A Florida town pays $600,000 to hackers who seized control of the city’s computer systems, a breach that began in the police department.
Computer screens at a dispatch center go dark, jail cell doors can’t be opened remotely and sheriff’s deputies can’t look up license plates as a cyberattack hits Jackson County, Ga.
An airport in Albany County, NY, pays a “less than six-figure” ransom to restore data that was encrypted by a virus spread on the airport authority’s servers and backup servers.
These are just a few examples of the fast-growing threat of ransomware attacks on local governments and public safety agencies. The U.S. Conference of Mayors cites at least 22 major ransomware attacks against local governments in 2019, causing service disruptions and costing millions of dollars in ransoms and repairs. Experts say the actual number of attacks is probably much higher than reported, because many agencies that have paid ransoms do not want their names released for fear of becoming a repeat target.
While ransomware is a key concern for any business, such attacks on local government and public safety agencies threaten lives, not just the bottom line. Why are public safety agencies a target for ransomware attacks, and why are these attacks growing? Perhaps most important, how can local governments protect themselves?
Why Ransomware Targets Public Safety
Cyber criminals have forced U.S. hospitals, schools and cities to pay hundreds of millions in ransom to regain access to critical files. In the most widely reported case, two individuals from Iran were indicted after allegedly collecting over $6 million in ransom payments from municipalities and other victims. The ransomware they developed was known as “SamSam” and the attackers specifically targeted public entities, hospitals and municipalities.
But why? In the SamSam case, then-Deputy Attorney General Rod Rosenstein stated, “They knew that shutting down those computer systems could cause significant harm to innocent victims.”
So the first thing to consider is that public safety agencies and local governments make good targets for ransomware because hurting them has a multiplier effect, with potentially life-threatening consequences.
Media accounts of how ransomware has hurt public safety agencies can also lead to an increase in attacks. In many communities, negative publicity surrounding law enforcement has generated anger, which can in turn make agencies more vulnerable to ransomware attacks. Local governments are also an easy target because they often rely on aging computer systems that are easier to access and damage.
When ransomware attacks first started hitting public safety agencies, it was not common to pay ransoms. After all, law enforcement agencies aren’t typically inclined to allow criminals to dictate the terms of engagement. But when those payments were refused, files were never seen again. Now, the increasing number of attacks is, more often, forcing agencies to pay.
Anatomy of an Attack
Much of the ransomware affecting the United States originates in Russia and other parts of Eastern Europe. The FBI is investigating actively, but it has been difficult to find details on the members of the “ransom gangs.” Because all that’s needed is some computer equipment, technological expertise and access, hackers can live almost anywhere, connecting virtually across the world and evading detection for years.
A typical ransomware attack goes like this: An email is received with what appears to be an important link to click on or an attachment to open. When the recipient dutifully clicks or opens, their files become encrypted. This encryption can spread through the agency’s or municipality’s networks until everything gets locked.
The user will usually see a message indicating their files are being held hostage; they may see a clock ticking with a countdown to the deadline for paying the ransom. Payment is normally demanded in Bitcoin, an untraceable digital currency. The message will also often provide instructions on how to access Bitcoin. When the ransom is paid, the agency will get an emailed “decryption key” that unlocks the system. If the agency won’t pay, the hackers threaten to delete the files.
It can be tempting to quickly pay a ransom when the amount is just a few hundred dollars, but the examples cited at the beginning of this article show that is not normally the case. Hackers know who they’re targeting; they understand municipalities have access to funds an individual might not. Another factor to consider when deciding whether to pay a ransom is that some experts believe ransomware often funds terrorism and organized crime—clearly contradictory to the missions of public safety agencies.
Finally, consider the message you’re sending to the hackers when you pay a ransom. The FBI acknowledges most victims who pay ransom do get their files back. But they note every time a payout is made, it encourages hackers to attempt more attacks.
Criminal Justice Implications
In addition to the life-threatening consequences of ransomware attacks on 911 dispatch centers, public utilities and detention facilities, such attacks have specific implications for law enforcement.
Police department computer systems contain plenty of important and personal information, from sexual abuse and violent crime reports to 911 call records, case files of ongoing investigations and personnel records. When these records are compromised, potential consequences include:
- Altering of files. If your agency has been hacked, defense attorneys can raise questions about whether digital file evidence has been altered by the hackers. Experts note this could have a potentially devastating impact on a municipality’s criminal justice system.
- Accusations that agencies deliberately let the files be lost. If the agency won’t pay the ransom, hackers often delete the files. This can make the agency vulnerable to plaintiff attorneys who argue the agency deliberately didn’t pay the ransom in order to destroy records it didn’t want to share—files that contained potentially damaging or contradictory information.
- Lost evidence. If evidence from open cases is lost or altered, cases can fall apart, allowing criminals to go free.
What You Can Do
Ransomware is a perfect example of what risk management expert Gordon Graham calls “external intentional misconduct”—or put simply, bad behavior by bad people. He notes these are some of the most difficult risks to guard against. But that doesn’t mean we should just give up. There are several steps you can take to safeguard your agency or municipality against ransomware attacks.
First, seek good system experts to help you upgrade your file storage security and find stronger ways to back up your files. Secure backups with an easy recovery system can eliminate the need to pay ransom if you are attacked. Experts recommend daily backups to minimize the amount of data lost.
Second, train your staff—everyone!—on the importance of cybersecurity. Everyone with access to your email system should understand the consequences of falling prey to a phishing attack and should be able to identify suspicious emails. Many organizations routinely test employees by sending fake messages to see whether employees fall for them. Your IT department should also consider online courses, such as the course offered through Lexipol that meets the new Texas requirement for cybersecurity training. You can also obtain assistance from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, which offers cyber training to state and local governments and will conduct tests on municipal systems to determine how secure they are.
Third, think through situations now so you’re better prepared if one does occur. What amount of ransom would your agency or municipality be comfortable paying—if any? How would you message the payment to your community? Check out this free communications coordination and response checklist from Harvard’s Kennedy School of Government. It was developed to address attacks on elections, but many of the steps apply to public safety agencies.
And don’t expect the FBI to make recommendations on whether you should pay a ransom demand. They will tell you what your options are but will leave it up to you to make a decision to access your backup systems, contact a security expert or make the payment.
Fourth, make sure your organization’s policies on information security are up to date and personnel are trained on them. For law enforcement agencies, this includes your digital evidence policy.
A Final Word
With myriad risks facing public safety agencies and local governments, it can be tempting to take an “it can’t happen here” approach to ransomware attacks. The idea that a couple of rogue individuals thousands of miles away can bring a city to its knees is somewhat difficult to fathom when dealing with the day-to-day challenges of staffing, personnel issues, media scrutiny and budget pressure. But ransomware is a real threat, and we need to understand it, acknowledge it and prepare for it. Our mission compels us.