“I had to do research on my own to see where everyone was coming from and what my options were,” she said. “Really, there were only two.”
The council could either agree to pay the $600,000 ransom or brace for the fallout — at any cost.
Suddenly, the seaside Florida city of 35,000 had become one of the more than 200 state and local governments broadsided by ransomware attacks in recent years. Over the weekend, officials in Texas found that 22 local entities had been targeted, extending a summer run in which hackers have swiped through a public school system in Oklahoma, a court database in Georgia, a fire department in Rhode Island, and locales in Tennessee, West Virginia, North Carolina and more.
The hacks have potentially deadly consequences, as many of the targeted cities have had to scramble to get police, 911 systems and fire departments back online.
These expensive, disruptive and increasingly frequent attacks have exposed the soft underside of the nation’s cybersecurity preparedness as criminal hackers snarl basic services for millions of Americans — attacking from anywhere in the world while operating with virtual impunity. Security experts say there’s no sign of a reprieve.
Resolving the problems quickly often means paying a hefty ransom. But analysts and law enforcement worry that approach will only galvanize hackers, worsening the problem in the long run and setting up the next slate of vulnerable cities.
“Every time this gets publicized, every time somebody pays hundreds of thousands in ransom, it emboldens [the hackers] to keep going,” said Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike. “That’s the reason they’re going after [governments], which need to have emergency services up and running. When the city has to say, ‘Don’t call 911, call this guy’s cellphone number,’ that’s when the citizenry starts saying, ‘Why?’”
To pay or not to pay?
Experts worry that many local governments are sitting ducks, as municipalities often lack the funding to keep their security systems up to date. Their lawmakers and employees are usually not experts in cybercrime. Plus, their information technology systems are often wired in ways that make it easy to spill from one department to the next. A hacker who happens to infiltrate the city’s accounting department, for example, can easily slip through to the water management unit, the court system and so on.
It’s a situation that catches all victims off guard, often without a clear road map for how to respond. The FBI can investigate ransomware attacks that are reported to it, but victims aren’t required to notify the agency. Investigators worry that too few victims come forward on their own.
All these forces coalesced for Miller-Anderson this summer. Back in February, Riviera Beach’s interim IT manager had warned that the security system for the city’s computers was dangerously out of date, making it “more susceptible to security concerns and ransomware viruses."
The city council approved the purchase of a new system for $798,419, but it was never installed, the Palm Beach Post reported. Then came the ransomware attack — and the decision for Miller-Anderson and her colleagues to pay or not.
For victims, deciding whether to pay the ransom is a Catch-22. Handing over the money is often viewed as the fastest way to regain control of a computer system, but there’s no guarantee that the hackers will follow through. (Some of the more “reputable” hackers have actually offered victims tips on how to avoid future attacks, experts say.) And the ransom is typically far cheaper than what it would cost a city to handle the repairs on its own — sometimes a few thousand dollars vs. millions.
But victims don’t want to be seen as negotiating with, let alone paying, extortionists. The FBI also discourages victims from paying.
“As important as it is to get services back online quickly, there’s a big incentive not to pay,” said Allan Liska, an intelligence analyst at the Internet security company Recorded Future. For cities, “unlike a bank or a hospital, it’s not your money. It’s the taxpayers’ money.”
Riviera Beach had a cyber-insurance policy that put officials in touch with cyberexperts who helped negotiate the ransom, Miller-Anderson said. The policy covered the $600,000 payment, and the city paid its $25,000 deductible.
Shortly afterward, the north Florida town of Lake City committed to paying hackers a $460,000 ransom, almost all of which was covered by insurance. Still, some of the most high-profile ransomware attacks have involved cities that refused to negotiate.
Last year, Atlanta declined a $51,000 demand from hackers. The mayor recently testified before Congress that the cleanup had cost the city $7.2 million. A May cyberattack in Baltimore has cost the city an estimated $18 million. The hackers initially asked for about $75,000, but officials worried that even if the city had paid, its systems would still have been vulnerable. Officials in Texas are not yet naming the municipalities that were recently hacked or releasing any information about ransom amounts.
Section Chief Herbert Stapleton of the FBI’s Cyber Division said that ransomware attacks are a “very high priority because of how widespread they are, and because of the damage and costs they cause for victims.” Once they’ve been hit, victims can contact a local FBI field office and file a complaint with the agency’s Internet Crime Complaint Center, called IC3. (The FBI encourages both.)
The IC3 portal received 1,493 ransomware reports in 2018, and that count does not necessarily include direct reports to FBI field offices. (The agency could not provide a breakdown of attacks on cities or states.) Victims — including individuals, cities and private entities — reported losses in excess of $3.6 million, which includes money paid to hackers. That figure doesn’t necessarily include estimates for lost business, time, wages or services from a third party.
Stapleton said he worries that victims shy away from reporting ransomware attacks on their own.
“The negative publicity, or even just a negative perception, that can be associated with being a victim of ransomware acts as a deterrent to reporting it to law enforcement,” Stapleton said. “That’s one of the major challenges we face.”
‘Why aren’t we cataloguing these somewhere?’
Analysts fear that because these attacks are probably underreported, law enforcement’s efforts may only go so far. That’s what drove Liska to mine media coverage for ransomware attacks on local and state governments. His report found 169 attacks from November 2013 to April 2019 — and he has since identified at least 30 more. By Liska’s count, the number of ransomware attacks in 2019 is on track to surpass that from last year.
Not all cyberattacks are on the scale of those in Atlanta, Baltimore or Riviera Beach — some have targeted smaller entities such as public school districts, library systems or housing authorities. Liska said he found one small area of Alaska where computers were down so long, employees had to pull typewriters from closets to do their work.
But Liska fears that even his tally is an undercount since local news can only surface so much.
“I don’t know if we have 50 percent or 10 percent of the total number of incidents,” Liska said. “Why aren’t we cataloguing these somewhere?”
Miller-Anderson said some of the delay in installing Riviera Beach’s security upgrades was caused by customized equipment that was slow to get to town. But even if the systems had been installed, she doubts that her government would have been bulletproof.
“The way things change so rapidly, I don’t know that it’s something we could have avoided,” she said.
Earlier this month, Riviera Beach’s city manager said the city had recovered 90 percent of its data. For weeks, dispatchers had to write down 911 call information using pen and paper.
“You want to be fiscally responsible, but at the same time you have a decision to make,” Miller-Anderson said. “Sometimes it’s not always well received, but [you do it] as long as it’s a decision you can live with and know you did it to the best of your ability.”