When They Hit, Cities Need to Shut Down Their Computer Systems. But Then What?

When They Hit, Cities Need to Shut Down Their Computer Systems. But Then What?

Pensacola and New Orleans are the most recent victims. They’re among a long list of at least 40 municipalities, including Baltimore; Albany, NY and a full 22 cities across Texas, that have been hit with ransomware attacks this year.

The attacks encrypt cities’ computer files making them unusable, and a hefty ransom is demanded for a decryption key in order for the city to get them back. Meanwhile, the targeted city is immediately forced to shut down its systems to prevent spreading the malware, and a city’s ability to perform day-to-day IT-dependent functions comes to a screeching halt.

Municipal workers are suddenly teleported back in time to a pen and paper, pre-computer era. The ransomware attack thus seriously cripples the cities, their citizens and organizations conducting business with the cities. Every city function could be brought down, from tax collection to phones, to the ability of the police and fire departments to operate.

Common Municipal Vulnerabilities. Hackers understand full well the vulnerabilities typically found in small-to-mid-size cities that make them such attractive targets: inadequate or mis-prioritized budgets leading to outdated, more easily hacked software; inadequately backed-up files; city employees who have not received training in cybersecurity awareness; and outdated or non-existent ransomware response plans.

Costs of a Ransomware Attack. When a ransomware attack strikes, the costs to a city in tax-payer money are usually very significant regardless of whether or not a city decides to pay the ransom. Non-paying cities may try to piece together their system from backups while having to shut down large proportions of city business for a potentially long time.

Baltimore, attacked last May, refused to pay any ransom, but their refusal will cost the city $18.2 million according to its budget office estimate. That includes the costs for having its systems restored as well as the costs of delayed revenues.

To hackers, size doesn’t matter. Lake City, FL (pop. 12,000) paid a ransom of about $460,000. Riviera Beach (pop. 34,600) paid $600,000 in ransom to regain access to its encrypted files.

Even though the U.S. Conference of Mayors unanimously resolved last summer to no longer pay any ransom demands because payment only encourages more attacks, the resolution was non-binding. That’s perhaps as it should be since several additional factors complicate the issue for mayors.

For one thing, some cities have insurance policies against attacks and make the calculation that it’s less expensive to pay the ransoms with the help of insurers than try to rebuild their systems. They gamble that payment will prompt hackers to restore their files, even though restoration by criminals is far from guaranteed.

A New Hacker Threat. Cities also have to reckon with the profound costs they could incur if the hackers were to publicly release sensitive stolen information, which recently happened to the city of Johannesburg in South Africa after a ransomware attack.

This new wrinkle in cyber threats, now known by the term “leakware,” was recently acted upon in the U.S. Operators of the so-called Maze ransomware that attacked Pensacola also claimed responsibility for the attack on cybersecurity firm Allied Universal, which has an office in Pensacola. When Allied Universal refused to pay the ransom, Maze’s criminal operators released the security firm’s sensitive information to the public causing even greater financial and reputational damage to the company.

Finger-Pointing. Further complicating a city’s ransomware crisis will be inevitable allegations by some in the government, in the news and social media that the city was egregiously unprepared. Mayors and IT officers in charge of protecting a city’s systems will find themselves in a very hot seat. This was the case with Baltimore’s CIO Frank Johnson, who has now been put on “indefinite leave.”

 

What’s a City to Do? Whether you’re the mayor, the head of IT, or whatever your position, if you’re in charge of leading the crisis team, the first question you need to answer before any ransomware attack occurs is how you intend to manage that crisis without a working computer system?

So many decisions have to be made quickly: How will you coordinate with local law enforcement? How do you calculate whether to pay the ransom or not when the criminals are threatening to release sensitive data publicly? Myriad steps need to be assigned, taken and tracked.

What Pensacola Did to Manage Its Ransomware Crisis

As one example of the complex tasks that need to be completed in response to a ransomware attack, Jeff Bergosh, Escambia County Commissioner, enumerated on his blog the steps that Pensacola and Escambia County took in response to the Pensacola attack.

 

Once we found out that the breach had happened, BCC-IT (Board of County Commissioners-IT) shut their connection to the BOC (Business Outreach Center) network by disabling their two connections into our network. We also performed the following over the weekend:

 

  1. Notified our Security Operation Center (SOC) of the event and requested they put our network on high alert. This increased our alert activity through the day and our Cyber team has been responding to the events.
  2. Notified CISA and gave the City of Pensacola their contact information.
  3. Notified DHS and talked with them over the weekend.
  4. Monitored Firewall and Antivirus logs

Today we met as a Leadership team and have performed the following:

  1. Elevated our Antivirus policy to be more aggressive
  2. Continued to monitor our Firewall and Antivirus logs
  3. Continued to receive events from (SOC).
  4. Shared information with City of Pensacola and the Sherriff’s office.

To provide greater protection to the County network we plan to implement the following changes:

  1. Provide alerts on all emails coming from an external source.
  2. Turn off the ability for employees to access their Personal Email and Social Media Accounts.
  3. Upon login, users will have to click an OK to a Legal notice which will basically state they should have no expectation of privacy while using a county device.
  4. Once logged in, a machine will automatically lock after 15 minutes of inactivity. We will have an exception group, but it will be limited to business-critical operations.
  5. Limit the use of USB devices
  6. Limit Administrative rights
  7. Not allow users to write to their local C: Drive
  8. Require users home PC be up to date with Endpoint protection and the latest Windows Security patches before removing into a county device
  9. Implement a county Phishing Email campaign and Security Awareness training

The Pensacola/Escambia County actions are instructive for any municipality. They can and should be adapted for each municipality’s particular situation.

Consider how much more efficient and, importantly, how much less stressful it would be if these and all similar crisis response steps were methodically listed and carried out via an advanced incident response/crisis management app, readily available on each team member’s mobile phone and entirely insulated from the now hacked computer system.

With such an incident response mobile app in hand, the steps a municipality needs to take to manage the crisis could immediately be put in motion, assigned, tracked and documented with great efficiency and effectiveness. Crisis team leaders could…

  • Gather the crisis team virtually
  • Consult a pre-written, pre-approved interactive plan that’s easily accessible through the app
  • Assign and track multiple must-do tasks
  • Document everything, conversations, documents, videos, etc. for future legal reference and training purposes
  • Have access to a full library of crisis management-related resources

Even if a municipality were to have a robust backup system and highly trained staff able to recover from a ransomware attack, the city is only capable of managing its response proficiently if its crisis plan can be accessed and put in motion by the crisis team independent of its computer system. Only with such an app is a municipality fully prepared.