When Atlanta was hit by a devastating ransomware attack in March 2018, it knocked almost all of the city’s agencies offline, impacting everything from scheduling court cases to paying utility bills online and causing decades worth of official correspondence to disappear.
The incident was headline news, and the recovery cost to the city was estimated to be $17 million. (A Department of Justice probe into the cyberattack resulted in indictments of two Iranian hackers.) Security experts warned that Atlanta should be a wake-up call for how vulnerable local and state governments were to these types of attack — and how underprepared they are to combat them.
So far, it seems like no one has gotten the message.
Just over 12 months later, Baltimore is in the throes of its own costly ransomware attack. Now in its sixth week, the attack has left officials unable to process payments and even respond to emails. And Baltimore is hardly alone: In just the last two months, there have been ransomware attacks in Greenville, North Carolina; Imperial County, California; Stuart, Florida; Cleveland, Ohio; Augusta, Maine; Lynn, Massachusetts; and Cartersville, Georgia.
Reported attacks rose from 38 in 2017 to 53 in 2018, according to data collected by cybersecurity firm Recorded Future. Those numbers are only expected to rise in the coming years.
As corporations harden their defenses against ransomware attacks, hackers have found convenient targets in local municipalities whose defenses are much weaker. And as cities and towns race to digitize more and more of their infrastructure, the potential for larger, more devastating attacks becomes even greater.
“The government knows it needs to change, but they move slowly compared to how quickly private business can pivot to manage their exposure to a new threat,” Gary Hayslip, a cybersecurity expert who previously acted as chief information security officer for San Diego, told VICE News. “Until it is mandated that cities, counties, and states meet a specific level of security and have to periodically demonstrate it as is done in business for compliance, government entities will continue to be low-hanging fruit and cybercriminals don't mind eating them for lunch.”
Why is this happening now?
Ransomware isn’t a new phenomenon. The pernicious malware has been popular among hackers for years, giving them an easy way to extract millions of dollars — typically in bitcoin — from unsuspecting users around the world by infecting their computers and holding their data hostage until they pay up.
But it has recently spiked at the local level, for two main reasons.
1) It’s become increasingly easy to launch an attack
"On the dark web, there are lots of available tools for relative novices to craft together pretty effective pieces of ransomware technology,” according to Chris Kennedy, chief information security officers at cybersecurity company AttackIQ . “It's the ‘Idiots Guide to Hacking’.”
2) Local and state governments are easy and lucrative targets
Just like other criminal groups, cybercriminals tend to look for targets that require the least effort for the maximum profit. These locales fit that bill nicely, for multiple reasons. Agencies at the state and local level tend to “chug along on this old legacy infrastructure, and that old legacy infrastructure is the stuff that is often exploited,” Kennedy says.
In Atlanta, for example, an audit conducted months before the 2018 ransomware attack found its systems had up to 2,000 vulnerabilities. In the end, the hackers took advantage of a weak password to burrow their way into the system.
Those charged with protecting these essential services, meanwhile, are typically overstretched and underprepared.
“Cities are especially prone to ransomware because of, well, politics,” security expert Rob Graham told VICE News. “Public employees famously have extremely high job security, which means you can't fire bad IT workers or those without outdated skills.”
“I do think that we are seeing less than half of the actual cases, and it may be significantly less”
There is a global shortage of qualified cybersecurity talent at the moment, and public bodies simply cannot compete for the top people with private industry, given their very limited resources. In some cases, state and local government agencies may not have any dedicated cybersecurity staff.
“What we found is that they have IT people but not designated security people,” Supervisory Special Agent Joel DeCapua of the FBI’s Cyber Division told VICE News.
Finally, money is a problem. Even if there's sufficient money allocated to cybersecurity, it can often be spent in the wrong places.
“We still don't see town councils, city councils allocating the budget that is necessary to put the protections in place to prevent these kinds of attacks,” Allan Liska, author of the Recorded Future report, told VICE News.
Why it’s going to get worse
In order to adequately fight the growing threat of ransomware against local and state governments, experts say, there needs to be a clear sense of how big the problem is and how hackers are exploiting these systems.
But there’s currently no government agency doing that at the state or federal level, and that’s unlikely to change in the near future.
“I do think that we are seeing less than half of the actual cases, and it may be significantly less,” Liska said. He and other experts believe there needs to be one organization with a mandate to oversee the response to these attacks, and, crucially, to enforce guidelines and best practices.
“We are throwing spaghetti at the wall and hoping something sticks”
Today, the FBI is typically the first point of contact when these attacks happen, giving it the best insight into the scale of the problem. DeCapua says the FBI is currently extremely worried about BlueKeep, a new vulnerability in older versions of Windows that could allow ransomware to spread much faster from computer to computer without any need for human interaction — the same way WannaCry ransomware did in 2017 when it infected 200,000 computers across 150 countries in the space of a couple of days.
“The thing that is keeping us up at night right now is thinking about how a ransomware actor, or any type of hacker, could use this exploit once they are able to weaponize it and then spread like a worm,” DeCapua said.
While incidents like the attack on Atlanta or the spread of WannaCry were meant to be “wake-up” calls for the industry, the hackers are continuing to win, while cybersecurity experts are left mostly fumbling in the dark.
“Fundamentally we don't know what works and what doesn't work in cybersecurity,” Dave Aitel, CEO of cybersecurity firm Immunity and a former NSA hacker, told VICE News. “We are throwing spaghetti at the wall and hoping something sticks.”
Cover: A man behind a laptop. IT systems in several countries have undergone a global ransomware attack. Kirill Kallinikov/Sputnik via AP