How do Ransomware Attacks Affect Municipal Governments?

By Sandy Reeser
VC3 Chief Executive Officer

Ransomware attacks are essentially cyber attacks in which the attacker often encrypts the victim’s data and effectively holds the data hostage unless a ransom is paid.

Although ransomware is a brazen form of cybercrime, municipalities are far from immune to it.

In general, ransomware attacks are designed to extort the victim, which may be a municipal government. For example, the cyber attackers who unleashed the SamSam malware on Atlanta in March of this year demanded $50,000 in bitcoin. In addition, the city of Atlanta was locked out of its IT system for six days and, as of June 2018, the city estimated the cost of recovery could reach $12 million.

Besides these impacts, the extent of the cyber attacker’s penetration could also leave a municipal government vulnerable to other cyber risks after the fact. These risks include additional data breaches and leaks on the dark web, where users and website managers can remain anonymous or untraceable.

The impact of ransomware on local government operations

Not only do ransomware attacks put governments at risk of losing control of their classified, confidential and personal information, such as social security numbers or credit card information, these attacks also have operational impacts.

For example, a ransomware attack that shuts down digital assets such as a payment platform or citizen portals could effectively grind municipal operations to a halt. A municipality may also be forced to use pen and paper instead of apps designed to streamline operations, and ransomware that shuts down 911 or 311 dispatch systems could even put lives at risk.

In March of this year, a ransomware attack on Baltimore shut down the city’s CAD system for about 22 hours, impacting the 911 system. While manual dispatching enabled public safety officers to respond to calls during this time period, the city’s dispatch calls were not recorded.

How do Ransomware Attacks Occur?

Initially, ransomware attacks occurred mostly through phishing. Phishing is essentially a method of tricking the end user into downloading malicious programs from fake web pages.

In some cases, these fake web pages may even try to trick the user into submitting their login credentials or providing information that could let the attacker compromise that user’s account. This is quite common in email-based phishing attacks targeted at specific individuals within or related to an organization.

However, according to cybersecurity expert Allan Liska in a PBS interview, phishing is becoming a less common means of staging ransomware attacks.

This isn’t surprising as employers focus more on training employees to detect phishing attempts. In fact, the International City/County Management Association (ICMA) reports in a study published in 2017 that of 411 local governments surveyed, 40.1 percent provide cybersecurity training for their staff at least annually and 30.9 percent provide training even more frequently.

Thus, cyber criminals are resorting to different - and longer-term - approaches to identify and exploit cybersecurity vulnerabilities in organizations. Microsoft states, “...attackers employ a mix of methods, using traditional techniques alongside new ones as they constantly explore ways to exploit both people and technologies.”

In other words, ransomware attackers are looking for weaknesses in how organizations allow access to confidential information or critical systems. The less rigid an organization’s policies and procedures are in these areas, the higher the attacker’s chances of gaining illicit access.

In addition, cyber attackers may also spend time trying to identify unsecured hardware and software through which they can attack IT systems.

How are Local Governments Faring in Stopping Ransomware?

According to Allan Liska, hospitals, health care facilities, and federal, state and local governments have all been more susceptible to ransomware attacks than other industries. He attributes this to the fact that these public agencies often don’t have the same level of resources dedicated to security and their security teams “tend to be stretched thinner.” Also, Liska says that these public entities often feel obligated to pay the ransom because constituent or patient services are being disrupted.

While it is a good sign that ICMA’s 2017 survey reports 60 percent of municipalities increased cybersecurity technology spending since 2011, municipalities in general have difficulties hiring and retaining cybersecurity expertise. The same ICMA survey found that the inability to pay such experts competitively, a lack of funding and an insufficient number of properly trained in-house cybersecurity staff are barriers to achieving the highest possible level of cybersecurity.

Gaps in cybersecurity expertise within municipalities have consequences.

For example, 43 percent of local governments told the ICMA that they do not conduct forensic studies following attacks or breaches. These forensic studies are important as they are meant to identify causes and build solutions for preventing breaches in the future.

Likewise, 67 percent of these municipalities lack a written cybersecurity risk management plan that they can refer to should they be hit by a malware or ransomware attack. Without such a plan, a municipality has no clearly defined response or reporting mechanisms to at least mitigate and recover from a ransomware attack.

It’s certainly not easy to build up the capacity necessary to break every link in the chain that leads up to a cyberattack, but it’s vital all the same. As seen in Atlanta, recovering from a ransomware attack can amount to millions of dollars; prevention costs less.