Ransomware attacks prompt tough question for local officials: To pay or not to pay?

 

Some local governments pay ransoms because they need their data back quickly and might not have the expertise or resources to restore it themselves. Others say they refuse to be extorted, and some municipalities wind up in the middle.

When cybercriminals struck Lake City, Florida, last June, city officials had to make a tough choice: Pay the hackers or restore systems on their own.

A ransomware attack had hijacked the government’s computer network and held it hostage for several weeks. While the attack didn’t affect the police, fire or financial departments, it wreaked havoc on phone lines, email, utility records and many other services.

The hackers first demanded about $750,000 in bitcoin, a cryptocurrency, from the small, rural city to give it back control of its network.

The city tried to recover the data on its own, City Manager Joseph Helfenberger recalled, but that failed. Its insurance company negotiated with the hackers and got the ransom down to about $470,000. It recommended paying, and officials figured that was the best option because the city would have to cover only the $10,000 deductible.

“This is not a rich community. They can’t afford to spend money they don’t have,” Helfenberger said. “You have to look at what is going to serve the community the best.”

There were at least 113 successful ransomware attacks on state and local governments last year, according to global cybersecurity company Emsisoft, and in each case, officials had to figure out how to respond.

Some states have passed laws to target cybercriminals who deploy ransomware, but prosecutors have rarely used them. And local officials often are left vulnerable.

In Baltimore last May, hackers crippled thousands of computers, then demanded a ransom of about $76,000 in bitcoin. Democratic Mayor Bernard C. “Jack” Young refused to pay. Workers were unable to access online accounts and payment systems for weeks.

The attack ended up costing the city at least $18 million -- a combination of lost or delayed revenue and the expense of restoring systems. Young said in a statement last June that the FBI advised the city not to pay, and that it was “just not the way we operate,” adding, “We won’t reward criminal behavior.” The mayor’s office did not respond to Stateline requests for comment.

Baltimore and Lake City aren’t alone. The majority of publicized ransomware attacks in the United States last year targeted local governments, according to a recent report by the National Governors Association and the National Association of State Chief Information Officers.

Yet no one knows how many local and state governments have been hit by a ransomware attack. There is no national clearinghouse that collects all that information. Nor is every attack publicly reported. The FBI, which tracks national crime data, couldn’t be reached for comment before publication. 

Sophisticated hackers and cybercriminals zero in on local and state governments because their networks contain lots of valuable information, such as Social Security numbers, birth certificates, bank account details and credit card numbers.

For cybercriminals, local governments can be easy prey, with fewer resources to protect themselves than state governments. They also provide essential services to residents, which means they must have access to their data to function effectively day-to-day.

“Ransomware attacks against state and local governments were the top cybersecurity industry story in 2019, and it will continue to get worse in 2020, with new forms of ransomware,” said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states.

Threats also are evolving. Rather than just encrypting data and demanding ransom in exchange for providing a decryption key, experts say some cybercriminals will threaten to make public sensitive information if they don’t get their money.

That’s already happened in Pensacola, Fla. Hackers in December threatened to release files if the city didn’t pay a $1 million ransom. When it didn’t, they posted what they claimed was a 2 gigabyte archive of city files on a public website.

City spokeswoman Kaycee Lagarde said there is still an active FBI investigation, but city officials don’t think the hackers accessed any personal data, such as Social Security and driver’s license numbers, from employees or residents.

The city had backups for its major systems and was able to recover totally within two weeks without needing outside help, she said. But it ended up spending a total of about $372,000 to hire one company to do a cyber assessment and another to provide identity protection for 57,000 employees and residents, out of “an abundance of caution.”

“In the past, ransomware incidents were simply a very expensive inconvenience. Now they are becoming data breaches that can result in a lot of very sensitive information being posted online,” said Brett Callow, a threat analyst for cybersecurity company Emsisoft. “A government can find itself in a situation in which data has been stolen and it has no good options.”

Costly attacks

It’s hard to know how much state and local governments have spent dealing with ransomware attacks.

“It’s embarrassing for them to have to admit that,” said Tom Holt, a criminal justice professor at Michigan State University who specializes in cybersecurity. “They don’t want to announce the breadth of cyber insurance coverage and what they’ve had to pay.”

While state governments apparently haven’t paid ransom, a review of media reports shows that local governments shelled out at least $1.9 million in 2019, from the city of Washington, Pa., which paid $21,250 to hackers, to Riviera Beach, Fla., which authorized its insurer to pay $600,000.

Washington’s mayor did not respond to calls requesting comment. Riviera Beach City Manager Jonathan Evans wrote in an email that the FBI had advised officials there not to comment because it is still an active investigation.

And it cost local and state governments that refused to pay ransom at least $27.1 million to restore their systems and upgrade cybersecurity protection, media reports show. That includes lost revenue while services were put on hold.

To pay or not to pay

Some local governments pay ransom because they feel it’s the best option. They need their data back quickly and might not have the expertise or resources to recover it themselves, or the money it would take to restore the system.

Other local governments say “No way” to ransom demands, declaring that they refuse to be extorted.

And some governments wind up in the middle.

