Earlier this month, the U.S. Conference of Mayors held a meeting in Honolulu, Hawaii. During the event, 225 mayors signed a pledge promising to refuse payment to ransomware attackers. The group’s resolution highlighted the rise of malware attacks on municipalities across the United States.
The document also explained that while hacks can cost municipalities millions of dollars to resolve, paying malicious actors only encourages more data breaches.
Why the Conference of Mayors made their Pledge
Baltimore Mayor Bernard “Jack” Young sponsored the ransomware opposition measure at the conference. Notably, Young gained firsthand experience with server-encrypting malware when hackers launched a cyber-attack against the city in May. The digital hijackers used a repurposed National Security Agency tool to seize control of the city’s digital infrastructure.
The attackers demanded $100,000 in Bitcoin to unencrypt the city’s systems, but Mayor Young refused. Ultimately, the municipality was forced to pay $18 million to repair the effects of the hack.
The Florida city of Riviera Beach recently took a different tack after cybercriminals infected its system with ransomware. Despite the Federal Bureau of Investigation’s recommendation to the contrary, the city met the malicious operator’s $600,000 ransom demand.
Similarly, Lake City, Florida experienced a ransomware attack in June. Hackers demanded $460,000 in Bitcoin to release the region’s data, and its city council voted to pay up.
Mayor Young didn’t mention either area by name when talking about his proposal to the Wall Street Journal. However, he did say, “Paying ransoms only gives incentive for more people to engage in this type of illegal behavior.”
No End in Sight
While the Conference of Mayors’ resolution not to meet the ransom demands is the right choice, it doesn’t address the underlying issue. As the organization noted, hackers have deployed ransomware attacks against 170 county, city, or state systems since 2013. Furthermore, bad actors have increasingly launched civic malware attacks. So far, hackers have initiated 22 municipal ransomware assaults in 2019.
Malicious operators have been targeting municipalities for two reasons. One, cities tend to patch together digital infrastructures made up of several different software platforms. As such, it’s difficult for government information technology experts to cover all their systems’ potential vulnerabilities. And two, small towns and cities have a significant incentive to consent to attackers’ demands.
For example, the two Florida cities that paid hackers to regain control of their servers likely did so after crunching some numbers. While a city like Baltimore can absorb an unexpected $18 million shortfall, Lake City and Riviera Beach cannot. So, rather than force their municipalities to go bankrupt, the leaders in those regions just paid the ransom.
However, civic leaders who’ve taken that pragmatic approach have seemingly caused a sharp increase in both ransom demand amounts and frequency. Indeed, the Internet Society’s Online Trust Alliance notes that worldwide losses due to ransomware attacks increased from $5 billion in 2017 to $8 billion in 2019.
Last week, malicious operators initiated a ransomware attack against a civic institution, and the attack is considerably bolder than past incidents. On July 10, hackers locked up the digital infrastructure of New York City’s Monroe College. The cybercriminals behind the hack are asking for $2 million to release control of the school’s networks.
With no perceived end in sight, the U.S. Conference of Mayors’ resolution might be one of the timeliest in today’s digital age.