US cities plagued by ransomware are finding that the fallout continues long after the initial attack. Last month, Tulsa became the latest US city to suffer a ransomware attack. Six weeks later, it is still dealing with the fallout.
It emerged last week that the hacker group behind the May 2021 attack has since shared more than 18,000 files via the Dark Web. Most of them are internal department files and police citations, some of which contain personally identifiable information such as name, birth date, address, and driver’s license number.
Officials have warned anyone who has filed a police report, received a police citation, made a payment to the city of Tulsa, or shared identifiable information with the city online, in person, or on paper before May 2021 to take precautions. These include checking their financial accounts and changing their passwords.
Tulsa said it would not pay any ransom and insisted it would not negotiate with the hackers.
The ransomware threat against cities grows
Research by Comparitech found that in 2020, 79 individual ransomware attacks were carried out against US government organizations, potentially impacting 71 million people and costing an estimated $18.9bn in downtime and recovery costs.
Several ransoms were paid. In January 2020, Tillamook County in Oregon agreed to pay $300,000 following a REvil attack. It was estimated that the recovery costs could amount to $1 or $2m if it wasn’t paid.
In February 2020, San Miguel County in New Mexico paid $250,000 in Bitcoin to recover data stolen in an attack. In May 2020, the Florida Keys Mosquito Control District paid a $291,000 ransom over a Dopplemayer attack. Despite hiring a security firm, the city found it had no option but to pay the ransom to protect residents’ personal information. In November 2020, Delaware County in Pennsylvania agreed to pay $500,000 in ransom to have gigabytes of data released back to it.
Refusing to pay can be even more financially crippling. An attack on Baltimore in 2019 cost the city around $18m. That wasn’t the ransom cost because Baltimore refused to pay. It was the cost of remediation, new hardware, and lost or deferred revenue.
In March 2018, Atlanta was also attacked in a breach that affected up to six million people. Although initially, Atlanta said there was little evidence that personal data had been compromised, the breach turned out to be worse than originally thought. Three months after the attack, around a third of the software programs used by the city remained offline or partially disabled.
Cybersecurity spend needs to increase
The reality is that state and local agencies are not allocating proper resources to the ransomware threat. Many cities do not spend enough on cybersecurity. According to Deloitte’s 2021 NASCIO Cybersecurity Study, which surveys chief information officers (CIOs) from all 50 US states, 44% of states spend less than 5% of their IT budget on cybersecurity.
With ransomware attacks increasing, cities must create tried and tested action plans to shore up their defenses. These include monitoring network vulnerabilities and incorporating off-site backups to ensure they can effectively recover from a ransomware attack.
Tulsa is the latest US city impacted by ransomware. It won’t be the last.