“We are seeing more ransomware attacks because they work,” said Eli Sugarman, who directs the Hewlett Foundation’s cybersecurity program. “Cities are struggling to secure their complex and oftentimes outdated systems, and when attacked some choose to pay.” And, he noted, there is “notoriety that comes from each successful attack.”
When companies are hit with ransomware attacks they often cover it up. But cities cannot — as Atlanta learned in March 2018, in one of the most serious cyberattacks against an American municipality. Attackers demanded roughly $51,000 in Bitcoin but, according to The Atlanta Journal-Constitution, the city refused to pay the ransom. A document leaked to local news outlets showed that responding to the attack could cost the city $17 million. At the time, Mayor Keisha Lance Bottoms called the attack “a hostage situation,” and threat researchers working on the response blamed a hacking crew called SamSam.
Two Iranians, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were indicted on a charge in that attack last year, and there has been no major recurrence of SamSam attacks since. But new, more targeted malware has appeared.
The hackers who disabled Baltimore city computers in May demanded about $76,000 in Bitcoin to release the city’s files and allow employees to regain access to their computers. The mayor, Bernard Young, said the city would not pay the ransom, in part because there was no guarantee the files would be unlocked.
In the nearly four months since, the city has brought systems back online one by one, spending more than $5.3 million on computers and contractors brought on to help recover from the attack. An early estimate put the combination of lost revenue and city expenditures at more than $18 million.
Lester Davis, a spokesman for the mayor, said some lost revenue had been recouped and that it was impossible to quantify how much money the city lost by lack of productivity and missing payments. Baltimore issued water bills in recent weeks for the first time since the hacking, meaning many residents are facing payments three times as much as normal.
Five states — California, Connecticut, Michigan, Texas and Wyoming — appear to have laws that refer specifically to “ransomware” or computer extortion, although other states have laws that prohibit extortion and computer crimes such as malware or computer trespass, according to the National Conference of State Legislatures.