few victims come forward on their own.
These forces coalesced for Miller-Anderson this summer. In February, Riviera Beach's interim IT manager had warned that the security system for the city's computers was dangerously out of date, making it "more susceptible to security concerns and ransomware viruses."
The city council approved the purchase of a new system for $798,419, but it was never installed, The Palm Beach Post reported. Then came the ransomware attack - and the decision for Miller-Anderson and her colleagues to pay or not.
For victims, deciding whether to pay the ransom is a Catch-22. Handing over the money is often viewed as the fastest way to regain control of a computer system, but there's no guarantee that the hackers will follow through. (Some of the more "reputable" hackers have actually offered victims tips on how to avoid future attacks, experts say.) And the ransom is typically far below what it would cost a city to handle the repairs on its own - sometimes a few thousand dollars versus millions.
But victims don't want to be seen as negotiating with, let alone paying, extortionists. The FBI also discourages victims from paying.
"As important as it is to get services back online quickly, there's a big incentive not to pay," said Allan Liska, an intelligence analyst at the internet security company Recorded Future. For cities, "unlike a bank or a hospital, it's not your money. It's the taxpayers' money."
Riviera Beach had a cyber insurance policy that put officials in touch with cyber experts who helped negotiate the ransom, Miller-Anderson said. The policy covered the $600,000 payment, and the city paid its $25,000 deductible.
Shortly afterward, the North Florida town of Lake City committed to paying hackers a $460,000 ransom, almost all of which was covered by insurance. Still, some of the most high-profile ransomware attacks involved those that refused to negotiate.
Last year, Atlanta declined to pay $51,000 to hackers. The mayor recently testified before Congress that the cleanup had cost the city $7.2 million. A May cyberattack in Baltimore has cost the city an estimated $18 million. Hackers had initially asked for about $75,000, but officials worried that even if the city had paid, its systems would still have been vulnerable. Officials in Texas are not yet naming the municipalities that were recently hacked or releasing any information about ransom amounts.
Section Chief Herbert Stapleton of the FBI's Cyber Division said ransomware attacks are a "very high priority because of how widespread they are, and because of the damage and costs they cause for victims." Once they've been hit, victims can contact a local FBI field office and file a complaint with the agency's Internet Crime Complaint Center, called IC3. (The FBI encourages both.)
The IC3 portal received 1,493 ransomware reports in 2018, and that count does not necessarily include direct reports to FBI field offices. (The agency said it could not provide a breakdown of attacks on cities or states.) Victims - including individuals, cities and private entities - reported losses in excess of $3.6 million, which includes money paid to hackers. That figure doesn't necessarily include estimates for lost business, time, wages or services from a third party.
Stapleton said he worries that victims shy away from reporting ransomware attacks on their own.
"The negative publicity, or even just a negative perception, that can be associated with being a victim of ransomware acts as a deterrent to reporting it to law enforcement," Stapleton said. "That's one of the major challenges we face."
- - -
Analysts fear that because these attacks are probably underreported, law enforcement's efforts may only go so far. That's what drove Liska to mine media coverage for ransomware attacks on local and state governments. His report found 169 attacks from November 2013 to April 2019 - and he's since identified at least 30 more. By Liska's count, ransomware attacks in 2019 are on track to surpass those from last year.
Not all cyberattacks are on the scale of Atlanta, Baltimore or Riviera Beach - some targeted smaller entities like public school districts, library systems or housing authorities. Liska found one small area of Alaska that had its computers down so long, employees had to pull typewriters from closets to do their work.
But Liska fears that even his tally is an undercount because local news can only surface so much.
"I don't know if we have 50 percent or 10 percent of the total number of incidents," Liska said. "Why aren't we cataloging these somewhere?"
Miller-Anderson said some of the delay in installing Riviera Beach's security upgrades was caused by customized equipment that was slow to get to town. But even if the systems had been installed, she doubts that her government would have been impervious.
"The way things change so rapidly, I don't know that it's something we could have avoided," she said.
This month, Riviera Beach's city manager said the city had recovered 90 percent of its data. For weeks, dispatchers had to write down 911 call information using pen and paper.
"You want to be fiscally responsible, but at the same time you have a decision to make," Miller-Anderson said. "Sometimes it's not always well received, but [you do it] as long as it's a decision you can live with and know you did it to the best of your ability."