A new review by Recorded Future, current through April 2019, offers a valuable dataset highlighting the targets, frequency, and outcome of ransomware attacks on state and local governments. The Review notes that the first ransomware attack occurred 30 years ago, but it focuses mostly on what has happened over the past six years when ransom attacks began in earnest.
State and local governments in the United States have been struck at least 169 times since 2013. The City of Baltimore recently fell prey to the RobbinHood virus. It stymied the city’s ability to process real estate transactions, process water bills, and carry out various routine functions. Atlanta suffered a high-profile attack in March 2017 that has since been traced to a pair of Iranian hackers.
The Recorded Future research finds that state and local governments are unlikely to pay ransom demands; just 17.1% did, compared with an average of 38% of victims in other sectors. Refusing to pay is workable if state and local agencies have robust backup systems that allow them to restore operations quickly, without needing to pay ransom. Unfortunately, many cities haven’t been able to put backups in place, and their unwillingness to pay modest ransoms has set them back many millions of dollars.
Public agencies are afraid to accede to ransom demands. Elected leaders don’t want to be seen as succumbing to ransomware. Public agencies may also refuse to pay on moral grounds, picking up the national government’s mantra of never negotiating with or rewarding terrorists. Indeed, this is the official guidance from the FBI, which is often called in to respond to these attacks.
Still other cities have reported that they did not yield to ransom demands but, in fact, paid a third-party ‘decryption firm’ to recover their data. As a recent ProPublica feature reported, most often these firms pay the ransom since regaining possession of data taken hostage is almost impossible.
The Recorded Future report finds that there were ransomware attacks in 48 states. While the number of attacks on public agencies has fluctuated each year, it has surged in recent years for state and local governments. Small towns are particularly vulnerable. They usually lack the expertise to fend off cyberattacks.
While the Report is detailed and valuable, it is non-exhaustive. One reason is that official reports on the scope and impact of ransomware attacks are lacking. Most of what is known comes from local news outlets. In some cases, cities may not even know when they have been compromised since malware often waits for weeks or months to strike after infiltrating a system.
What is known is that state and local governments cannot rely on technological fixes to protect them from cyberattacks. They need to be proactive and deploy defensive social engineering approaches. Hackers can get around the most sophisticated encryption if employees are not trained to ignore phishing emails. There are lots of relatively inexpensive moves that public agencies can make to reduce the risks of cyberattacks and protect themselves from ransomware intrusions when they do occur.