Ransomware attacks against U.S. government entities: 5 key observations and takeaways for municipalities

Hackers targeted U.S. city and county governments with 79 ransomware attacks in 2020, a 35 percent decrease in the number of ransomware attacks counted in 2019 but still a major impact to some 71 million people. The average ransom demanded in 2020 from governmental related organizations was $570,857, with over $1.75 million actually paid to hackers.⁽¹⁾

In fact, a recent report from consumer tech information site Comparitech shows that cyberattacks cost American government entities about $18.88 billion in recovery costs and downtime in 2020. Further, the average cybersecurity breach costs states between $665,000 to $40.53 million, with a median cost varying from $60,000 to as high as $1.87 million.⁽²⁾

Why are municipalities so vulnerable? Some say it’s because they lag far behind their corporate counterparts in the digital revolution. Others think their IT skills may be lacking or challenged. Budgets are often tight, and there is frequently a gap in funding for new tech. Regardless, ransomware is a huge threat to their cyber resilience – and to every citizen’s data.

Cumulatively, over the past three years, 246 ransomware attacks have struck U.S. government organizations at an estimated cost of $52.88 billion. Ironically, while most ransomware attacks are about just that – holding data for ransom until it’s paid – the goal of most of these attacks on cities, states and counties was not to steal data but to halt processes, interrupt services and cause disruption.⁽³⁾

Based on two years of data on municipal government ransomware attacks, here are the most intriguing data points we came across and the biggest takeaways from the data.

1.  The number of ransomware attacks against government entities levelled off in 2020 but are trending upward again.
   
   Source: MINDSMITH, 2020

Recent research by Barracuda Networks indicates that 44% of global ransomware in 2020 targeted municipalities.⁽⁴⁾

These attacks peaked in the beginning of the year – 11 in January and 10 in February – and then declined every month after that until they shifted up again in September (four attacks) and October (seven attacks), with another uptick in December (six attacks) after just two attacks in November.

These include:

In June 2020, in the city of Florence, Alabama, a cyberattack shut down the city’s email system. The city reportedly paid over $250K to recover the encrypted data. On the back end of 2020 (from July to end of year), cities including Knoxville, TN, Key West, FL, Mt. Pleasant, MI, Salem, NH and Cornelia, GA (among others) reported they, too, were victims of various levels of disruption due to ransomware attacks that locked up or disabled their respective systems.⁽⁵⁾

This gradual decline for most of 2020 could have occurred for any number of reasons. COVID-19 might have disrupted the hackers behind the attacks or reports of attacks might have dropped off due to pandemic news dominating media coverage.

However, in 2021, attacks on government-related entities saw an uplift; in fact, according to this site⁽⁶⁾, through September 2021, there were 42 such attacks, outpacing other industries including education, (32) healthcare (29), retail (12), and finance (7).

Which means, of course, that as we wind down 2021, the threat to municipalities by ransomwares is still very real. And growing.

2. 68% of states had at least one municipality attacked; Texas led all states in attacks by a wide margin
   
   Source: MINDSMITH, 2020

Since the beginning of 2020, U.S. state bodies at various levels have been attacked by ransomware at least 93 times in 68% of states.⁽⁷⁾

Among the states affected, Texas is home to the most local government ransomware attacks of any state over the past two years. And it wasn’t particularly close. There were 31 attacks on Texas municipalities in 2019 and another eight in 2020. In fact, government authorities in Texas were the most exposed to ransomware attacks (13% of all attacks in 2020).⁽⁸⁾

Georgia had the second most cases at 16 (nine in 2019 and seven 2020), followed by Florida at 12 (eight in 2019 and four in 2020), California at 10 (seven in 2019 and three in 2020) and Pennsylvania at nine (four in 2019 and five in 2020).

Why the Lone Star state has become a magnet for these kinds of attacks is up for debate; it’s significant, however, that, according to the mayor of one of the 22 cities affected, “...the hackers broke into the information technology software used by the city and managed by an outsourced company, which also supports many of the other municipalities targeted.”⁽⁹⁾

Something, perhaps, other municipalities should at least consider when weighing similar outsourcing arrangements.

3. Timing is everything – where (and when) ransomware was most prolific in 2020
   
   Source: MINDSMITH, 2020

Over half (55%) of all ransomware attacks occurred in the first quarter of 2020, and most often U.S. states bodies were attacked in January (24%), February (23%) and May (16%).

More than half the time, the attacks (54%) occurred at the city level; almost a third (28%) at the county level; and 18% of the attacks affected the entire state.

The study clearly revealed that different states and counties vary greatly in the volume of successful ransomware attacks. Apart from the attacks in Texas, Florida, California, North Carolina, and Illinois were also among the leaders in the number of ransomware attacks (5% of attacks each).

Reported attacks against municipalities tapered off over the first eight months of 2020 once the COVID-19 pandemic hit, but attacks against organizations increased. One report noted that 51% of malware attacks in Q3 of 2020 were ransomware attacks – up from 39% in Q2 and 34% in Q1.

The general distribution of attacks by the organizational level of the target also demonstrates the vulnerability of local authorities and city governments (e.g., those that have the least number of resources both to prevent attacks and eliminate the destructive consequences of cyberattacks).⁽¹⁰⁾

In other words, state, city, and county seats – wherever they are located – are at risk. They need to practice and evangelize ransomware avoidance strategies, including sensitizing employees at every level to be aware of phishing schemes, suspicious emails and other external threats that, with a single mouse click, can bring down services system-wide not only for them but also the citizens they serve.

