None

Managing Ransomware Risks

Wherever it occurs, the ransomware attack on a city or town government follows a familiar pattern.

An employee of the local government accidentally exposes the city's IT infrastructure to a hacker — maybe by clicking an email attachment that contains a virus or by providing authentication information like a password over email to someone posing as a coworker.

Once the hackers have broken in, they might encrypt the city's files or its entire computer system, and then demand a ransom through the untraceable Bitcoin cryptocurrency in exchange for reopening the city's badly needed computer access. In a worst-case scenario, this could leave the city without the ability to conduct its business by email and phone systems and access records and files.

Increasingly, city governments are considered prime targets for this type of attack. Once hackers have done their damage, the city is faced with difficult choices. Pay the ransom, which some cities do, or refuse the ransom and then rebuild from a backup if one is available, or for those without a backup, attempt to rebuild everything.

The cost of the choices cities make can be high. In June, Atlanta Mayor Keisha Lance Bottoms testified to Congress about an attack that struck the City of Atlanta in early 2018, in which the hackers demanded $51,000 in bitcoins, and the city refused. By the time of Bottoms' testimony, Atlanta had spent $7.2 million on recovery costs, and the attack had wiped out, among other things, vast amounts of camera footage from police patrol cars.

Municipalities have steps they can take to help reduce the threat of a ransomware attack, beginning with staff training. Krystal Dailey, information technology manager for the Municipal Association of SC, often shares with the Association's staff examples of phishing attempts sent to someone on staff to illustrate the warning signs email users can detect.

For example, hackers can pull organizational information from a website, Facebook or Linkedin account to create an email address and signature that makes the message appear as though it is coming from a high-ranking member of the organization. The hacker, posing as that person, might provide a virus disguised as an attachment or make a request for personal or authentication information while using high-pressure language.

"There's always an urgency in the email that there's some kind of action required, so that puts you in a panic state," Dailey said.

Some other "red flags" she described include a failure to address the reader by name, as well as a large number of writing errors or typos.

Dailey pointed to backups as another valuable precaution. Data backups can be handled through an IT contractor, but if handled by the city itself, she said, should at least be offsite or in a physically separate location from where the primary copies of the city's data are stored.

"A municipality that has been hit but that has appropriate backups could be able to go back and restore its data in order to continue conducting its business," she said. "The sad fact, though, is that it would still cost you time and resources to get back up and running. A municipality that does not perform nightly backups, though, would have nothing it could turn to."