Why cities get hit hard by ransomware—and what they can do about it

Under-resourced teams, unsegmented attack surfaces, and a lack of planning are the biggest problems, say experts.

Francis Scialabba

Ransomware attacks exploded as a threat to cities late last decade—and they’ve remained a persistent threat since.

Security firm Sophos’s 2022 report on municipal ransomware found 58% of state and local government organizations experienced some kind of incident in 2021, and they tended to be worse at stopping attacks and protecting data than private-sector organizations.

Why are cities so vulnerable, and how can they avoid becoming the next cybercrime headline? Experts weighed in for IT Brew.

Not enough money—or planning. That municipal entities often have scant budgets for cybersecurity isn’t a secret. According to University of Maryland, Baltimore County computer science professor Richard Forno, almost half of US cities have IT policies that are not aligned with best practices. Worse, nearly one-third of cities wouldn’t even be able to identify an attack. Allan Liska, a ransomware expert at Recorded Future, told IT Brew that cities face “the problem of a large attack-surface that’s generally not segmented.”

For example, a 2018 attack on Atlanta forced shutdowns of systems including free Wi-Fi at the regional airport, and an attack on Oakland earlier this year quickly migrated from main city offices to police networks.

City systems are often interlinked because it’s a cheaper and easier way for municipal IT teams to handle identity and access management, Liska told IT Brew.

“There’s no reason that your free airport Wi-Fi, even if it’s run by the city, should be connected to any other part of your city network,” Liska said. “It’s not just cities that have this problem; most corporate networks are shockingly flat.”
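The flat-versus-segmented network Liska describes, shown as a firewall policy on a Linux router. This is an added illustration, not anything from the article or from the cities it mentions; the interface names (vlan10 for guest airport Wi-Fi, vlan20 for internal city systems, eth0 for the internet uplink) are assumptions.

```nft
# Constructed example: a Linux router sits between vlan10 (guest airport
# Wi-Fi) and vlan20 (city internal systems); eth0 is the internet uplink.
# Interface names are assumptions, not taken from the article.

# The flat setup the article warns about: every segment is forwarded to
# every other, so a host on the guest Wi-Fi can reach internal systems.
#
#   table inet filter {
#       chain forward { type filter hook forward priority 0; policy accept; }
#   }

flush ruleset

table inet filter {
    chain forward {
        # Default deny: nothing crosses segments unless explicitly allowed
        type filter hook forward priority 0; policy drop;

        # Keep reply traffic for already-permitted flows working
        ct state established,related accept

        # Guest Wi-Fi may reach only the internet uplink
        iifname "vlan10" oifname "eth0" accept

        # Internal city systems may reach the uplink
        iifname "vlan20" oifname "eth0" accept

        # Guest <-> internal is never forwarded; log guest-side attempts
        # so a small team sees lateral-movement tries in its alerts
        iifname "vlan10" oifname "vlan20" log prefix "guest-to-internal " drop
        iifname "vlan20" oifname "vlan10" drop
    }
}
```

Load with `nft -f` and confirm from a guest-side host that internal addresses are unreachable while the internet still works.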

Kim LaGrue, the CIO of the City of New Orleans, told IT Brew that her department prevented a Ryuk attack in 2019 from spiraling out of control because it had a well-established incident response plan. Those procedures gave city officials clearance to shut down municipal systems without hesitation and established key steps, like spreading word via methods that couldn’t be monitored by the attackers, getting vendors in motion, and flagging priority systems for recovery.

“We don’t know if had we not disconnected from the internet, if there would have been little exfiltration of data or a devastating amount of data exfiltration,” LaGrue said. “We did not respond to the ransom letters…We knew our best chance was to fall back to our backups and rebuild if we had to.”

New Orleans’ recovery efforts ultimately cost over $5 million—much of which, LaGrue says, went to upgrading or replacing legacy infrastructure.

Solutions. Liska said cities can focus their limited resources on stopping initial access brokers—hackers who break into networks and sell that access to the highest bidder—before they get in.

“That means better patch management. We’ve been talking about better patch management for 20 years,” Liska told IT Brew. He added that improved identity management, monitoring for exposed credentials, multi-factor authentication, and continuous phishing training for all staff are relatively cheap and effective methods, as is migrating smart city functions to less vulnerable cloud environments.

Nick Tausek, lead security automation architect at security firm Swimlane, told IT Brew via email that automating some of those tasks can “provide a huge boon for the security posture of local municipalities, and can have enormous ROI.”

“The effect is especially apparent in low-staffing environments, where a small team would otherwise be drowning in a sea of alerts and notifications,” Tausek wrote.

Even if skyrocketing premiums mean insurance is “no longer the cost-effective solution,” LaGrue said, municipalities should verify they actually meet minimum standards to get a policy.

“That was great answering questionnaires, seeking policies, and really inventorying where you are,” LaGrue advised. “Those are invaluable steps to take.”

Correction 05/26/22: This article has been updated to reflect that Richard Forno is a computer science professor at University of Maryland, Baltimore County, not University of Maryland.