In March 2018, a SamSam virus attack crippled the city of Atlanta, and the perpetrators demanded a $51,000 ransom.
This high-profile attack caused the closure of the Hartsfield-Jackson Atlanta International Airport, and took down at least one-third of the 424 software programs used by the City of Atlanta. The city refused to pay the ransom, and the recovery price tag is now “somewhere in the range of $21 million” according to Taylor Amerding of Forbes.
A ransomware attack of this magnitude should serve as a wake-up call for every government organization – state, federal or municipal. However, the attacks keep coming.
Cyber Attacks on Government Organizations on the Rise
Allan Liska of Recorded Future issued a report based on data through the end of April 2019 showing a rise in publicly acknowledged attacks.
Ransomware attacks on state and local governments increased from 46 attacks publicized in 2016 to 53 in 2018.
This includes Atlanta, so perhaps there is a downward trend for 2019… not so. In the first four months of 2019, 21 attacks already occurred, as noted in Liska’s report.
In August 2019, NPR’s Bobby Allyn covered a ransomware attack in which computer systems for 22 cities in Texas were simultaneously hit by hackers who demanded a collective ransom of $2.5 million. One of the victims, Keene, TX, only has a population of 6,100 and seems too small to hit.
However, as Ideal Integrations covered in August 2019, the vulnerability is the target and the ransom is just the opportunistic exploitation of the vulnerability.
The New York Times noted that cities as large as Baltimore, MD and Albany, NY have also been struck by ransomware attacks in 2019, and that “sleepy, cash-strapped local governments are the least likely to have updated their cyberdefenses or backed up their data.”
The article also points out that ransomware attacks strike the full range of government entities. In Georgia alone, hackers struck police departments, court systems, hospitals, city infrastructure and the Department of Public Safety.
A Ransomware Disaster
In Colorado, a state emergency was declared to fight ransomware in 2018. As detailed by Benjamin Freed of Statescoop, CISO Deborah Blyth of the Office of Information Technology had a disaster declared to release additional emergency budgets to combat the encryption of 2,000 Department of Transportation computers by a SamSam attack.
Unfortunately, most municipalities and smaller agencies will not have the ability to declare a state emergency if they are attacked – they must face the costs on their own. To make maters worse, not all of the costs are limited recovery expenses.
Ian Duncan of the Baltimore Sun noted that the city of Baltimore refused to pay a $76,000 ransom and has subsequently spent more than $4.6 million on recovery efforts between May 7 and May 29. If only the financial costs stopped there.
The city expects to spend $5.4 million more on computers and contractors through the end of 2019. Furthermore, Baltimore officials estimated that lost or delayed revenue due to the attack has cost the city as much as $8.2 million.
So, what about reputation and downtime?
In January 2017, Lisa Vaas of NakedSecurity covered how Cockrell Hill, TX lost eight years of digital evidence after refusing to pay a ransomware attacker.
When Atlanta was hit a year later, it lost years of dashboard-mounted camera footage that may never be recovered. The impact of such a loss of evidence is incalculable.
They city of Atlanta will not be able to use that evidence to support cases against criminals or to defend the city from lawsuits claiming police abuse.
Government organizations have a mission beyond the dollars and cents of their potential losses that must be factored into any calculation of the recovery costs and strategies.
What’s more? Not every organization can wait to recover from ransomware.
In January 2018, Hancock Health determined that the human risk and business costs to recover from a SamSam attack exceeded the $55,000 ransom expense. As Charlie Osborne of ZDNet explained, backups of all systems for the hospital were available, but the “days, maybe even weeks” of time that would be required to recover would be too burdensome.
Likewise, not every organization can afford to fight off ransomware. Lake City, FL understood that it was at risk, and purchased cyberinsurance. While its insurer paid off most of the ransom required this summer to recover from a ransomware attack, Kimberly Goody of FireEye noted that they “see some evidence that there is specific targeting of organizations that have insurance.”
Target or not, the ransom cost is only the beginning of the process if a government entity wants to be secure after and attack.
Recovered systems will need to be examined to ensure that the attackers did not leave any additional vulnerabilities on the systems.
As noted in a previous blog, more sophisticated attackers often gain access on one machine and then launch attack on separate machines in the network to obscure their entry point. The entry point for the attack will need to be forensically located and secured from further attacks.
Lynn Galluze, computer systems and website coordinator for Washington County, Pa., recognized that just paying a ransom did not eliminate the city’s vulnerability.
In May 2019, the county was forced to pay a $21,250 ransom to recover its communication system. Ms. Galluze contacted Ideal Integrations and Blue Bastion, to help the city clean their environment and prevent future attacks.
Be Proactive with Cybersecurity
Blue Bastion has the cybersecurity experience to monitor the network for lingering and sustained attacks while it examines and cleans each machine in the organization.
Don’t wait for an attack to occur. The cost of recovery can be much higher than the cost of implementing improvements, in advance, to the IT infrastructure and cybersecurity posture.
A single machine is all it takes to ruin a CISO’s day.
For example, in 2018, an Allentown, Pa. employee took his laptop on a trip and it missed software updates. When he returned to the office, his infected machine spread malware rapidly and cost the city $1 million to clean up! The IT systems failed to check if his system was updated or infected and no cybersecurity monitoring company was there to stop the infection in advance.
Ultimately, every organization must prioritize cybersecurity and IT recovery against a host of other priorities in a government-wide budget. Just keep in mind that as a CIO or CISO, it is not just your duty to fight – your job may depend on it.
Six months after the SamSam attack on Atlanta, the city hired a new CIO, Gary Brantley, who noted that city auditors blasted the city’s cybersecurity readiness standard two months before the attack occurred.
Despite a report that found 100 servers running a Windows operating system that Microsoft stopped supporting in 2015, and 2,000 other severe vulnerabilities, the previous CIO was not able to act fast enough to make Atlanta resistant to attack.
$21 million dollars later, it is now Brantley’s problem to resolve.
Blue Bastion is ready to help your organization now, before the attack. Prompt action allows for prioritized planning that controls costs and timing. Our managed detection & response service prevents attacks from becoming critical situations and make ongoing costs more predictable.
Additionally, if the malware attackers strike before your team can budget for improvements, you can report the incident in real time and get support right away by clicking here.