The Magazine of American Municipal Power, Inc. and its Member Communities


The Rise of Ransomware Attacks on Municipalities




December 2019

On Aug. 16, 2019, 23 local governments across Texas were simultaneously hit with a ransomware attack that brought their respective duties to a screeching halt. The computer systems that kept these municipalities running were encrypted and inaccessible.

Rather than booting up computers and starting their normal workday, employees were greeted with messages indicating that their systems were encrypted and would only be made available again if a collective ransom of $2.5 million in bitcoin was paid to the individual or organization orchestrating the attack. Some of these towns were unable to access birth and death certificates or even perform basic tasks such as taking utility payments.

Attacks such as these are known as ransomware, and an increasing number of them are targeting local, county and state governments across the country. In fact, according to findings by the U.S. Conference of Mayors, there have been at least 170 such attacks since 2013, with a continued spike in occurrences throughout 2019.

One reason these attacks are on the rise is that they are simple to commit. An attacker gets a single piece of malicious software onto a victim’s network, usually through a seemingly harmless email attachment or link. Once it runs, it encrypts the data on that computer, and often on any network shares it can reach, and the attacker withholds the decryption key until the demanded ransom has been paid.

There are many options for how to deal with this issue, but some cities still decide to simply pay the ransom, no matter how steep the price might be. In June 2019, two Florida municipalities chose to pay attackers more than $1 million in order to regain access to their data. Just a few short months before that, a county in Georgia was forced to pay more than $400,000.

You might be thinking, “my community would never give in to those demands,” and you’re not alone in that thought. At its July meeting, the U.S. Conference of Mayors unanimously voted to no longer give in to any ransom demands from attackers. While this is an admirable stance to take, it may be easier said than done.

The City of Baltimore (May 2019) and the City of Atlanta (March 2018) were both struck by ransomware attacks, with ransom demands of roughly $76,000 and $50,000 respectively. In the end, both cities succeeded in rebuilding their systems, but the costs were overwhelming. The City of Atlanta spent nearly $3 million to repair the damage and restore its systems, while the City of Baltimore spent more than $18 million.

One thing is certain: ransomware attacks on municipal targets are on the rise, as are many other forms of cyber attack. These attacks often lead to damages that cost hundreds of thousands, or even millions, of dollars to repair, and they can take weeks or even months to recover from. Therefore, the best approach is to put up a strong, multi-layered defense and to be prepared for an attack when it occurs.

A key part of this process should be ensuring that you and/or your organization are following good cyber hygiene practices. These can include:

  • Making sure all software and antivirus programs are up to date and properly functioning on all computers, printers, mobile devices and anything else that connects to your networks. This task is often more difficult than it seems. While doing this cannot guarantee your systems will be protected, especially from newer viruses, it provides a solid first line of defense. Check that all devices are up to date and enable automatic updates where possible.
  • Additionally, there are many third-party applications out there, many of them free to download and install, that were not built to secure development standards or best practices. A good rule of thumb is that if you do not absolutely need a third-party application to do your job, it is probably not worth downloading and installing. If you do, make sure your IT department is aware of it and can verify that it comes from a reputable developer.
  • Back up all of your data, or at least the most important parts. Even if you were to pay a ransom in the event of a ransomware attack, there is no guarantee that you would regain access to your data. Having backups ensures that the worst-case scenario does not leave you down for the count. The options for data backups are plentiful, and the best solution may vary based on the requirements of your organization. For some, it could be as simple as backing up to a local, removable device; for others, contracting with a cloud provider may be the only option. Whatever solution you decide upon, be sure that you have a tested backup that is stored offsite and is inaccessible to potential attackers. A backup that can be written to with the same credentials as the workstation it protects is not really separate from it. There are plenty of stories where attackers were able not only to encrypt files on the network with ransomware, but also to encrypt the backups, leaving the municipality completely helpless.
  • Segment your networks so that wholesale attacks are reduced to retail attacks. Put another way, split devices into groups so that an infection in one group does the least possible damage. When a virus encounters a firewall that blocks it from reaching other systems on the network, the damage stops there. Consider using the virtual LAN (VLAN) capabilities available in most managed network switches, together with a firewall between the VLANs, to keep the cost of doing this down. Another option would be to physically separate these networks. Some ideas for logical network groupings are:
      • Printers, VoIP phones, CCTV systems (these devices often do not need access to the internet at all)
      • Guest wireless (does not need access to anything but the internet)
      • Servers (administrative access usually only needs to come from specific admin users)
      • Workstations and mobile devices
      • SCADA networks (should always be separated and do not require internet access)
  • Keep employees involved and knowledgeable. Establishing a regular routine of cybersecurity awareness among your employees can make all the difference. Most ransomware attacks start out as nothing more than a seemingly harmless file or email attachment, so it is important that your employees know what they might be dealing with. Many end users do not think twice about opening an attachment from what appears to be their boss or clicking a link from what appears to be a coworker. Make them aware of how these cyberattacks occur and ensure they know how to respond when they do. Plan and practice your incident response: tabletop exercises or walkthroughs of scenarios are important. Utilities do a very good job of drilling their response to other crisis scenarios, such as physical attacks or weather events, and cyber response deserves just as much practice.
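As an added example (not code from the article or from AMP), here is one way to write the logical groupings above down as an explicit allow-list policy, check individual flows against it the way the inter-VLAN firewall would, and render the same policy as an nftables ruleset. The zone names, subnets and ports are assumptions chosen for illustration; the only rules are the ones you deliberately add, so a segment with no rules, such as SCADA, is unreachable by default.

```python
"""Zone-based segmentation policy with a matching nftables ruleset.

Added example; not code from the AMP article. Zone names, subnets and the
ports in the allow list are assumptions that mirror the article's groupings
(printers/VoIP/CCTV, guest wireless, servers, workstations, SCADA).
Anything not explicitly allowed is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNET = "internet"  # pseudo-zone: any address outside the listed subnets

# Assumed VLAN subnets (constructed for this example).
ZONES = {
    "printers_voip_cctv": ipaddress.ip_network("10.10.0.0/24"),
    "guest_wifi":         ipaddress.ip_network("10.20.0.0/24"),
    "servers":            ipaddress.ip_network("10.30.0.0/24"),
    "workstations":       ipaddress.ip_network("10.40.0.0/24"),
    "admin":              ipaddress.ip_network("10.50.0.0/28"),  # the specific admin users
    "scada":              ipaddress.ip_network("10.60.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str                     # zone name or INTERNET
    dst: str
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port


# Allow list, default deny. Nothing grants SCADA or the printer/VoIP/CCTV
# segment a path to the internet, and guest Wi-Fi gets the internet only.
ALLOW = [
    Rule("guest_wifi",   INTERNET),
    Rule("workstations", INTERNET, "tcp", 80),
    Rule("workstations", INTERNET, "tcp", 443),
    Rule("workstations", "printers_voip_cctv", "tcp", 9100),  # raw printing
    Rule("workstations", "servers", "tcp", 445),              # file shares (assumed need)
    Rule("admin",        "servers", "tcp", 22),
    Rule("admin",        "servers", "tcp", 3389),
]


def zone_of(ip: str) -> str:
    """Longest-match is unnecessary here because the assumed subnets do not overlap."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> bool:
    """Evaluate one new flow: first matching allow rule wins, otherwise drop."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in ALLOW:
        if (r.src == src and r.dst == dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return True
    return False


def to_nftables() -> str:
    """Render the same policy as an nftables forward chain with policy drop."""
    def match(zone: str, side: str) -> str:
        if zone == INTERNET:
            return f"ip {side} != @internal"
        return f"ip {side} {ZONES[zone]}"

    lines = [
        "table inet segmentation {",
        "    set internal {",
        "        type ipv4_addr",
        "        flags interval",
        "        elements = { " + ", ".join(str(n) for n in ZONES.values()) + " }",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",  # replies to allowed flows
    ]
    for r in ALLOW:
        port = f" {r.proto} dport {r.dport}" if r.dport is not None else ""
        lines.append(f"        {match(r.src, 'saddr')} {match(r.dst, 'daddr')}{port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("10.20.0.5", "8.8.8.8", "udp", 53),        # guest to internet
                 ("10.10.0.7", "8.8.8.8", "tcp", 443),       # camera to internet
                 ("10.40.0.9", "10.60.0.4", "tcp", 502),     # workstation to SCADA
                 ("10.50.0.2", "10.30.0.10", "tcp", 22)]:    # admin to server
        print(flow, "ALLOW" if is_allowed(*flow) else "DROP")
    print(to_nftables())
```

The generated ruleset is meant to be reviewed and loaded on the firewall that sits between the VLANs; the point of keeping the policy in one allow list is that every path an infection could take between segments is written down and can be questioned.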

While there are many other steps that could be taken to secure your network, the items above provide a good starting point for getting your utility better prepared to detect, respond and prevent the debilitating impacts of ransomware.

Remember, the attacker’s goal is for you to pay the ransom, and they keep refining their methods to make that happen. While the tactics in use are always evolving, here are a few to look out for:

  • Some attackers plant malware on the network and leave it dormant for a long period (months to years) before it activates and starts encrypting files. By then the dormant malware has been captured in your backups too, so restoring from the most recent copy reintroduces the infection and the files are encrypted again. This is why it is very important to keep multiple point-in-time backup copies of data, rather than just the most current, and to check a restored system before reconnecting it.
  • Some attackers exfiltrate files and confidential data prior to encrypting them, then use that data as leverage, threatening a public release unless you pay the ransom.
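The backup advice earlier in this article (tested backups kept out of the attacker's reach) and the dormant-malware tactic above both come down to the same two habits: keep several dated copies rather than overwriting one, and verify a copy before trusting it. The following is an added example, not code from the article or from AMP, that shows the mechanics on a constructed set of records: each snapshot is a separate dated directory with a SHA-256 manifest, verification flags any file that changed after the snapshot was taken, a restore refuses a snapshot that fails verification, and pruning keeps the newest N. The directory names, labels and sample files are assumptions for illustration. Note what verification does not catch: a snapshot taken after production files were encrypted verifies cleanly, because it faithfully recorded the encrypted bytes; only the older snapshot gets you back.

```python
"""Point-in-time backup snapshots with integrity verification and retention.

Added example; not code from the AMP article. Directory layout, labels and
the sample records are constructed for illustration. Code cannot make a
backup offline or unreachable from the production network; that part stays
a matter of where the snapshot root lives and who can write to it.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_snapshot(source: Path, backup_root: Path, label: Optional[str] = None) -> Path:
    """Copy source into a new, separately named snapshot and record a manifest.
    Older snapshots are never overwritten, so a clean copy from before a
    dormant infection stays available."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = backup_root / label
    if snap.exists():
        raise FileExistsError(f"snapshot {label} already exists")
    shutil.copytree(source, snap / "data")
    manifest = hash_tree(snap / "data")
    (snap / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return snap


def verify_snapshot(snap: Path) -> List[str]:
    """Recompute hashes against the manifest; return files missing or altered.
    A backup that ransomware reached shows up here as a wall of mismatches."""
    manifest = json.loads((snap / MANIFEST).read_text())
    actual = hash_tree(snap / "data")
    return sorted(rel for rel, digest in manifest.items() if actual.get(rel) != digest)


def restore_snapshot(snap: Path, target: Path) -> List[str]:
    """Restore a verified snapshot into target (which must not exist yet) and
    check the restored tree against the manifest; returns any failures."""
    bad = verify_snapshot(snap)
    if bad:
        raise ValueError(f"refusing to restore {snap.name}: {len(bad)} file(s) fail verification")
    shutil.copytree(snap / "data", target)
    manifest = json.loads((snap / MANIFEST).read_text())
    restored = hash_tree(target)
    return sorted(rel for rel, digest in manifest.items() if restored.get(rel) != digest)


def prune_snapshots(backup_root: Path, keep: int) -> List[str]:
    """Delete all but the newest `keep` snapshots; labels sort chronologically.
    Keep enough history to reach back past the attacker's dwell time."""
    labels = sorted(p.name for p in backup_root.iterdir() if (p / MANIFEST).exists())
    removed = labels[:max(0, len(labels) - keep)]
    for name in removed:
        shutil.rmtree(backup_root / name)
    return removed


def demo(work: Optional[Path] = None) -> dict:
    """Constructed scenario: three monthly snapshots, then ransomware hits both
    production and the newest backup; recovery comes from the older clean copy."""
    work = work or Path(tempfile.mkdtemp(prefix="amp-backup-"))
    src, root = work / "records", work / "backups"
    (src / "billing").mkdir(parents=True)
    root.mkdir()
    (src / "permits.csv").write_text("id,owner\n1,Smith\n")
    (src / "billing" / "q3.txt").write_text("paid\n")
    make_snapshot(src, root, "20191001T000000Z")
    clean = make_snapshot(src, root, "20191101T000000Z")
    # Ransomware overwrites a production file (simulated with opaque bytes)...
    (src / "permits.csv").write_bytes(b"\x9f\x13\x44\x00encrypted-by-ransomware")
    damaged = make_snapshot(src, root, "20191201T000000Z")  # faithfully captures the damage
    # ...and also reaches the newest backup because it sat on a writable share.
    (damaged / "data" / "billing" / "q3.txt").write_bytes(b"\x00\xffgarbage")
    try:
        restore_snapshot(damaged, work / "restore-from-damaged")
        refused = False
    except ValueError:
        refused = True
    return {
        "clean_ok": verify_snapshot(clean) == [],
        "damaged_failures": verify_snapshot(damaged),      # only the post-snapshot tampering
        "damaged_restore_refused": refused,
        "restore_failures": restore_snapshot(clean, work / "restore"),
        "restored_permits": (work / "restore" / "permits.csv").read_text(),
        "pruned": prune_snapshots(root, keep=2),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it and the output shows the November snapshot verifying cleanly and restoring the original permits file, the December snapshot failing verification on the file the attacker touched and being refused for restore, and the October snapshot pruned because the retention limit was two. In practice the snapshot root would be on media the production network cannot write to, and the manifest would be kept somewhere the attacker cannot rewrite alongside the data.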

Keep in mind that paying the ransom does not guarantee that none of the above will happen. Remember that you are dealing with criminals, and they make their own rules.

AMP’s IT Cyber Security leadership, under the direction of the AMP Board of Trustees, is developing a program to help members improve their cyber posture. The initial pilot for this is underway. Results and feedback will be shared in the coming months and will be used to develop a formal offering for all AMP members.

When it comes to cybersecurity, there is no better defense than your employees. Start preparing with them today. Take stock of your defenses now and be ready to react before an attack occurs.

If your utility or municipality needs assistance or guidance preparing for a potential ransomware attack, or if you have any other general cybersecurity questions, AMP’s IT team is available to assist you. Feel free to contact us at [email protected].