The recovery process can drag on for months or more than a year, diverting time and resources from other city and county priorities.
The coronavirus pandemic has also supersized the problem, forcing employees to return to potentially unsafe working conditions when they can no longer work remotely.
The Colonial Pipeline attack in May and other infrastructure attacks threatening national security have sucked up much of Washington’s attention. But private companies like Colonial Pipeline can typically recover in days or weeks from such attacks with little damage to their bottom lines. For under-resourced cities and counties, however, the recovery is far more grueling.
“Cities are vulnerable to attacks because we don’t have resources in the same way that the private sector does. That makes us more attractive targets,” Kim LaGrue, chief information officer for the city of New Orleans, said.
When New Orleans was hit with a ransomware attack in December 2019, LaGrue said her staff worked seven days a week through February to ensure police communications and other city services were sufficiently restored to maintain public safety during Mardi Gras. They’d planned to slow the pace after that. But when the coronavirus struck in force days later, the seven-day weeks returned as IT staff struggled to manage a string of covid-related crises using technology that was still hobbled.
“We’d established a cadence with the cyberattack that allowed us to roll into the pandemic cadence so we could deliver what the city needed at the time,” LaGrue said.
It would take roughly one year and more than $5 million before New Orleans was fully recovered from the attack and confident the city wasn’t vulnerable to reinfection. The city is still waiting to see how much money it can recoup from a $3 million ransomware insurance policy.
The pace of ransomware attacks has surged in recent years, hitting cities and other targets. The increase is driven by the rise of cryptocurrency, which makes ransoms far easier to pay and tougher to track, and by an explosion in the value of ransoms that some organizations are willing to pay to get back online.
When ransomware hackers hit Atlanta in 2018, they demanded the bitcoin equivalent of about $51,000 to unlock the city’s computer systems. The ransom demand for Baltimore in 2019 was about $76,000. Neither city paid. It cost Atlanta about $17 million to recover from the attack and it cost Baltimore about $18 million.
Such ransom demands are almost quaint these days.
Hackers that hit Pensacola, Fla., in late 2019 demanded a $1 million ransom to unlock those systems. Hackers that compromised Delaware County, Pa., in November 2020 demanded $500,000. Pensacola didn’t pay up, but Delaware County did. In the private sector, ransom demands have soared even higher. Colonial Pipeline paid $4.4 million to unlock its computers in May. The meat processor JBS paid an $11 million ransom in June.
The FBI urges victims not to pay ransoms because those payments can be used to launch additional ransomware attacks or to fund other international crimes. It acknowledges, however, that some victims without good digital backups of their systems and data may have little choice but to pay.
The past few years have also seen a rise in ransomware-for-hire gangs based mostly in Russia that have made it far easier for other cybercriminals to conduct ransomware attacks with only minimal skills.
“Right now, ransomware is by far the most profitable cybercriminal activity and that’s attracted a lot of cybercriminals that want to make money. Ransomware-as-a-service has been a force multiplier,” said Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, who tracks ransomware trends.
Cities are particularly easy targets for ransomware attackers because their information technology has often been underfunded for years or decades, constantly losing out to seemingly more immediate priorities such as policing, social services and road repairs. Cities also struggle to retain people with top-shelf IT talent who can attract far higher salaries in the private sector.
“The money just isn’t there and even if the money is there, the people aren’t,” Liska said.
Cities also tend to be more interconnected than other organizations. Hackers who worm their way into computers for the tax office, for example, can hop from there to computers in the police and fire departments or the courts and marriage bureaus until the entire city is locked down.
In some cases, the damage goes beyond lost money and city services.
A ransomware gang called Babuk released troves of information from the D.C. police into the dark regions of the Internet in May after negotiations about paying a ransom broke down. The information included raw intelligence about threats following the Jan. 6 attack on the U.S. Capitol.
In other cases, cities that paid ransoms were still unable to recover some large digital files, such as footage from police body and dashboard cameras. Cities have also had to drop prosecutions because digital evidence was corrupted by ransomware attacks or because they couldn’t prove the hackers didn’t tamper with the data.
Tulsa was hit with a ransomware attack in June and has mostly recovered. But when it refused to pay the ransom, hackers released about 18,000 city files onto the portion of the Internet known as the “dark web.” The information included personal information such as the names, birth dates and driver’s license numbers of residents, which could make them more vulnerable to identity theft.
The city is still tallying the cost of recovery from that attack, Tulsa Chief Information Officer Michael Dellinger said.
One piece of luck is that the attack struck in a narrow window when many city staff had already received coronavirus vaccines but the more-contagious delta variant hadn’t yet spread widely in the United States. That made it far easier for remote-working IT staff and contractors to return to city buildings to respond to the attack.
“Everyone came from basically working from home and being isolated to all of a sudden being in a building and working together,” Dellinger said. “We tried to rotate people, make sure they weren’t working too many hours so they didn’t burn themselves out. You can push yourself too hard, mentally and physically in an emergency like this.”
There’s some reason for hope.
The $1 trillion bipartisan infrastructure bill that passed the Senate in August included $1 billion to help states and cities upgrade cybersecurity. That would be by far the biggest cash infusion for municipal cybersecurity in history. It could go a long way toward making cities more resilient against ransomware. The House is scheduled to consider the bill in September.
The federal government has also surged the resources it provides to cities. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency conducts free cybersecurity assessments for city governments. The Center for Internet Security also provides a suite of free cybersecurity tools for cities under a grant with DHS.
But with millions of dollars at stake, ransomware attackers are likely to find ways to hack into cities even as those cities improve their protections.
“Groups like this, they’re doing it for profit and you can never be 100 percent protected,” Dellinger said. “We always have to be on alert. It’s always possible you could get hit again.”
Part of Tulsa’s focus during its recovery has been on ensuring that if it is compromised by ransomware again, the city can recover faster.
“We want to shorten that recovery time,” Dellinger said. “We want to get operations and people back faster so we can minimize the damage.”