Ransomware Attacks Cost Municipalities

Robert Sargent

Tennant Risk Services

April 28, 2019

The start of 2019 has seen a rash of successful ransomware attacks (see here, here) on municipalities, most without comprehensive Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage).

Municipalities continue to be a lucrative target because of lax security (see here), and expensive service disruptions provide an incentive to pay the ransom.  Authorities recommend not paying the ransom demand, for obvious reasons, but some have no choice (see here, here).

Unlike data breaches, ransomware attacks are particularly damaging because they can shut down an organization’s operations (see here).  Successful ransomware attacks can cause significant disruption of services and result in significant costs associated with downtime (“business interruption” in the insurance world).  The large number of recent attacks against municipalities shows the level of damage that ransomware attacks can cause, including:

Taos, NM (here, here, here) – Taos schools were infected in a ransomware attack, with the criminal demanding a $5,000 payment for the decryption key.  The ransomware was introduced to the system through a phishing email, and the resulting malware shut down most of the school system’s digital services.  The school board approved additional funds for the forensic cleanup, but a month later the systems were not fully restored.

Augusta City Center, ME (here) – Malware locked up the servers and spread to some additional devices in municipal operations, resulting in a reduction in system accessibility for a few days and the suspension of some services.  No ransom payment was made, and no data was released.

Jackson County, GA (here, here, here) – Jackson County paid a $400,000 ransom and received the decryption key from the hackers, resulting in the recovery of the county’s data and systems.  Although there was no guarantee that paying the ransom would be successful, experts recommended making the payment because rebuilding the systems would be costly and could take months.  The county has maintained that the payment was about the same as the cost to rebuild the systems, but faster.  The ransomware locked (“encrypted”) their systems and data, forcing the county to use paper and other manual methods to provide services.  The malware was the Ryuk virus, which has been widely impacting municipal and other organizations.

Imperial County, CA (here) – The Ryuk malware encrypted much of the county’s digital information and demanded a ransom payment.  The cyber attack shut down the county’s online payment system, the clerk-recorder’s office and the Department of Social Services, among others.

Greenville, NC (here, here, here) – A return to paper forms was the short term solution to a ransomware attack on Greenville, NC, which shut down systems for over a week.  The attack infected the city’s computer system, including police and fire systems, financial systems, and email.  In addition to servers, over 800 workstations needed to be checked for infection and 130 different systems needed to be repaired.

Garfield County, UT (here, here) – A ransom payment by Garfield County, UT, was the only option to recover data encrypted by a ransomware attack.  The attack started after someone clicked on a phishing email.

Albany, NY (here, here) – A ransomware attack resulted in the suspension of some city services, although many operations were continuing.  The attack may have been limited to the records and marriage-certificate offices, although there are conflicting reports about the extent of the attack. 

Stuart, FL (here) – The Ryuk malware encrypted data on the city’s servers.  The ransom demand was not paid, and staff has been rebuilding the systems, but services were reduced over a period of days.  A backup system was in place, but it is unclear whether all of the city’s information was backed up.

Cleveland Airport, OH (here, here, here) – A ransomware attack shut down administrative systems at Cleveland Hopkins International Airport, affecting email, payroll, and other information systems. 

Del Rio, TX (here, here, here) – The Texas city resorted to pen and paper when a ransomware attack knocked out the city’s servers.  The malware strain was unusual in its approach, and, reportedly, no ransom was paid.

Atlanta, GA (see here) – The Atlanta ransomware attack in 2018 is an example of how bad and expensive it can get.  Server access was blocked for six days, resulting in significant disruption and a costly fix.  Estimates of the cost of the attack range from $2.6 million to $17 million.

What Can Be Done?

Municipal organizations remain vulnerable because of budget constraints and a lack of IT security investment (see here), but proactive preventative steps can reduce or completely eliminate costs from an attack.  According to one expert (see here), the key steps to prevent losses include:

  • Have a third party conduct a cyber-security assessment
  • Hire an experienced CISO (Chief Information Security Officer)
  • Increase cyber risk training
  • Buy Cyber Risk Insurance

Given the spate of successful attacks on municipalities, underwriters are taking a closer look at the IT protections in place, including training, before offering comprehensive Cyber Risk Insurance to municipalities at current competitive rates.  Policies vary widely, but comprehensive Cyber Risk Insurance policy forms are available that include the coverages necessary to respond to ransomware attacks, such as business interruption.

Tennant Risk Services, a division of Worldwide Facilities, is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty).  Cyber Risk Insurance is our specialty, and we excel at hard-to-place accounts.
