Ransomware Attacks Prompt Tough Question for Local Officials: To Pay or Not to Pay?

This article originally appeared on Stateline.

When cybercriminals struck Lake City, Florida, last June, city officials had to make a tough choice: Pay the hackers or restore systems on their own.

A ransomware attack had hijacked the government’s computer network and held it hostage for several weeks. While the attack didn’t affect the police, fire or financial departments, it wreaked havoc on phone lines, email, utility records and many other services.

The hackers first demanded about $750,000 in bitcoin, a cryptocurrency, from the small, rural city to give it back control of its network.

The city tried to recover the data on its own, City Manager Joseph Helfenberger recalled, but that failed. Its insurance company negotiated with the hackers and got the ransom down to about $470,000. It recommended paying, and officials figured that was the best option because the city would have to cover only the $10,000 deductible.

“This is not a rich community. They can’t afford to spend money they don’t have,” Helfenberger said. “You have to look at what is going to serve the community the best.”

There were at least 113 successful ransomware attacks on state and local governments last year, according to global cybersecurity company Emsisoft, and in each case, officials had to figure out how to respond.

Some states have passed laws to target cybercriminals who deploy ransomware, but prosecutors have rarely used them. And local officials often are left vulnerable.

In Baltimore last May, hackers crippled thousands of computers, then demanded a ransom of about $76,000 in bitcoin. Democratic Mayor Bernard C. “Jack” Young refused to pay. Workers were unable to access online accounts and payment systems for weeks.

The attack ended up costing the city at least $18 million — a combination of lost or delayed revenue and the expense of restoring systems. Young said in a statement last June that the FBI advised the city not to pay, and that it was “just not the way we operate,” adding, “We won’t reward criminal behavior.” The mayor’s office did not respond to Stateline requests for comment.

Baltimore and Lake City aren’t alone. The majority of publicized ransomware attacks in the United States last year targeted local governments, according to a recent report by the National Governors Association and the National Association of State Chief Information Officers.

Yet no one knows how many local and state governments have been hit by a ransomware attack. There is no national clearinghouse that collects all that information. Nor is every attack publicly reported. The FBI, which tracks national crime data, couldn’t be reached for comment before publication. 

Sophisticated hackers and cybercriminals zero in on local and state governments because their networks contain lots of valuable information, such as Social Security numbers, birth certificates, bank account details and credit card numbers.

For cybercriminals, local governments can be easy prey, with fewer resources to protect themselves than state governments. They also provide essential services to residents, which means they must have access to their data to function effectively day-to-day.

“Ransomware attacks against state and local governments were the top cybersecurity industry story in 2019, and it will continue to get worse in 2020, with new forms of ransomware,” said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states.

Threats also are evolving. Rather than just encrypting data and demanding ransom in exchange for providing a decryption key, experts say some cybercriminals will threaten to make public sensitive information if they don’t get their money.

That’s already happened in Pensacola, Florida. Hackers in December threatened to release files if the city didn’t pay a $1 million ransom. When it didn’t, they posted what they claimed was a 2 gigabyte archive of city files on a public website.

City spokeswoman Kaycee Lagarde said there is still an active FBI investigation, but city officials don’t think the hackers accessed any personal data, such as Social Security and driver’s license numbers, from employees or residents.

The city had backup for its major systems and was able to recover totally within two weeks without needing outside help, she said. But it ended up spending a total of about $372,000 to hire a company to do a cyber assessment and for another company to provide identity protection for 57,000 employees and residents, out of an “an abundance of caution.”

“In the past, ransomware incidents were simply a very expensive inconvenience. Now they are becoming data breaches that can result in a lot of very sensitive information being posted online,” said Brett Callow, a threat analyst for cybersecurity company Emsisoft. “A government can find itself in a situation in which data has been stolen and it has no good options.”

Costly Attacks

It’s hard to know how much state and local governments have spent dealing with ransomware attacks.

“It’s embarrassing for them to have to admit that,” said Tom Holt, a criminal justice professor at Michigan State University who specializes in cybersecurity. “They don’t want to announce the breadth of cyber insurance coverage and what they’ve had to pay.”

While state governments apparently haven’t paid ransom, a review of media reports shows that local governments shelled out at least $1.9 million in 2019, from the city of Washington, Pennsylvania, which paid $21,250 to hackers, to Riviera Beach, Florida, which authorized its insurer to pay $600,000.

Washington’s mayor did not respond to calls requesting comment. Riviera Beach City Manager Jonathan Evans wrote in an email that the FBI had advised officials there not to comment because it is still an active investigation.

And it cost local and state governments that refused to pay ransom at least $27.1 million to restore their systems and upgrade cybersecurity protection, media reports show. That includes lost revenue while services were put on hold.

To Pay or Not to Pay

Some local governments pay ransom because they feel it’s the best option. They need their data back quickly and might not have the expertise or resources to do it themselves, or the money it would take to restore the system.

Other local governments say “No way” to ransom demands, declaring that they refuse to be extorted.

And some governments wind up in the middle.

