In the past two weeks, two different cities in Florida have had much of their computer systems held hostage by ransomware attacks. In both instances, essential services were left inaccessible, forcing towns to dig into their coffers and pay off the attackers in order to make the issue go away. This has become a troubling trend across the United States as more and more cities have been targeted by attackers — and it seems as though the situation isn't going to get better any time soon.
Palm Beach suburb Riviera Beach forked over $600,000 after attackers disabled email and emergency service systems, forcing the local administration to operate on paper. This week, officials of Lake City, Florida paid $500,000 to regain access to computer systems after being locked out of them for two weeks.
Cybersecurity firm Recorded Future published a report earlier this year that found 22 known attacks on local governments in 2019. The report was published in May, so it didn't account for the two attacks in Florida that occurred this month. It also can't tally the number of attacks that have been carried out but have not yet been made public. Some officials attempt to downplay or hide attacks in order to save face publicly or resolve the issue in private before word can get out. Even without those incidents factored in, we are on pace to see more ransomware attacks targeted toward state and local governments this year than occurred in 2018.
Ransomware attacks are still a relatively new phenomenon for governments. The first known attack took place in 2013, hitting the tiny town of Greenland, New Hampshire. Attacks have spiked in recent years, and it seems as though the malicious actors behind the attacks have gotten smarter about picking and choosing their targets. For instance, a ransomware incident that hit Albany, New York earlier this year took place on a Saturday, which appeared to be planned by the attackers in order to hit the city when much of its staff wasn't working.
It's also likely that attacks have ramped up because targeting municipalities has proven to be considerably more profitable to attackers than trying their luck with individuals. When a person is hit by ransomware, it's certainly inconvenient but it's unlikely that their files are so essential that they will be willing to pay a steep price to regain access to them. A report from CyberEdge Group found that just 19 percent of ransomware victims actually pay to regain access to their files. Most cybersecurity experts recommend not paying the ransom, as there is no guarantee that you'll actually get your files back. It's possible to overcome a ransomware attack simply by keeping a regular backup file and simply reformatting their infected machine.
Things aren't so simple for governments, who have wide-reaching systems that can all be knocked offline if not properly secured. When the Fisher County, Texas law enforcement office was hit with ransomware earlier this year, it was unable to connect to the statewide police database. When the city of Baltimore got infected, its entire line of communications including phones and email were shut down, as were all non-essential servers. When these systems go offline for any extended period, the potential damage done to a municipality's operations can change the math. Suddenly, it may be worth paying the price to get back to business as usual. In some cases, including the recent incidents it Florida, insurance policies can cover much of the cost.
The problem that this presents, though, is that each time a city just opts to pay the fine, they encourage the attackers to continue. A malicious actor who can net a quick $500,000 because they know a small town would rather just have insurance pay to get operations back online rather than try to navigate through the attack will likely try to replicate their success with other cities. Seeing as many as one-third of local government IT systems are considered to be outdated, according to the Center for Digital Government, it seems likely that many are not equipped to handle an attack. Modernizing the systems would be the ideal solution, though that costs money that some counties and towns likely don't have. In the meantime, other solutions have bubbled up. Some have suggested passing a law to make it illegal for governments to pay ransoms. That may stomp out attacks if the people behind them know they won't be able to cash in, but it also may leave cities who are hit by attacks unable to operate for extended periods of time. There's nothing stopping an attacker from hitting a town just out of spite.