During the first eight months of last year alone, ransomware attacks on local and state governments in the U.S. grew by 51% over the same period in 2022, according to the Center for Internet Security’s 2022 National Cybersecurity Review, which surveyed more than 3,600 state, local, and other regional governments.
In Cleveland, city officials are still working with federal and state authorities to determine the type and scope of the threat to City Hall’s computer systems, which was first flagged on Sunday.
Bibb on Monday cited that ongoing investigation as the reason why officials aren’t saying much at all about the threat, including whether it’s a ransomware attack, and whether the city has its data sufficiently backed up, so it isn’t forced to pay a ransom to regain access to it.
If it is a ransomware attack, Cleveland would join Baltimore, Atlanta, Dallas, New Orleans and scores of smaller cities and public institutions across the U.S., and globally, that have been hit by ransomware gangs. While ransomware attacks happen to all types of organizations — and big businesses have often found themselves on the receiving end — local and state governments are particularly vulnerable, according to several studies and news reports.
Municipalities are known to be understaffed, underfunded, and not properly trained in cybersecurity, making them an ideal target, according to a December report from cybersecurity news website Dark Reading.
“When ransomware groups seek out their targets, they know that municipalities will be unprepared to handle their attacks, which will either lead to success and potential notoriety or, even better, an easy ransom payment,” the article stated.
Bibb wouldn’t say whether he would consider paying a ransom if one were demanded. But broadly, the FBI advises organizations against paying.
Those organizations that pay ransoms may be able to get their systems back online quicker than those who don’t, according to Lisa Plaggemier, executive director at the National Cybersecurity Alliance.
In cases where the ransom isn’t paid, organizations must rely on their own clean back-ups to restore each system one-by-one. That can take time. Meanwhile, some city workers are left to complete their jobs without access to the computer systems they normally rely on. And if the backed-up data isn’t sufficient or is poorly maintained, organizations can suffer even more consequences.
Take Baltimore’s run-in with ransomware in May 2019, when hackers demanded about $76,000 to unlock the city systems they’d encrypted. The hackers warned that if the city didn’t pay within a few days, the price tag would increase. After 10 days, they said they’d wipe the city’s files completely.
Similar to what Cleveland did on Sunday, Baltimore responded by shutting down all servers, save those needed for essential services. Baltimore officials ultimately refused to pay up. They initially estimated it would take them weeks to recover, but the restoration process ended up taking five months. For weeks, the city’s online payment systems were offline, city bills weren’t getting paid, and email and phone systems were down, according to news reports. Some databases and applications were offline for months.
Even without paying the ransom, Baltimore faced a tab of over $18 million in recovery expenses, the Baltimore Sun reported. The city did not have insurance that covered cyber attacks, so taxpayers were completely on the hook.
Cleveland does not have a specific cyber attack insurance policy either, according to a city spokeswoman. The city is largely self-insured, meaning it usually pays for insurance costs directly out of its bank account.
Another big municipal attack occurred in Dallas in May 2023, when police, utility and court systems, among others, were affected. The city similarly shut down its servers to prevent the ransomware from spreading further. About three weeks after problems were detected, a ransomware group threatened to release sensitive information it had accessed, including employee information, medical information, and detailed court records.
It wasn’t until August that Texas authorities disclosed that more than 30,000 people’s personal information had been compromised, including Social Security numbers.
It’s unclear whether Dallas agreed to pay a ransom. But the Dallas City Council later signed off on an $8.5 million bill, including money for vendors who helped in the recovery process. A local news report from August said Dallas officials declined to say whether a ransom payment was included in that bill.
New Orleans, too, refused to pay a ransom after an attack in late 2019. It took the city one year, and more than $5 million, to recover, though it did have a $3 million ransomware insurance policy, the Washington Post reported.
Ransom demands have increased massively over the past few years, because hackers have found ransomware to be lucrative, said Alex Hamerstone, director of advisory solutions for Fairlawn-based TrustedSec.
While some refuse to pay ransoms, other public entities have chosen to pay them, likely because they determine it would be quicker and cost less than recovering data from back-ups or rebuilding the entire system.
In 2020, for example, the University of California at San Francisco shelled out $1.14 million to ransomers, and Delaware County, Pennsylvania agreed to pay $500,000.
In fact, a recent report from cybersecurity company Sophos — reflecting ransomware attacks in a variety of private and public organizations, across 14 different countries — found that just 4% of ransom demands in 2022 exceeded $5 million. By 2024, that figure had grown by nearly eight times, with 31% of ransom demands now exceeding $5 million.
More organizations are paying them, or relying on a combined approach that relies on both back-ups and paying a ransom.
According to Sophos’ 2024 report, 65% of organizations that are roughly Cleveland’s size used back-ups to recover from a ransomware attack, and 56% paid all or part of the ransom demanded.
©2024 Advance Local Media LLC, Distributed by Tribune Content Agency, LLC.
