Municipalities Face a Constant Battle as Ransomware Snowballs

As record-breaking volumes of ransomware hit cities, towns, and counties this year, municipalities remain easy targets that pay, and there's no end of the attacks in sight.

Code on a screen with the word "Ransomware" in red
Source: Jne Valokuvaus via Shutterstock

Municipalities in the United States, and globally, are experiencing a fresh wave of ransomware attacks, with even big cities like Dallas falling to the gangs' activities. As this string of cyberattacks continues, it highlights how a historically unprepared sector remains in desperate need of implementing viable cybersecurity defenses and solutions.

In a prime example of the trend, on Nov. 7, the Play ransomware gang posted information it claimed to have stolen from Dallas County in an alleged ransomware attack, with threats of posting more if the group does not get its desired payment. On the same day, the county provided a cybersecurity update, citing an ongoing investigation and collaboration with law enforcement.

"Dallas County is aware of an unauthorized party posting data claimed to be taken from our systems in connection with our recent cybersecurity incident," according to the update. "We are currently in the process of thoroughly reviewing the data in question to determine its authenticity and potential impact."

A Recent History of the Ransomware Attacks

Unfortunately, the incident wasn't a one-off — far from it. The potential breach comes just months after the city of Dallas was hit with a different cyberattack that affected public services such as 311 calls, libraries, animal shelters, safety departments, and online payment systems. This instance was not the first time that the perpetrator, the Royal ransomware group, had attacked the city, either. 

In another example of the struggle between ransomware groups and municipalities, Rock County, Wisc., experienced a cyberattack Sept. 29 against its Public Health Department, compromising its computer systems. The Cuba ransomware gang claimed responsibility for that attack, and announced that the stolen data included financial documents and tax information. 

The trend is not just a US issue: On Oct. 30, 70 municipalities in Germany were affected by a ransomware incident after a service provider had to restrict access to prevent the spread of malware. And prior to that, schools in Hungary and Slovakia were victims of attacks by ESXiArgs ransomware. The Florida Supreme Court, Georgia Institute of Technology, and Rice University were also hit.

"There is an uptick in ransomware attacks across almost all industries and organization types in the past 12 months," says Erich Kron, security awareness advocate at KnowBe4, "with record-breaking amounts of ransomware attacks, financial impact from ransomware, and a variety of ransomware-enabling tools and ransomware-as-a-service (RaaS) providers on the market."  

This assessment is shown by the data: According to a Sophos study on ransomware attacks, "the rate of ransomware attacks in state and local government has increased from 58% to 69% year-over-year, contrary to the global cross-sector trend, which has remained constant at 66% in our 2023 and 2022 surveys."

However, as the threat of ransomware attacks against municipalities remains high, the security protections for these targets have remained limited.

Municipalities Make for the Perfect Victim

While threat actor tactics and tools evolve and the volume of their attacks increases, the data shows that municipalities are falling behind and failing to rise to the occasion when it comes to protecting themselves. According to the Sophos study, there are a variety of reasons for that.

For instance, municipalities are notoriously understaffed, underfunded, and possess little training when it comes to cybersecurity preparation and mitigation. When ransomware groups seek out their targets, they know that municipalities will be unprepared to handle their attacks, which will either lead to success and potential notoriety or, even better, an easy ransom payment. 

Sophos reported that more than a quarter of state and local government organizations (28%) in its survey admitted to making a payment of at least $1 million or more when it came to ransoms, a massive increase compared with the 5% that made that large of a payment in the 2022 data. Of the organizations whose data was encrypted in an attack, 99% got their information back, with 34% reporting that they paid a ransom and 75% relying on backups.

Nick Tausek, lead security automation architect at Swimlane, notes that the local public sector historically has a worse security posture than the federal government or large corporations. He adds that the public sector also has "organizational lack of appetite to endure prolonged outage due to public services, and a lack of automation."

Furthermore, along with tight funding and limited security programs and staffing, "these commonalities are present in most municipalities at a greater proportion than the private/federal ecosystem, and combine to make recovery difficult, and the temptation to pay the ransom to restore functionality more alluring to the victims," Tausek continues. 

While ransomware groups celebrate their easy wins, municipalities struggle to bounce back. When Dallas was hit by the ransomware attack that took down its systems, the city was still trying to make progress in becoming fully operational even a month later. The only good news is that the city worked with cybersecurity experts to try to enhance its security posture and take additional steps after the attack occurred. But these attacks leave lasting effects that can take extended periods of time to recover from, making municipalities all the more vulnerable in the meantime.

The Future of Cyber Safety for Municipalities

Like Dallas, municipalities will have to start being actively involved in implementing cybersecurity practices and procedures, according to Daniel Basile, chief information security officer at Texas A&M System's Shared Service Center.

"In a lot of the cities, unfortunately, there's a one- or two-person IT shop that's handling the entire county or small city," he says. However, there might be additional resources to tap. In Texas, for example, Basile notes that procedures have been established so that the Texas Department of Emergency Management can assist in emergency situations. 

"We have deployable asset teams across the state of Texas, and special-interest response teams that can go out and help get things running again," he explains. "They're obviously not going to bring you whole, but they're going to make it so that you can do business again for public sector organizations."

Though lack of staffing is an issue that needs to be addressed, Swimlane's Tausek believes that adding new members to cybersecurity teams won't necessarily rapidly resolve the difficulty in responding to constant ransomware attacks.

"Simply adding people to the security team is not cost-effective, is not scalable, is difficult in practice, and is not enough to respond at the modern scale of threats," he says. "A two-pronged approach of investing in both automation technology and skilled cybersecurity professionals is the strongest approach to maintain a healthy security posture."

Ultimately, he says that prevention, while obvious, will always be key. 

"End-user training, vulnerability management, patch management, regular backups, disaster-recovery drills, and system/network hardening are still the best lines of defense against ransomware," he notes. By incorporating these into automation software, it will reduce human error and allow for a quicker response time when threats arise. 

Municipalities will need to prioritize their limited defensive budgets strategically, which means "an in-depth analysis of where your threats are," according to KnowBe4's Krohn, so that these groups can mitigate these issues on a scale of what is most pressing and needs attention. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights