Anyone hit with a ransomware attack must reckon with the dollars and cents: Will it cost more to pay up, or to try to eradicate the malware and restore the data without giving in? But government victims must also grapple with the dubious propriety — and dubious legality — of rewarding crime with taxpayers’ money.
The episodes are at once familiar and frightening. Hackers with no apparent motive other than curiosity and avarice indiscriminately scan the web for vulnerable servers and networks, and all too often find them.
Cybersecurity experts say local government agencies and universities tend to be at a particular disadvantage because they manage many public-facing web services and servers and employ many people who must have access.
Antivirus software tools can ward off some kinds of malicious attacks, but they often fail to stop ransomware because cybercriminals have found too many ways around them — whether by exploiting a security hole in a vulnerable server or tricking a naïve employee into opening a malicious email attachment.
“In cybersecurity, the more places you have where your door is sort of open — which it has to be in local government — the higher your risk is,” said Scott Smith, a former mayor of Mesa, Ariz.
In 2013, the year Mr. Smith became president of the United States Conference of Mayors, the group adopted a resolution identifying cybersecurity as “a critical public safety issue of concern to mayors and cities.”
But local governments are often working with antiquated systems, tight budgets and short-handed I.T. staffs. According to a 2016 survey of chief information officers for jurisdictions across the country, 38 percent of local governments were relying on technology that was at least one generation out of date, and fewer than half had bought cybersecurity insurance, which can help cover the costs of responding to a major attack.
The survey, by the International City/County Management Association and the University of Maryland, Baltimore County, found that extorting ransom was the most common purpose of cyberattacks on city or county governments, accounting for nearly one-third of all attacks. (Mischief and theft of private information were the next most common.)
Local governments were not always high on the ransom target list. In recent years, security experts say, criminal groups like SamSam, the shadowy hacking crew implicated in the Atlanta episode, had been zeroing in on health care providers, particularly hospitals, which they knew could ill afford to lose patient records or wait for weeks to restore normal operations. More than seven-eighths of all recorded ransomware attacks in the United States in 2016 were aimed at the health care industry, according to NTT Security.
That onslaught, experts say, prompted many in the industry to shore up their digital defenses — and the hackers to turn to new targets. “As health care has spent more on their security, we’ve seen attackers moving to local governments,” said Allan Liska, a senior intelligence analyst at Recorded Future, a security firm.
The past 16 months have seen high-profile ransomware attacks at public agencies ranging from a fire department in Ohio to the San Francisco Municipal Transportation Agency, which offered free rides after attackers took down its ticketing systems. Recently, Mr. Liska said, cybercriminals who call themselves “The Dark Overlord” have said in an underground web forum that they had begun to attack state and local governments because their security is so poor.
In Atlanta, the attack apparently mounted by the SamSam group brought down many (though not all) city systems on the morning of March 22. Among other effects, residents have not been able to pay water bills or traffic tickets online, the court schedule has been upended, and police officers have had to file reports on paper. For days, city workers were not allowed even to turn on their computers.
Through a spokeswoman, Mayor Keisha Lance Bottoms of Atlanta declined to be interviewed about the ransom demanded by SamSam to end the attack: the Bitcoin equivalent of about $51,000.
But Atlanta’s leaders are likely to have weighed a host of concerns, including whether the SamSam hackers would keep their end of the bargain. Security experts said the city also had to decide whether it was willing, in effect, to finance a criminal enterprise, and whether it could stomach a reputation as an easy mark.
“Local governments often don’t feel comfortable using taxpayer funds to pay a criminal, especially when they consider where those funds may be going,” said Jason Rebholz, a vice president at Icebrg, a security firm. “On the other hand, they have to weigh a $51,000 ransom demand with the fact that they are likely going to pay a lot more to resume operations.”
Ransomware attacks used to be low-odds propositions. In 2012, by one estimate, only 2.9 percent of victims paid. But these days, the rate is as high as 48 percent, according to the Ponemon Institute, a privacy research group.
Those who pay — from a Massachusetts town and police department to the Hancock Health hospital group — generally calculate that it is the cheapest way out. Mr. Rebholz estimated that the total cost for Atlanta to rebuild all its affected systems could run from “several hundred thousand dollars easily into millions of dollars.”
Though many of their concerns are the same, business leaders hit by cyberattacks are often able to respond more nimbly than politicians can.
Corporate executives “can compare and contrast different options in a much freer way,” said Mike Rawlings, the mayor of Dallas and a former president of Pizza Hut.
In the public sector, he said, “It’s not as simple as cost-benefit analysis — you are gambling the trust and the perception of what the city stands for at the same time.”
The Ponemon Institute found that the decision often turns on whether the victim has access to a full and accurate backup for the seized data. The hackers know it: Victims are finding that the first thing intruders like SamSam do is to search the compromised system for “back up” or the names of popular backup services, and delete those files.
“They now go out of their way to force you to pay,” Mr. Rebholz said. “It’s increasingly rare that victims can fully recover.”
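Both of those behaviors, intruders deleting anything named like a backup and then renaming files in bulk, leave traces in file-activity logs before any ransom note appears. The script below is an added example, not code from this article or from any of the agencies it describes: it runs simple detection logic over a constructed log (the log format, file names and the ".encrypted" suffix are assumptions made for the example) and flags deleted backup-named files, a burst of renames inside a short window, and the common suffix those renames append.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed file-activity log for this example (not from any real incident).
# Format, one event per line:  timestamp|operation|path[|new_path]
SAMPLE_LOG = "\n".join(
    [
        "2018-03-22 05:58:10|DELETE|/srv/backups/finance_backup_2018-03-21.zip",
        "2018-03-22 05:58:11|DELETE|/srv/backups/hr back up.bak",
        "2018-03-22 05:58:12|WRITE|/home/svc/Desktop/readme.txt",
        "2018-03-22 05:59:40|DELETE|/home/svc/Desktop/old_notes.txt",
    ]
    + [
        # 25 renames in 25 seconds: every file gets the same appended marker.
        # The ".encrypted" suffix is a placeholder, not a real SamSam indicator.
        f"2018-03-22 06:01:{i:02d}|RENAME|/srv/share/doc{i}.docx|/srv/share/doc{i}.docx.encrypted"
        for i in range(25)
    ]
)

# Names an intruder hunting for backups would look for: "backup", "back up",
# "back-up", "back_up", or a .bak extension. Extend with your own tool's names.
BACKUP_NAME = re.compile(r"back[\s_-]?up|\.bak$", re.IGNORECASE)


def parse_events(text):
    """Parse the pipe-delimited log into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"),
            "op": parts[1],
            "path": parts[2],
            "new_path": parts[3] if len(parts) > 3 else None,
        })
    return events


def backup_deletions(events):
    """Paths of deleted files whose names look like backups."""
    return [e["path"] for e in events
            if e["op"] == "DELETE" and BACKUP_NAME.search(e["path"])]


def rename_burst(events, window=timedelta(seconds=60), threshold=20):
    """First sliding window holding >= threshold renames.

    Returns (count, window_start_timestamp), or (0, None) if no burst occurred.
    """
    recent = deque()
    for e in events:
        if e["op"] != "RENAME":
            continue
        recent.append(e["ts"])
        while e["ts"] - recent[0] > window:   # drop renames older than the window
            recent.popleft()
        if len(recent) >= threshold:
            return len(recent), recent[0]
    return 0, None


def appended_suffix(events):
    """Most common string appended by renames, and how often it appeared.

    One suffix applied to many files in a row is the signature of bulk encryption.
    """
    counts = Counter()
    for e in events:
        if e["op"] == "RENAME" and e["new_path"] and e["new_path"].startswith(e["path"]):
            counts[e["new_path"][len(e["path"]):]] += 1
    return counts.most_common(1)[0] if counts else (None, 0)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("backup files deleted:", backup_deletions(evts))
    print("rename burst (count, start):", rename_burst(evts))
    print("suffix appended by renames:", appended_suffix(evts))
```

The thresholds (20 renames in 60 seconds) are deliberately loose starting points; tune them against a baseline of normal activity on the file server in question, and treat a backup deletion that precedes a rename burst as the higher-priority alert, since it is the step that removes the recovery option the article describes.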
The Colorado Department of Transportation awoke late last month to discover that SamSam had locked its employees out of their computers, email and timecard systems; encrypted the agency’s most important databases; and renamed files with the words “i’m sorry.”
Deborah Blyth, the state’s chief information security officer, said in an interview Wednesday that it was an easy decision not to pay. For one thing, the state has a policy forbidding ransom payments. For another, the data had been backed up offline, out of the attackers’ reach, making the department better prepared than most targets.
The department had everything back to normal in a little over a week — but the story was not over. SamSam’s attackers had planted some undetected digital footholds during the first attack that opened the door for a second attack with improved ransomware as soon as the systems came back online.
Three weeks later, Ms. Blyth said, the second restoration job is about 80 percent complete. She is scheduled to brief other state and local governments on Friday about the double whammy.
“I feel terrible for Atlanta,” she said. “I know exactly where they’re at. We need to give other local governments information on SamSam so it doesn’t happen to them. I’m really worried that other state agencies are at risk.”
Officials have been slow to awaken to that danger. After the mayors’ conference adopted its warning resolution in 2013, it tried to hold a cybersecurity forum in Washington for city officials. It was canceled for lack of interest.
“If you had a cybersecurity summit now,” Mr. Smith said this week, “it would be oversubscribed.”