BALTIMORE—Local governments across the country are facing a growing threat of cyberattacks and escalating ransom demands, as an attack in this city has crippled thousands of computers for a month.
“Ransomware is a pandemic in the United States,” said Joel DeCapua, supervisory special agent in the Federal Bureau of Investigation’s cyber division, referring to a particularly devastating form of malicious software. Hackers are increasingly going after larger targets, compared with five years ago, when most ransomware attacks hit home computers, he said.
Municipalities in general are less prepared than companies due to limited resources and difficulty competing for cybersecurity talent, security professionals say. They are also increasingly reliant on technology to deliver city services and some have aging computer systems, according to Standard & Poor’s.
Ransomware attacks often start when an employee opens a link or an attachment in a phishing email. Hackers can also exploit vulnerabilities in a security system. The ransomware then blocks files the cyberattackers say they will unlock in return for a payment, typically in bitcoin.
Local governments must decide whether to pay off the hackers to try to limit damage. Baltimore, which was hit by hackers on May 7, says it won’t pay a $76,000 ransom. Others have paid, including a Georgia county that said it complied with a $400,000 demand in March.
Governments are less likely than private firms to pay, as officials want the public to see them heeding the FBI’s advice, which is to not pay criminals, Mr. DeCapua said.
Even if Baltimore had paid the ransom, it still would have incurred major costs to restore systems, ensure they are virus-free and boost cyber defenses, said Sheryl Goldstein, Baltimore’s deputy chief of staff for operations.
“There is no guarantee they don’t hack you again and ask for more money,” she said.
After Baltimore’s attack, investigators found more than one group had breached its computer network, people familiar with the investigation said. One group installed ransomware, known as RobbinHood, apparently as part of a long-running operation, they said.
Separately, there were signs that one hacking group inside the network had used an attack tool called EternalBlue to move from computer to computer, they said. EternalBlue was released in 2017 by a shadowy hacking group that said it stole the code from the National Security Agency, and a month later it was used in the world-wide WannaCry worm attack.
There is no evidence, however, that EternalBlue code played a role in the ransomware attack, according to Rep. Dutch Ruppersberger (D., Md.), who was briefed on the situation by the NSA.
Ms. Goldstein declined to comment on whether city computers had been patched to address known vulnerabilities.
The Baltimore hack delayed home sales and has prevented the city from issuing water bills. Officials managed to restore computer and email access for some employees late last month.
Hackers often operate overseas, stymieing U.S. law-enforcement authorities. A federal grand jury in Atlanta indicted two Iranian nationals in December for allegedly hacking into the city of Atlanta’s network in March 2018, and both men remain wanted by the FBI.
Atlanta, which refused to pay a ransom of $51,000 in bitcoin, has endured millions of dollars in losses from the attack, according to the local U.S. attorney’s office.
Coveware, a firm that helps hacking victims, found through a survey of its clients that average ransoms grew by 89% to $12,762 in the first quarter of this year, compared with the fourth quarter, propelled in part by a rising ransomware variant called Ryuk. It remains hard to quantify the total impact because most ransomware attacks aren’t publicly reported.
Jackson County, Ga., hit with Ryuk in March, was hamstrung because hackers also compromised its backup data. It decided to pay the hackers bitcoin equal to $400,000 from its $10.5 million rainy-day fund.
The county of about 70,000 people regained its data and largely returned to normal operations within five weeks, said Kevin Poe, the county manager.
“If we didn’t pay the ransom, we could have been down for months,” he said. “In a perfect world, everybody would say we’re not going to pay and you kind of put them out of business.”
Whether to pay “is a risk calculation that has to be done in real time,” said Christopher Scott, who leads global response teams for IBM Security’s incident-response business. “In some cases, that choice might be ‘I have to pay.’”
A 2018 global survey by CyberEdge, a Maryland-based IT research and marketing firm, found that 40% of victims that paid a ransom didn’t get their data back. But cybersecurity professionals say hackers often operate with a warped sense of business scruples to exact payoffs, even offering to provide references from entities that recovered files after paying.
A Ryuk attack carried a steep demand of $1.2 million for Imperial County, Calif., in April. But secure backup data helped the county avoid paying the bounty. Instead, the county has spent more than $1.6 million to beef up equipment and security, costs largely covered by a cyber-insurance policy.
Ryan Kelley, chairman of the county board of supervisors, said he would have objected to paying any amount. “It’s like somebody gets into your garage and they steal your air compressor,” he said. “You feel violated.”
Sammamish, Wash., officials also refused to pay a ransom, roughly $42,600, after a January attack. The city was helped by secure backup data, as was Augusta, Maine, which declined to entertain an unknown ransom in April.
“I don’t like talking to criminals,” said Fred Kahl, Augusta’s IT director.
—Robert McMillan contributed to this article.