A Florida town pays $600,000 to hackers who seized control of the city’s computer systems, a breach that began in the police department.
Computer screens at a dispatch center go dark, jail cell doors can’t be opened remotely and sheriff’s deputies can’t look up license plates as a cyberattack hits Jackson County, Ga.
An airport in Albany County, NY, pays a “less than six-figure” ransom to restore data that was encrypted by a virus spread on the airport authority’s servers and backup servers.
These are just a few examples of the fast-growing threat of ransomware attacks on local governments and public safety agencies. The U.S. Conference of Mayors cites at least 22 major ransomware attacks against local governments in 2019, causing service disruptions and costing millions of dollars in ransoms and repairs. Experts say the actual number of attacks is probably much higher than reported, because many agencies that have paid ransoms do not want their names released for fear of becoming a repeat target.
While ransomware is a key concern for any business, such attacks on local government and public safety agencies threaten lives, not just the bottom line. Why are public safety agencies a target for ransomware attacks, and why are these attacks growing? Perhaps most important, how can local governments protect themselves?
Why Ransomware Targets Public Safety
Cyber criminals have forced U.S. hospitals, schools and cities to pay hundreds of millions in ransom to regain access to critical files. In the most widely reported case, two individuals from Iran were indicted after allegedly collecting over $6 million in ransom payments from municipalities and other victims. The ransomware they developed was known as “SamSam” and the attackers specifically targeted public entities, hospitals and municipalities.
But why? In the SamSam case, then-Deputy Attorney General Rod Rosenstein stated, “They knew that shutting down those computer systems could cause significant harm to innocent victims.”
So the first thing to consider is that public safety agencies and local governments make good targets for ransomware because hurting them has a multiplier effect, with potentially life-threatening consequences.
Media accounts of how ransomware has hurt public safety agencies can also lead to an increase in attacks. In many communities, negative publicity surrounding law enforcement has generated anger, which can in turn make agencies more vulnerable to ransomware attacks. Local governments are also an easy target because they often rely on aging computer systems that are easier to access and damage.
When ransomware attacks first started hitting public safety agencies, it was not common to pay ransoms. After all, law enforcement agencies aren’t typically inclined to allow criminals to dictate the terms of engagement. But when those payments were refused, files were never seen again. Now, the increasing number of attacks is, more often, forcing agencies to pay.
Anatomy of an Attack
Much of the ransomware affecting the United States originates in Russia and other parts of Eastern Europe. The FBI is investigating actively, but it has been difficult to find details on the members of the “ransom gangs.” Because all that’s needed is some computer equipment, technological expertise and access, hackers can live almost anywhere, connecting virtually across the world and evading detection for years.
A typical ransomware attack goes like this: An email is received with what appears to be an important link to click on or an attachment to open. When the recipient dutifully clicks or opens, their files become encrypted. This encryption can spread through the agency’s or municipality’s networks until everything gets locked.
The user will usually see a message indicating their files are being held hostage; they may see a clock ticking with a countdown to the deadline for paying the ransom. Payment is normally demanded in Bitcoin, an untraceable digital currency. The message will also often provide instructions on how to access Bitcoin. When the ransom is paid, the agency will get an emailed “decryption key” that unlocks the system. If the agency won’t pay, the hackers threaten to delete the files.
It can be tempting to quickly pay a ransom when the amount is just a few hundred dollars, but the examples cited at the beginning of this article show that is not normally the case. Hackers know who they’re targeting; they understand municipalities have access to funds an individual might not. Another factor to consider when deciding whether to pay a ransom is that some experts believe ransomware often funds terrorism and organized crime—clearly contradictory to the missions of public safety agencies.
Finally, consider the message you’re sending to the hackers when you pay a ransom. The FBI acknowledges most victims who pay ransom do get their files back. But they note every time a payout is made, it encourages hackers to attempt more attacks.
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
By: Richard Spiers, CPCU, ARM, ARe, AIC
Consultant, Spiers Consulting, LLC
Richard has been in the insurance industry since 1980 and was a claim executive in the reinsurance and excess marketplace since 1985. He was with Genesis Management and Insurance Services for over 20 years. He is currently doing claim consulting work. Richard has extensive experience handling the wide array of claims faced by public entities, K-12 school districts and the higher education sector. Based in Chicago, he has also worked for Transamerica Insurance Group, Northbrook Excess and Surplus Insurance, CNA and Allstate Reinsurance. He is a graduate of Northern Illinois University, a member of the Society of CPCU, and holds associate designations in risk management, claims, and reinsurance. Richard has been developing and presenting insurance industry-related training sessions to a variety of client and industry groups for over 25 years.