Hackers attack every industry sector using multiple and evolving attack vectors. In recent years they have sharpened their focus on municipalities, which are often understaffed and underfunded from a cybersecurity perspective. Archaic IT infrastructure, slashed budgets, and difficulty in retaining experienced IT security talent have put municipalities at a distinct disadvantage.

Making matters worse, new and more potent variants of ransomware are making cybercriminals a greater threat than they were just a few years ago. So far in 2019, there have more than 40 ransomware attacks on city, county, and state government networks. In some cases, entire networks, including those serving critical functions, were shut down completely for several days.

Ransomware Defined

Ransomware is a form of malware that targets both human and technical weaknesses in an organization’s workforce and IT infrastructure. This type of cyberattack aims to deny the availability of critical data and systems.

Ransomware is frequently delivered through phishing emails to unsuspecting victims. When victims click on links or attachments containing this form of malware, the files in the network become encrypted. The intruder will seek out other devices it can access through the network, including backup data, and lock down those files. In many cases, the victim often receives a pop-up message demanding a ransom to be paid via Bitcoin or prepaid debit cards in exchange for the decryption key to access the hijacked data.

Sometimes cybercriminals place a time limit on the payment of network extortion monies. The hacker might threaten to permanently delete data if the ransom is not received in time.

Types of Ransomware and Costs

In a 2019 report from Coveware, ransomware costs fall into two main categories:

  1. Recovery of cost: this includes the ransom paid, forensic reviews, and help required to rebuild servers and work stations.
  2. Downtime losses: This amount is typically 5 to 10 times the cost of paying the ransom, and it includes lost productivity and lost revenue opportunities.

In 2019, average ransom payments rose from $12,762 in the first quarter of 2019 to $36,295 in the second quarter, an increase of 184%. However, when you look at public-sector victims, they paid on average more than $300,000. According to Markets Insider, the global costs of ransomware to business are predicted to exceed $11.5 billion annually by 2019.

Join our Cyber Risk Webinar Series as we discuss topics from regulatory risk to cyber attacks.
RSVP Now

Downtime: During the first quarter of 2019, downtime due to ransomware attacks average 7.3 days. By the second quarter, the average ticked up to 9.6 days, an alarming rate of increase.

Three of the Most Common Variants of Ransomware

  • Ryuk was developed from older versions of ransomware. It specifically targets enterprises. Since its launch in August 2018, its operator, the Grim Spider crime group, has collected more than $3.7 billion. Ryuk has recently become the most common type of ransomware targeting large enterprises that use distributed networks.
  • Sodinokibi was launched in the spring of 2019. Though not yet as prevalent as Ryuk, it has already infected thousands of businesses through managed security service providers (MSSP). Sodinokibi differs from Ryuk in that it typically hits midsize and smaller business targets— in most cases through a single MSSP. These attacks can cripple both the target company as well as the service provider. For ISPs, Sodinobiki is especially devastating because it puts their entire client base at risk, and therefore their business.
  • Dharma has been on the scene since 2016 and continues to wreak havoc with small and midsize organizations. Typically, Dharma used phishing emails to gain entry. Users are prompted to download a file, at which point the intruder gained entry. A new version of Dharma uses software installation to gains entry. The average ransom for Dharma attacks is nearly $14,000.

To Pay or Not To Pay

Four recent attacks made headlines. Three municipalities decided not to pay the ransom, and one did.

City of Atlanta – In 2018, the city refused to pay a $52,000 Bitcoin ransom demand, but in the end spent over $17 million to recover from the attack. This was one of the most expensive ransomware occurrences yet recorded by a U.S. municipality. According to a news report, “Before the attack, the city received years of warnings about security weaknesses.”

City of Baltimore – In 2019, the city government came under a ransomware attack that brought its computers to a complete stop for a month. On advice from the FBI, the city refused to pay the demand of more than $76,000 in Bitcoin. But, in the end, it cost Baltimore over $18 million to fully recover.

