Cyberattacks that recently crippled nearly two dozen Texas cities have put other local governments on guard, offering the latest evidence that hackers can halt routine operations by locking up computers and public records and demanding steep ransoms.
Government agencies that fail to keep reliable backups of their data could be forced to choose between paying ransoms or spending even more to rebuild lost systems. Officials are increasingly turning to cybersecurity insurance to help curb the growing threat.
“I think we’re entering an epidemic stage,” said Alan Shark, executive director of the Public Technology Institute, which provides training and other support for local government technology employees. “The bad actors have been emboldened.”
The attacks, which have been happening for years, can set governments back decades. Libraries can’t use electronic checkout systems. Police can’t access electronic records, and utility bills must be paid with paper checks rather than online.
Protection is expensive, particularly for smaller cities whose employees may not be trained on the latest ransomware, which often spreads through emails containing malicious links or attachments. Hackers can also entice users to visit a compromised website and then encrypt files stored on a computer or network until a payment is made.
In Keene, a community of about 6,000 people about 45 miles (72 kilometers) southwest of Dallas, problems began Friday when computers used by its roughly 50 employees locked up and prevented any credit card payments, officials said.
Three other cities identified themselves as victims. A spokeswoman for the city of Borger declined to comment on security efforts or costs, and messages for officials in Wilmer and Kaufman were not returned.
The Department of Homeland Security and the FBI are working with the affected cities but declined to release the names of all 22 governments or provide any detail about how the hackers gained access to their systems.
After a 2018 malware attack, Savannah officials canceled traffic court for weeks. Everything from 311 call center requests to city permits and licenses were halted or delayed. Information Technology Director Mark Revenew remained reluctant to discuss details more than a year later, including how investigators believe the city’s systems were compromised.
“These guys are like bank robbers,” Revenew said. “They look at what attacks work and then they replicate it.”
Baltimore officials refused a demand for about $76,000 in bitcoin to restore access to the city’s network. Federal prosecutors last year indicted two Iranian men for ransomware attacks on more than 200 victims, including Atlanta and Newark. The attacks netted more than $6 million and cost the affected governments and companies more than $30 million.
According to the FBI, more than 1,400 ransomware attacks were reported last year, and victims reported paying $3.6 million to hackers.
The FBI does not say how many of those reports came from state or local governments, but other research suggests they are a growing target for hackers. Intelligence analyst Allan Liska recorded 62 ransomware attacks yet this year on government entities, already exceeding last year’s total of 54 based on local media reports.
Liska said his review has found government entities are less likely to pay a ransom than private companies or individuals. Attacks on government generate more attention, though, and hackers seem to be seeking infamy along with a payout.
Governments are among a growing number of clients shopping for cybersecurity insurance. Some customers get the coverage as part of a larger package while others buy a stand-alone cyber policy. Insurers reported taking in more than $2 billion in premiums for cyber coverage last year, according to the insurance brokerage firm Aon’s June report .
In June, several Florida cities decided to pay hackers hundreds of thousands of dollars for a key to decrypt captive data, but officials told residents that they were only on the hook for a deductible. Most of the cost was to be covered by insurers.
The FBI and most professional cybersecurity associations oppose such payouts because they help attackers continue to target other victims. But some officials desperate to get their systems back see it as a better option than paying millions to recreate thousands of lost government records.
Shark said he’s heard of governments paying as much as $20,000 for cyber insurance but considers that an investment against a system rebuild that could cost millions.
Cybersecurity experts caution that the policies are no replacement for basic cyber “hygiene,” including backing up systems and data, training employees on the risks of clicking unknown links and regularly installing updates to hardware and software.
Insurers typically require cyber clients to complete those steps before issuing a policy and failing to do so risks a denied claim after an attack, said Dan Lohrmann of Security Mentor Inc., a training company.
“Elected officials are getting the message that this is not just a technology issue or a security issue but a government competence issue,” he said.
In the northern suburbs of Chicago, seven communities banded together in 2014 to share the cost of contracting with a cybersecurity firm for added technical support and training. Amy Ahner, the director of administrative services for one of the members, said she advocated for the village of Glenview’s purchase of cyber insurance. She saw it as secondary to security efforts.
“I have insurance on my car,” she said. “But what matters most is how I drive it every day.”