The Cybersecurity 202: Ransomware is wreaking havoc on U.S. cities
When hackers struck Collierville, Tenn., with a ransomware attack in 2019, the city’s IT staff worked around the clock to recover.
Vital services for the small city of 50,000 were back online within a few days. But, behind the scenes, the full recovery was far more complicated. It included rebuilding some digital systems from scratch and rigorously restoring others from backups. It took the city roughly a year and more than $100,000 to get all of its technology back where it was before the attack, the city’s IT project manager Don Petrowski told me.
“People were very patient, but it was an all-hands-on-deck situation,” Petrowski said. “We worked until we got it done.”
Stories similar to Collierville’s have played out in more than 400 cities and counties across the United States in recent years.
As I reported this weekend, the scourge of ransomware attacks – in which hackers lock up computer systems and demand a payment to unlock them – has impeded emergency responders, stalled tax payments and forced government offices back to pen-and-paper operations for weeks on end.
There are plenty of local examples, as our colleague Karina Elwood recently reported.
“In April, D.C.’s police suffered an attack, with a group posting purported department data after making demands for money,” she wrote. “In the fall, Baltimore County Public Schools and Fairfax County Public Schools faced similar attacks, causing online classes in Baltimore County to stop for a brief time. And the Hampton Roads Sanitation District and Bristol Police Department in Virginia became victims last fall and winter.”
The recovery costs have run to millions of dollars for many cities.
Cities that are unable to recover on their own have been forced to pay hundreds of thousands of dollars to cybercriminals to unlock their computers. The FBI discourages such payments, but officials acknowledge they may be necessary in some cases.
Public attention has focused mostly on ransomware attacks against critical infrastructure, such as an attack that hit Colonial Pipeline in May and hampered gas supplies to the southeastern United States. But attacks on cities have been among the most damaging and difficult to recover from.
That’s partly because cities’ information technology has often been underfunded for years or decades, constantly losing out to seemingly more immediate priorities such as policing and social services. Cities also struggle to retain top-shelf IT staff who can attract far higher salaries in the private sector.
“The money just isn’t there and even if the money is there, the people aren’t,” Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, told me.
The increase in ransomware attacks is driven by the rise of cryptocurrency.
That has made ransoms far easier to pay and tougher to track.
The past few years have also seen a rise in ransomware-for-hire gangs based mostly in Russia that have made it far easier for other cybercriminals to conduct ransomware attacks with only minimal skills.
“That’s attracted a lot of cybercriminals that want to make money. Ransomware-as-a-service has been a force multiplier,” Liska said.
The coronavirus pandemic has also supersized the problem.
The reliance on remote working has made it tougher for cities to protect against ransomware attacks. When attacks do hit, city IT staff are faced with the double problem of getting city services functioning again while also dealing with a workforce that’s often still mostly working remotely.
When New Orleans was hit with a ransomware attack in December 2019, the IT staff worked seven days a week through February 2020 to ensure police communications and other city services were sufficiently restored to maintain public safety during Mardi Gras, Chief Information Officer Kim LaGrue told me.
They had planned to slow the pace after that. But when the coronavirus struck in force days later, the seven-day weeks returned as IT staff struggled to manage a string of covid-related crises using technology that was still hobbled.
“We’d established a cadence with the cyberattack that allowed us to roll into the pandemic cadence so we could deliver what the city needed at the time,” LaGrue said.
It would take roughly one year and more than $5 million before New Orleans was fully recovered from the attack and confident the city wasn’t vulnerable to reinfection.
In other cases, IT staff must return to city buildings to manage the recovery from a ransomware attack, despite the pandemic.
That happened when a ransomware attack hit Tulsa in June.
One piece of luck is that the attack struck in a narrow window when many city staff had already received coronavirus vaccines but the more-contagious delta variant hadn’t yet spread widely in the United States.
“Everyone came from basically working from home and being isolated to all of a sudden being in a building and working together,” Chief Information Officer Michael Dellinger told me. “We tried to rotate people, make sure they weren’t working too many hours so they didn’t burn themselves out. You can push yourself too hard, mentally and physically, in an emergency like this.”