Lake City – In 2019, this Florida suburb of Palm Beach agreed to pay a $460,000 Bitcoin ransom after being attacked by Ryuk. Servers, email, and networks were all involved. After meeting with the FBI and security consultants, the city made the decision to pay rather than incur risks from the loss of emergency services. “City officials reluctantly determined that it would be cheaper and more effective to simply pay off the hackers.”

Colorado Department of Transportation – Colorado Department of Transportation employees spent days offline as security officials investigated the damage done by a ransomware virus that hijacked computer files and demanded payment in bitcoin for their safe return. Six weeks after, the agency is back to 80 percent functionality--at an estimated cost of up to $1.5 million.

City

Demand

Method

Paid

Estimated Costs
Atlanta, GA $51,000 Bitcoin No $12 - $17 million
Baltimore, MD $75,000 Bitcoin No $10 - $18 million
Lake City, FL $490,421 Bitcoin Yes $10,000
Denver, CO $51,000 Bitcoin No $1.5 million

On the question of “to pay or not to pay,” responses vary. Lake City opted to pay the ransom. In the case of Atlanta and Baltimore, the decision not to pay resulted in very heavy costs. But in the words of Baltimore mayor Jack Young, “That’s just like rewarding bank robbers for robbing banks.” Some of the best practices recommended to help cities prepare include:

  • Investing in cybersecurity and business interruption planning services — Have a an enterprisewide strategy that covers every user, device, and file.
  • Lock down administrative rights and allow data access to those that are required to have it.
  • Stay up to date — Be sure to make software updates to avoid intrusions due to outdated versions.
  • Back up data — Ensure that critical business data is backed up, stored, and recoverable.
  • Do not open questionable attachments — Train employees to avoid downloading attachments without authentication and built-in virus scanning.
  • Install preventative software programs This includes antivirus software, firewalls and email filters; and keeping them updated.

The FBI and the Council of Mayors

Law enforcement has consistently recommended against paying ransom. After all, paying an extortion demand will only validate the hacker’s business model and perpetuate future attacks. Moreover, there is no guarantee that criminals will live up to their promise to provide a working decryption key. In addition, it is difficult to determine who is getting paid—it could be a terrorist organization that’s being funded for more devastating types of attacks in the future. The Council of Mayors agreed with the position of law enforcement when 225 city mayors recently signed a pledge not to pay.

Transferring Ransomware Risk

Many cybersecurity experts will agree that there is no silver bullet that will prevent all cyberattacks. As a result, the commercial cyber insurance market has evolved along with cyber threats to facilitate options for cyber-risk transfer. These insurance policies can provide indemnification for both first-party direct costs and subsequent third-party liability costs in the aftermath of a cyberattack.

While policy wording can differ among insurance companies, there are common coverages that are found in many cyber insurance policies. These may be especially helpful in transferring financial losses specific to a ransomware attack, including:

  • Cyber Extortion – Cyber insurance policies often cover ransom payments to hackers, should the insured victim decide to pay. They often provide immediate access to cryptocurrency and experienced negotiators who are essential to mitigating the effects of the attack. These negotiators may be able to convince hackers to accept a lesser amount than originally demanded. They may also provide analysis of the hacker’s digital wallets to provide insight into a hacker’s history of providing decryption tools.
  • Business Interruption – The cumulative effect of the encryption of hundreds or thousands of computers, servers, email, and phone systems in one organization can lead to significant costs. The resulting downtime and restoration process may cause severe financial loss, which may be recovered under a cyber insurance policy.
  • Crisis Management – Hackers may change tactics after the initial ransomware attack. Once they have access to networks, they may move laterally and access sensitive information that they can monetize, such as Social Security numbers and financial records. Costs to retain external vendors to investigate and respond to the attack, including IT forensics firms, privacy attorneys, credit monitoring fees, notification, and call center costs may be covered.

In light of the emerging threats posed by sophisticated ransomware attacks, it is imperative that steps are taken to prevent, mitigate, and transfer the risk. Technology-based controls, employee training, and insurance risk transfer mechanisms should all be considered.