Ransomware attacks cost cities millions. Will Cleveland face the same fate?
Tuesday marked the second day City Hall is closed due to a cyber “threat.” In the first eight months of last year, ransomware attacks on local and state governments in the U.S. increased by 51% over the same period in 2022, according to the Center for Internet Security’s 2022 National Cybersecurity Review. Cleveland City Hall has been shuttered for a second day due to a cyber “threat” that could lead to a halt in services and cost taxpayers millions. If confirmed as a ransomware attack, Cleveland joins other cities and public institutions across the U.S., including Atlanta, Dallas, New Orleans, and scores of smaller cities and institutions that have been hit by such cyber threats. The FBI advises organizations against paying ransoms, though those who pay may be able to get their systems back online quicker than those who don't. Cleveland does not have a specific cyber attack insurance policy, according to a city spokeswoman.

Published: 10 months ago by Courtney Astolfi in Politics Tech
CLEVELAND, Ohio – With City Hall shuttered for a second day amid what Mayor Justin Bibb called a cyber “threat,” Cleveland could be finding itself on a growing list of cities that have fallen victim to ransomware attacks, which often grind services to a halt and cost taxpayers millions.
During the first eight months of last year alone, ransomware attacks on local and state governments in the U.S. grew by 51% over the same period in 2022, according to the Center for Internet Security’s 2022 National Cybersecurity Review, which surveyed more than 3,600 state, local, and other regional governments.
In Cleveland, city officials are still working with federal and state authorities to determine the type and scope of the threat to City Hall’s computer systems, which was first flagged on Saturday.
Bibb on Monday cited that ongoing investigation as the reason why officials aren’t saying much at all about the threat, including whether it’s a ransomware attack, and whether the city has its data sufficiently backed up, so it isn’t forced to pay a ransom to regain access to it.
If it is a ransomware attack, Cleveland would join Baltimore, Atlanta, Dallas, New Orleans and scores of smaller cities and public institutions across the U.S., and globally, that have been hit by ransomware gangs. While ransomware attacks happen to all types of organizations – and big businesses have often found themselves on the receiving end – local and state governments are particularly vulnerable, according to several studies and news reports.
Municipalities are known to be understaffed, underfunded, and not properly trained in cybersecurity, making them an ideal target, according to a December report from cybersecurity news website Dark Reading.
“When ransomware groups seek out their targets, they know that municipalities will be unprepared to handle their attacks, which will either lead to success and potential notoriety or, even better, an easy ransom payment,” the article stated.
Bibb wouldn’t say whether he would consider paying a ransom if one were demanded. But broadly, the FBI advises organizations against paying.
Those organizations that pay ransoms may be able to get their systems back online quicker than those who don’t, according to Lisa Plaggemier, executive director at the National Cybersecurity Alliance.
In cases where the ransom isn’t paid, organizations must rely on their own clean back-ups to restore each system one-by-one. That can take time. Meanwhile, some city workers are left to complete their jobs without access to the computer systems they normally rely on. And if the backed-up data isn’t sufficient or is poorly maintained, organizations can suffer even more consequences.
Take Baltimore’s run-in with ransomware in May 2019, when hackers demanded about $76,000 to unlock the city systems they’d encrypted. The hackers warned that if the city didn’t pay within a few days, the price tag would increase. After 10 days, they said they’d wipe the city’s files completely.
Similar to what Cleveland did on Sunday, Baltimore responded by shutting down all servers, save those needed for essential services. Baltimore officials ultimately refused to pay up. They initially estimated it would take them weeks to recover, but the restoration process ended up taking five months. For weeks, the city’s online payment systems were offline, city bills weren’t getting paid, and email and phone systems were down, according to news reports. Some databases and applications were offline for months.
Even without paying the ransom, Baltimore faced a tab of over $18 million in recovery expenses, the Baltimore Sun reported. The city did not have insurance that covered cyber attacks, so taxpayers were completely on the hook.
Cleveland does not have a specific cyber attack insurance policy either, according to a city spokeswoman. The city is largely self-insured, meaning it usually pays for insurance costs directly out of its bank account.
Another big municipal attack occurred in Dallas in May 2023, when police, utility and court systems, among others, were affected. The city similarly shut down its servers to prevent the ransomware from spreading further. About three weeks after problems were detected, a ransomware group threatened to release sensitive information it had accessed, including employee information, medical information, and detailed court records.
It wasn’t until August that Texas authorities disclosed that more than 30,000 people’s personal information had been compromised, including Social Security numbers.
It’s unclear whether Dallas agreed to pay a ransom. But the Dallas City Council later signed off on an $8.5 million bill, including money for vendors who helped in the recovery process. A local news report from August said Dallas officials declined to say whether a ransom payment was included in that bill.
New Orleans, too, refused to pay a ransom after an attack in late 2019. It took the city one year, and more than $5 million, to recover, though it did have a $3 million ransomware insurance policy, the Washington Post reported.
Ransom demands have increased massively over the past few years, because hackers have found ransomware to be lucrative, said Alex Hamerstone, director of advisory solutions for Fairlawn-based TrustedSec.
While some refuse to pay ransoms, other public entities have chosen to pay them, likely because they determine it would be quicker and cost less than recovering data from back-ups or rebuilding the entire system.
In 2020, for example, the University of California at San Francisco shelled out $1.14 million to ransomers, and Delaware County, Pennsylvania agreed to pay $500,000.
In fact, a recent report from cybersecurity company Sophos – reflecting ransomware attacks in a variety of private and public organizations, across 14 different countries – found that just 4% of ransom demands in 2022 exceeded $5 million. By 2024, that figure had grown by nearly eight times, with 31% of ransom demands now exceeding $5 million.
More organizations are paying ransoms, or taking a combined approach that relies on both back-ups and paying a ransom.
According to Sophos’ 2024 report, 65% of organizations that are roughly Cleveland’s size used back-ups to recover from a ransomware attack, and 56% paid all or part of the ransom demanded.
Topics: Security, Security Breach, Ransomware, Cyber Crime