Media Center

Ransomware Attacks Targeting Cities and Municipalities

June 24, 2019
Publications

by Devin Chwastyk and Chase Wright

On May 7, 2019, the City of Baltimore discovered that its integral systems were the subject of a ransomware attack, breaching the City’s phone systems, emails, documents and critical operational databases, affecting roughly 10,000 City computers. The City notified the F.B.I. and took offline as many other systems as possible to prevent the spread of the cyberattack, but not before the malicious software locked and encrypted many of the City’s systems. The hackers responsible for the attack demanded thirteen bitcoins (approximately $100,000), as ransom, to release the City’s inaccessible databases and operational tools. In a move intended to disincentive future attacks, Baltimore rejected hackers’ demands and did not pay the ransom.

Shortly after the Baltimore attack, City officials announced that they were the victim of a RobinHood ransomware attack. A “ransomware” attack involves malicious software infecting a computer, which then encrypts a victim’s data and demands a ransom to restore access (usually within a short timeframe). RobinHood is a new variant of ransomware that uses a sophisticated attack method and has mainly targeted municipalities.

Today, over a month since discovery of the attack in Baltimore, the City has still not fully recovered, and central City data remains inaccessible, seemingly in perpetuity. The lasting damage that the ransomware attack will have on the City is already one for the history books, as the mounting costs continue to multiply. The City’s budget office estimates that the attack will cost over $18.2 million in costs and lost revenue, with an even larger impact on the local economy due to the City’s lack of communication and operation in many departments. The City’s Finance Director, Henry Raymond, estimates that the City has already spent $10 million in recovery and forensic expenses, and the City is expected to lose over $8 million more in lost revenue.

In the weeks following the Baltimore attack, the City’s head of information security acknowledged and apologized for the City’s slow response. In Baltimore, out-of-date computer systems and lack of experience and resources helped create a more susceptible environment to this type of attack.

Although newer to the public eye, ransomware attacks on municipalities are no longer an outlier. Recent studies show that over 170 ransomware attacks have hit U.S. cities and local governments in the past six years. In 2018 alone, over 50 ransomware attacks have targeted local governments, and at least 21 similar incidents have already occurred this year.

One of the most recent attacks hit the Palm Beach suburb of Riviera Beach, which resulted in the Florida city agreeing to pay sixty-five bitcoins (approximately $600,000) in ransom to retrieve the city’s encrypted records. Counter to the approach taken in the cities of Baltimore and Atlanta, the Riviera Beach City Council decided to pay the ransom outright, as opposed to ignoring the hackers and attempting to retrieve the records themselves. Following the attack, the council has already approved spending approximately $1 million on new computers and hardware.

The recent increase in these attacks can be attributed to multiple factors. For one, unlike large corporations that have deep pockets to invest in comprehensive cyber protection programs, local governments often lack those fiscal resources to devote to proactive measures. This lack of financial resources limits municipalities’ ability to obtain and retain high-talent IT professionals and invest in the latest technology. And with the rise of cryptocurrencies, like Bitcoin, payment of cyber-ransom is virtually impossible to track.

Municipalities around the U.S. can learn from the events in Baltimore, Atlanta, and Riviera Beach and should take proactive steps to patch similar vulnerabilities. Such measures include increasing IT budgets, consulting with data security professionals, investing in cybersecurity programs, properly training staff to detect malicious content, updating computer systems, and implementing policies and procedures to prevent slow responses in the event of such an attack. Additionally, all municipalities should consider whether they have adequate cyber insurance policies to cover for direct and indirect costs in the event of such an incident.

These are just some of the latest examples of the threat facing municipalities around the country. Preparation is the key to building safeguards to fend off a similar attack in your local government, and the McNees Privacy & Data Security team can help you plan for disaster-and respond when it strikes.


Devin Chwastyk is Chair of the Privacy & Data Security Group, and Chase J. Wright practices in the Privacy & Data Security and Corporate & Tax Groups at McNees Wallace & Nurick LLC.


© 2019 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.