In New Bedford, Massachusetts, which was attacked in July, cybercriminals demanded more than $5 million in ransom. Mayor Jon Mitchell made a counteroffer of $400,000, using insurance proceeds. The hackers didn’t agree, so the city opted to restore its system from backups. 

New Bedford spokesman Jonathan Carvalho said in an email that the city doesn’t have an estimate of the cost because much of the restoration was done in-house and consultants were paid through an insurance policy.

“The reality is that municipalities, corporations, and even private individuals are in an arms race with cybercriminals who operate in far flung places across the globe,” Mitchell said in a statement in September. “Every advance in anti-viral technology is effective until the criminals figure out how to get around it.”

Lohrmann, of Security Mentor, said there isn’t an easy answer for local governments to the question of whether to pay ransom.

“This is the $6 million question. It’s nuanced. It depends on the circumstances,” he said. “If it’s ‘pay $30,000 or it’s going to cost me $5 million to restore all my systems,’ I can see why they want to pay.”

The FBI cautioned in an October online alert that paying ransom only encourages more criminal behavior and emboldens cybercriminals, and it doesn’t guarantee the victim will regain access to the data.

But the agency noted that it “understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

CyberEdge, a cybersecurity research and consulting firm, found in 2019 that about 39% of public and private entities around the world that were hit with ransomware attacks over a 12-month period paid ransoms and lost their data anyway.

In July, the U.S. Conference of Mayors adopted a resolution urging local governments not to pay ransom to hackers.

That’s the right position, said Alan Shark, executive director of the Public Technology Institute, a Washington, D.C.-based nonprofit that provides training and other support to local government information technology executives.

“The danger is you pay, and they decide to walk away and still don’t unlock the files,” Shark said. “And your system may be so infected that if you pay, maybe they’ll come back again.”

But for Lake City official Helfenberger, that was a risk that officials had to take.

“It’s easier for more affluent communities to not pay ransom,” he said. “For communities that are poor like us and don’t have resources it’s much more of a struggle.”

And it would have cost “a whole lot more” than what the insurance company paid the hackers to try to restore everything, the city manager added. “There is no way we would have been able to recreate all the utility maps, the [meeting] minutes from the beginning of creation and all the other records. It’s just not possible.”

Legislative Action

All 50 states have computer crime laws, and most address unauthorized access or computer trespass, according to Pam Greenberg, a senior fellow at the National Conference of State Legislatures. Ransomware potentially could be prosecuted under those statutes or extortion laws, she said.

But at least five states — California, Connecticut, Michigan, Texas and Wyoming — have made the use of ransomware or other forms of computer extortion a crime.

This year, Greenberg said, at least seven states are considering measures related specifically to ransomware.

Legislation proposed in Maryland, for example, would create criminal penalties for possessing ransomware with the intent to use it without authorization. Violators could face up to 10 years in prison and a $10,000 fine.

“The state attorneys want it. They want to be able to charge people if they can find them,” said Maryland Democratic state Sen. Susan Lee, who sponsored the measure. “At least there would be a law on the books. If it’s not there as a criminal offense, it’s not a deterrent.”

But some technology experts say ransomware could be covered under existing computer crime laws. And most ransomware attacks come from overseas countries such as Russia, Iran and China. That means finding and prosecuting perpetrators on the state level would be difficult, if not impossible, they say.

“I think it is a waste of time,” said Shark of the Public Technology Institute. “It sounds terrific, but most of these actors are in other countries. The money is going to bitcoin, and it’s untraceable.”

Legislators in Iowa and New York are considering another way to deal with ransomware: They’ve introduced bills that would prohibit local and state governments from paying ransom.

“We will only continue to see these attacks increase if we don’t put this policy in place. We have to cut off the money supply,” said New York Democratic state Sen. David Carlucci, the bill’s sponsor. “ For years, the U.S. has had policies of not negotiating with terrorists or kidnappers. A similar idea should prevail about paying ransom for cyberattacks.”

Daniel Castro, vice president of the Information Technology and Innovation Foundation, a nonprofit think tank in Washington, D.C., agrees.

“I think it’s the right kind of strategy,” he said. “If you take away the option of them paying, the attackers are going to look for someone who can pay. They’re a for-profit enterprise.”

But others argue that barring government officials from paying ransom won’t eliminate the problem.

“I think it’s not going to work,” said Security Mentor’s Lohrmann, “although the intentions are good.”

There’s no way right now to stop cybercriminals from launching ransomware attacks on local and state government, he said, so the best approach is to be prepared.

“Is there a perfect solution, a silver bullet? No,” Lohrmann said. “But if you’ve got great backups and a really good restore system and staff training and other protections in place, you can dramatically reduce the likelihood that ransomware is going to have a major impact on you.”

That’s what Lake City ended up doing.

After the attack, Helfenberger said, the city immediately started staff cybersecurity training, and it has spent about $300,000 doing multiple system upgrades and continues to do more.

“You’ve got to consider that cybercriminals are gaining knowledge constantly,” he said. “If you stay the same, you’re going to get behind and it’s not going to work.”