Defending City Governments Against Ransomware

Ransomware is a cybersecurity threat that continues to become more common and increasingly sophisticated. All industries are vulnerable to attacks, including governments. Ransomware attacks on cities and municipalities continue to happen frequently. The consequences of these attacks can often include the closure of city buildings, interrupted services, disruptions for law enforcement and courts, and IT systems going offline.

Ransomware attacks can also result in stolen personal data, leaving the impacted city or county vulnerable to lawsuits.

Here are some ransomware attacks that targeted cities and counties. In this article, we will also provide actions for defending city governments against ransomware.

Fulton County, GA

In January 2024, Fulton County, Georgia, the largest county in the state, was the victim of a LockBit ransomware attack. Disruptions from the attack included clerks being unable to issue vehicle registrations and marriage licenses, office phone lines being shut down, residents being unable to pay utility bills online, and the sheriff’s office having to use paper forms. It took Fulton County months to fully recover from the attack.

LockBit also claimed to have stolen sensitive data. The group said they would leak the data on the dark web if the county didn’t pay a ransom. Fulton County refused to pay.

Dallas, TX

In 2023, the ransomware group Royal hit the city of Dallas. The attack took down many city services including police surveillance cameras, public safety file sharing, the building permitting system, fire station alert systems, police and fire mobile data computers, and the court-ordered warrant management system.

More than 200,000 people had their information compromised in the attack. The city council agreed to pay $8.5 million for expenses stemming from the attack. It’s unclear if a ransom was included in that cost.

Oakland, CA

In February 2023, Oakland was the victim of a ransomware attack. After the attack, which shut down services like Oak311 phone lines, the city declared a local state of emergency. People impacted by the data breach filed several lawsuits, including one class action, against the city.

Columbus, OH

City officials in Columbus, Ohio warned crime victims and witnesses of potential threats after a ransomware group published their information on the dark web. The data was stolen from the local prosecutor’s office during an attack in July 2024. More than three terabytes of data were stolen in total and dumped on the dark web after the city did not pay the ransom.

The attack also knocked several IT services offline and impacted 911 and 311 operations.

Cleveland, OH

In June 2024, ransomware forced the city of Cleveland to close its city hall for several days. The city was able to keep essential services running. People needing documents like birth certificates were directed to go online or visit neighboring city halls.

Flint, MI

Smaller cities and towns are not immune. Flint, Michigan was targeted in August 2024. The attack disabled the city’s ability to take credit card payments. It impacted other services including the employee phone network and the city’s mapping services.

Ransomware Defense

Here are some actions municipalities can take to help prevent a ransomware attack and respond more effectively if one does occur.

Penetration Testing

Penetration testing is a key element of a reliable cybersecurity program. It is an effective way to test your existing security measures and discover potential weaknesses that could be exploited. The information gathered during the pen test will help identify which points of entry are the most vulnerable to hackers. With that knowledge in hand, you can take steps to harden those areas and make your networks more resilient to ransomware or any other form of cyber-attack.

MFA and Strong Passwords

Implementing multi-factor authentication for city-owned devices is a simple way to add another barrier bad actors will have to break through to access the network.

Require employees to have strong passwords. A good requirement is a minimum of 12 characters that includes letters, numbers, and symbols.

Protected Data Backups

If a ransomware attack cuts off access to your data, having protected backups is critical for operational continuity. Keep a protected backup of your data in a separate location. Cloud storage and external hard drives are popular options. Ensure that your backups are encrypted at rest, and regularly test your backup methods to confirm the data remains accessible. Be sure your data backups are updated frequently and meet the organization’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO) should data recovery become necessary.
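One way to automate the backup checks described above, as an added example that is not part of the original article: it audits a backup inventory against an RPO, an RTO, encryption at rest, a separate-location copy, and a recent restore test. The thresholds, field names, and system names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values; take the real ones from your continuity plan.
RPO = timedelta(hours=24)                  # maximum tolerable data loss
RTO = timedelta(hours=8)                   # maximum tolerable restore time
RESTORE_TEST_MAX_AGE = timedelta(days=90)  # how often a restore must be proven

@dataclass
class Backup:
    system: str
    completed_at: datetime                 # when the last good backup finished
    encrypted_at_rest: bool
    offsite: bool                          # copy kept apart from production
    last_restore_test: Optional[datetime]
    restore_duration: Optional[timedelta]  # measured during that test

def audit(b: Backup, now: datetime) -> list:
    """Return the policy findings for one backup record (empty list = OK)."""
    findings = []
    if now - b.completed_at > RPO:
        findings.append("RPO exceeded")
    if not b.encrypted_at_rest:
        findings.append("not encrypted at rest")
    if not b.offsite:
        findings.append("no separate-location copy")
    if b.last_restore_test is None or now - b.last_restore_test > RESTORE_TEST_MAX_AGE:
        findings.append("restore test missing or stale")
    elif b.restore_duration is None or b.restore_duration > RTO:
        findings.append("measured restore time exceeds RTO")
    return findings

def audit_inventory(inventory, now):
    return {b.system: audit(b, now) for b in inventory}

# Constructed sample inventory (not real systems or data).
NOW = datetime(2024, 9, 1, 12, 0)
H, D = timedelta(hours=1), timedelta(days=1)
INVENTORY = [
    Backup("permitting-db", NOW - 6 * H, True, True, NOW - 30 * D, 3 * H),
    Backup("utility-billing", NOW - 50 * H, True, False, NOW - 20 * D, 12 * H),
    Backup("court-records", NOW - 2 * H, False, True, None, None),
]

if __name__ == "__main__":
    for system, findings in audit_inventory(INVENTORY, NOW).items():
        print(f"{system}: {'; '.join(findings) or 'OK'}")
```

A backup that has never been restored in a test is reported as a finding even when it is fresh, since its recovery time is unknown.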

Employee Training

Human error is the biggest cybersecurity vulnerability facing any business or organization. A robust security training program is a necessity to reduce the risks of stolen credentials, social engineering, phishing, and other attack methods.

Train staff on how to spot a phishing email (suspicious links and email addresses, urgent action requests, etc.) and conduct phishing campaigns to test the training’s effectiveness. Tell staff to report suspicious emails to your security or IT departments, not just delete them.

Antivirus and Antimalware Software

Invest in antivirus and antimalware software that can help identify and protect against threats. Be sure to install updates and patches as they become available.

Utilize Outside Expertise

The resources and personnel a city can devote to cybersecurity likely depend on the city’s size and budget. Cities and towns without internal cybersecurity staff need to consider bringing in outside help. This allows municipalities to leverage the expertise and experience of a cybersecurity professional on a tailored plan that accounts for priority tasks and budget constraints.

Cities with cybersecurity staff can still benefit from an outside perspective. Having a professional assess your security program with a fresh set of eyes can reveal unaccounted-for security gaps and identify additional policies and procedures that would be beneficial.

CompliancePoint has a team of experienced cybersecurity professionals and a full suite of services including risk assessments, penetration testing, a Virtual CISO program, and more. To learn more about how we can help solve your cybersecurity challenges, contact us at connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.