4. Most municipalities aren’t paying ransoms
   
   Source: KnowBe4, 2020

Of the municipalities subjected to ransomware attacks in 2020, 15% have confirmed they have made payments, compared to no ransoms being paid the previous year.⁽¹¹⁾

Based on what’s been reported, most municipalities chose not to pay ransoms. In fact, over the past two years, there are reports of only 16 municipalities that paid some or all of the ransom demanded. Here’s how it breaks down:

In 2020, out of the 71 reported cases, 26.7% of municipalities refused to pay the ransom, while 12.7% did pay. Information from the other 43 government entities wasn’t available, accounting for 60.6% of the cases.

For the reported 16 government entities that paid the ransom, that route may no longer be available to them should they get attacked in the future. Per a ransomware advisory from the Office of Foreign Assets Control (OFAC) in the U.S., they can now be sanctioned for paying ransoms to certain groups.⁽¹²⁾

Specifically:

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.

But paying out ransom doesn’t apply to all. There are exceptions.

Revisiting the attack on Texas towns in 2020 for a combined ransom amount of US$2.5 million in 2019 and 2020 did not get a single cent, according to Texas state officials. This is due to a successful coordinated state and federal cyber response plan that was spearheaded by the Office of the Chief Information Security Officer at the Texas Department of Information Resources (DIR).⁽¹³⁾

Something else to consider when debating whether to pay or not: according to this recent report, people who pay the ransom only receive up to 8% percent of their data back.⁽¹⁴⁾ While this finding may apply mostly or exclusively to enterprises, it seems a reasonable extrapolation that a similar outcome could, likewise, be experienced by government entities.

Of course, not paying the ransom doesn’t mean the same thing as stopping a threat actor or state sponsored hacker from taking your systems offline. However, as the next observation finds, the cost to remediate and recover from the attack could be more than the ransom itself.

5. Ransom demands shrunk in 2020
   
   Source: MINDSMITH, 2020

Based on reported data, ransom demands averaged $686,000 in 2020. Over the past two years, the largest paid ransom was $592,000. This was for an attack that occurred on May 29, 2019, when a phishing email encrypted city records and disabled the email system, digital payroll and 911 systems in Riviera Beach, Florida. The next largest ransom paid was $500,000. This was for an attack that occurred on November 22, 2020, in Delaware County, Pennsylvania, when portions of the county's computer network were locked and knocked offline.

The largest ransom demand reported was $5.3 million, for an attack that occurred on July 3, 2019, in New Bedford, Massachusetts, when 158 city computers were shut down. However, the ransom, ultimately, was not paid.

The decision not to pay ransom still often comes with a heavy cost to cities that were unprepared for attacks. In 2019, the city of Baltimore chose not to pay the $75,000 ransom demand it received, but later spent over $18 million on recovery. New Orleans, after refusing to pay their ransom during an attack in December 2019, spent about $7 million on recovery.

Had these cities proactively protected against ransomware before the attacks, they could have avoided those massive recovery bills, perhaps proving that when it comes to ransomware, the cure can often cost more than the actual infection could ever turn out to be.

Again, that’s not universal guidance; it should be considered on a case-by-case basis.

How to avoid becoming the next victim

Municipalities should continue to prioritize educating their employees so they’re up to date on the latest trends and are mindful about what websites they click on and what emails they open. Now is an opportune time to re-evaluate the resilience of your third-party vendors. After all, you’re only as resilient as the weakest link in your supply chain.

Additionally, according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center, safety measures against the threat of ransomware include the following guidance⁽¹⁵⁾:

• Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
• Never click on links or open attachments in unsolicited emails.
• Backup data on a regular basis. Keep it on a separate device and store it offline.
• Restrict users’ permissions to install and run software applications and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
• Use only applications that are approved to run on your network.
• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
• Configure firewalls to block access to known malicious IP addresses.

Additionally, partnering with a service provider or similar organization offering customized Disaster Recovery and Business Continuity Plans (DR/BCP) can also help to mitigate or remediate ransomware attacks on your state, city or county government. Then test, test, and test some more.

While municipalities have been hit particularly hard by ransom attacks over the past two years, so too have many businesses. The latest uptick in reported attacks on municipalities means organizations can’t wait to add defenses and safeguards. If they do, they could easily become another statistic.

Citations

1. https://www.americancityandcounty.com/2021/03/22/report-ransomware-attacks-cost-local-and-state-governments-over-18-billion-in-2020/
2. https://www.forbes.com/sites/forbestechcouncil/2021/06/22/municipal-cyberattacks-a-new-threat-or-persistent-risk/?sh=7ae90ed83ffb
3. https://www.forbes.com/sites/forbestechcouncil/2021/06/22/municipal-cyberattacks-a-new-threat-or-persistent-risk/?sh=7ae90ed83ffb
4. https://www.insideindianabusiness.com/story/44667237/cybersecurity-for-indianas-cities-and-towns
5. https://www.blackfog.com/the-state-of-ransomware-in-2021/
6. Ibid.
7. https://mindsmith.io/en/threat-from-the-dark/
8. Ibid.
9. https://threatwarrior.com/texas-ransomware-attack/
10. ttps://mindsmith.io/en/threat-from-the-dark/
11. https://www.infosecurity-magazine.com/news/local-government-targeted/
12. https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
13. https://www.zdnet.com/article/no-municipality-paid-ransoms-in-coordinated-ransomware-attack-that-hit-texas/
14. https://searchsecurity.techtarget.com/news/252508453/Gartner-analysts-debate-ransomware-payments
15. https://www.americancityandcounty.com/2021/03/22/report-ransomware-attacks-cost-local-and-state-governments-over-18-billion-in-2020/