In New Bedford, Mass., which was attacked in July, cybercriminals demanded more than $5 million in ransom. Mayor Jon Mitchell made a counteroffer of $400,000, using insurance proceeds. The hackers didn’t agree, so the city opted to restore its system from backups.  

New Bedford spokesman Jonathan Carvalho said in an email that the city doesn’t have an estimate of the cost because much of the restoration was done in-house, and consultants were paid through an insurance policy.

“The reality is that municipalities, corporations, and even private individuals are in an arms race with cybercriminals who operate in far-flung places across the globe,” Mitchell said in a statement in September. “Every advance in anti-viral technology is effective until the criminals figure out how to get around it.”

Lohrmann, of Security Mentor, said there isn’t an easy answer for local governments to the question of whether to pay ransom.

“This is the $6 million question. It’s nuanced. It depends on the circumstances,” he said. “If it’s ‘pay $30,000 or it’s going to cost me $5 million to restore all my systems,’ I can see why they want to pay.”

The FBI cautioned in an October online alert that paying ransom only encourages more criminal behavior and emboldens cybercriminals, and it doesn’t guarantee the victim will regain access to the data.

But the agency noted that it “understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

CyberEdge, a cybersecurity research and consulting firm, found in 2019 that about 39% of public and private entities around the world that were hit with ransomware attacks over a 12-month period paid ransoms and lost their data anyway.

In July, the U.S. Conference of Mayors adopted a resolution urging local governments not to pay ransom to hackers.

That’s the right position, said Alan Shark, executive director of the Public Technology Institute, a Washington, D.C.-based nonprofit that provides training and other support to local government information technology executives.

“The danger is you pay, and they decide to walk away and still don’t unlock the files,” Shark said. “And your system may be so infected that if you pay, maybe they’ll come back again.”

But for Lake City official Helfenberger, that was a risk that officials had to take.

“It’s easier for more affluent communities to not pay ransom,” he said. “For communities that are poor like us and don’t have resources it’s much more of a struggle.”

And it would have cost “a whole lot more” than what the insurance company paid the hackers to try to restore everything, the city manager added. “There is no way we would have been able to recreate all the utility maps, the [meeting] minutes from the beginning of creation and all the other records. It’s just not possible.”

Legislative action

All 50 states have computer crime laws, and most address unauthorized access or computer trespass, according to Pam Greenberg, a senior fellow at the National Conference of State Legislatures. Ransomware potentially could be prosecuted under those statutes or extortion laws, she said.

But at least five states -- California, Connecticut, Michigan, Texas and Wyoming -- have made the use of ransomware or other forms of computer extortion a crime.

This year, Greenberg said, at least seven states are considering measures related specifically to ransomware.

Legislation proposed in Maryland, for example, would create criminal penalties for possessing ransomware with the intent to use it without authorization. Violators could face up to 10 years in prison and a $10,000 fine.

“The state attorneys want it. They want to be able to charge people if they can find them,” said Maryland Democratic state Sen. Susan Lee, who sponsored the measure. “At least there would be a law on the books. If it’s not there as a criminal offense, it’s not a deterrent.”

But some technology experts say ransomware could be covered under existing computer crime laws. And most ransomware attacks come from overseas countries such as Russia, Iran and China. That means finding and prosecuting perpetrators on the state level would be difficult, if not impossible, they say.

“I think it is a waste of time,” said Shark of the Public Technology Institute. “It sounds terrific, but most of these actors are in other countries. The money is going to bitcoin, and it’s untraceable.”

Legislators in Iowa and New York are considering another way to deal with ransomware: They’ve introduced bills that would prohibit local and state governments from paying ransom.

“We will only continue to see these attacks increase if we don’t put this policy in place. We have to cut off the money supply,” said New York Democratic state Sen. David Carlucci, the bill’s sponsor. “For years, the U.S. has had policies of not negotiating with terrorists or kidnappers. A similar idea should prevail about paying ransom for cyberattacks.”

Daniel Castro, vice president of the Information Technology and Innovation Foundation, a nonprofit think tank in Washington, D.C., agrees.

“I think it’s the right kind of strategy,” he said. “If you take away the option of them paying, the attackers are going to look for someone who can pay. They’re a for-profit enterprise.”

But others argue that barring government officials from paying ransom won’t eliminate the problem.

“I think it’s not going to work,” said Security Mentor’s Lohrmann, “although the intentions are good.”

There’s no way right now to stop cybercriminals from launching ransomware attacks on local and state government, he said, so the best approach is to be prepared.

“Is there a perfect solution, a silver bullet? No,” Lohrmann said. “But if you’ve got great backups and a really good restore system and staff training and other protections in place, you can dramatically reduce the likelihood that ransomware is going to have a major impact on you.”

That’s what Lake City ended up doing.

After the attack, Helfenberger said, the city immediately started staff cybersecurity training, and it has spent about $300,000 doing multiple system upgrades and continues to do more.

“You’ve got to consider that cybercriminals are gaining knowledge constantly,” he said. “If you stay the same, you’re going to get behind and it’s not going to work.”

This article was first posted to Stateline, an initiative of The Pew Charitable Trusts.
