When he learned about a ransomware attack in March, Daniel Saroff didn’t sweat it. The chief information officer of Massachusetts’ public defender office had easily fought off a similar attack against some desktop computers more than four years earlier.
But the new attack on the Committee for Public Counsel Services was far worse, scrambling vital data on the servers and fatally compromising the agency’s entire network. “Once we realized it was smarter than the old one, that was when fear and dread set in,” Saroff said.
There’s a lot of that going around at government offices throughout the United States. City and state agencies are being hammered by ransomware attacks that have crippled public services and cost taxpayers millions.
So far, Massachusetts has been spared the devastation caused by ransomware assaults in cities like Atlanta and Baltimore. And state and local officials are scrambling to make sure their systems are secure. Last year, the Baker administration and the Massachusetts Technology Collaborative launched a statewide cybersecurity center to prepare for digital attacks against the state’s major public- and private-sector organizations.
“Part of the strategy is to assume you’re going to get hit,” said Michael Brown, a retired Navy rear admiral who chairs the state’s Cybersecurity Strategy Council. With aggressive criminal gangs constantly probing for security flaws, that’s a pretty safe bet.
In a ransomware attack, criminals break into computer networks and install software that encrypts all of the data. Vital information is made inaccessible, and only the criminals have the key to unlock it. They promise to do so, for a price.
Ransomware has been around for decades, but attacks against individuals and businesses have soared in recent years. According to the research firm Cybersecurity Ventures, they cost the global economy $8 billion last year.
Lately, online criminals have been going after governments in a big way. The Somerville data security company Recorded Future identified 53 ransomware attacks against state and local agencies in 2018, up from 38 the year before. As of April, the company had spotted 21 such attacks in 2019.
Apart from Baltimore, Greenville, N.C.; Imperial County, Calif.; Cleveland; Riviera Beach and Lake City in Florida; Augusta, Maine; and Cartersville, Ga., have been hit in recent months. In May, the City of Lynn could not collect parking fines online because Penforms USA Inc., the Utah company that manages its parking services, had been victimized by ransomware.
“It’s happened to every single part and level of government.” said Bob Rudis, chief data scientist at Rapid7, a Boston network security company.
Government agencies are soft targets, Rudis said. They can rarely afford the newest computers and software — or the best cybersecurity experts, who can earn more by working in the private sector.
Besides, Rudis added, “Governments kind of have to run.”
For instance, police services are vital to public safety. When the Tewksbury Police Department was hit with ransomware in 2015, the town lost access to gigabytes of crucial data, including arrest records. The online criminals wanted a measly $500 in ransom to restore access. The department paid up.
Also, many non-emergency services are important to the local economy. In Baltimore, home sales ground to a halt for weeks, because ransomware had crippled the city’s system for recording real estate transactions. The episode demonstrated that “an attack on a government agency could have huge downstream effects on the entire local economy,” Rudis said.
Some cities will pay plenty to avoid that kind of trouble. In June, Riviera Beach, Fla., coughed up a $600,000 ransom to get its municipal data back. Two weeks later, Lake City, Fla., made a $460,000 payment.
In both cases, most of the ransom was covered by a cybersecurity insurance policy. Brad Gow, global cyber product leader at the insurer Sompo International Holdings Ltd., said his company offers coverage to several cities and states.
“We have paid out multiple ransomware extortions that are well into six figures,” Gow said. “As distasteful as it is, sometimes it’s easiest and best for them to just pay off the perpetrators.”
Sompo doesn’t just cut a check for the victims, though. It sends in a team of experts to scour the network. Sometimes they find the lost data is backed up somewhere in the system, eliminating the need to make a payoff. The company has people on staff who contact the attackers via e-mail and try to negotiate a lower ransom.
“They have the ability to speak Russian, Serbian, and some of the other Slavic languages,” Gow said, because so many cyber criminals are headquartered in Eastern Europe. When the ransom is paid and the unlocking software is delivered, Sompo’s people check it for other malware.
“Once you have that decryption key, you’ve got to realize you’re dealing with criminals,” Gow said. “You can’t trust that.”
In addition, Sompo and other insurers work with clients to prevent future attacks. Many are launched through infected e-mails opened by unwary employees, so better-trained workers are the first line of defense. Another popular attack vector is Remote Desktop Protocol, a feature in Microsoft operating systems that lets authorized outsiders take control of a company’s computers. Hackers are good at abusing this feature, so potential victims must maker sure that each computer’s RDP software is secured, or permanently disabled.
The last line of defense is frequent backups of critical files. This should be done through a server that is disconnected from the organization’s network when not in use, to protect the backed-up files from corruption. An organization that stands to lose just one or two days’ data can afford to ignore a ransom demand.
Despite the damage caused by ransomware, Recorded Future estimates that 70 percent of victims refuse to pay. Last year, Atlanta wouldn’t hand over $51,000 to regain access to some of its computers; instead, it’s paying $17 million to clean up the mess. Baltimore refused to pay $75,000 and will spend $18 million on repairs.
The attackers who hit the Massachusetts public defenders’ office didn’t ask for a specific amount, offering instead to negotiate. Saroff wasn’t interested. He figured the system was so compromised that it would have to be rebuilt, anyway, to ensure that no other malware had been smuggled in. So he’s reconstructing the lost files from backups and will spend about $300,000 for a complete network rebuild.
“Paying for ransomware doesn’t actually save money,” he said. “All it does is save data.”