Criminals Increasingly Hold Government Computers for Ransom

 


Cybercriminals are preying on government agencies in search of a payoff.

This article was originally published at Stateline, an initiative of The Pew Charitable Trusts, and was written by Jenni Bergal.

In Maine, cybercriminals took over the computer system shared by five police agencies for about two weeks last year until the departments paid the crooks $300. In Los Angeles, a large hospital shelled out $17,000 this year to regain access to its electronic medical records that criminal hackers took hostage. And in eastern Ohio, Columbiana County was forced to pay more than $2,800 in ransom in June after computers in its juvenile court system became infected.

Cyber-age extortionists — who use so-called ransomware software to hijack computer systems and hold them hostage until their victims pay a ransom — increasingly are preying on local governments, hospitals and even police departments, and forcing officials to decide whether to meet the demands or risk losing their data.

“Without that information in our computers, we were stuck,” said Ronald Young, police chief of Damariscotta, Maine, one of the police departments hit in last year’s attack. “We needed to get it back. We use it on a daily basis. It contains information about arrests and warrants and any contact we have with the public.”

Even if officials decide to pay hundreds or thousands of dollars in ransom as the Maine departments did, their computer networks and communications are often crippled for a day or more by the viruses. If officials decide not to pay and restore their systems on their own, it can take days, even weeks, to get back up and running. In the meantime, public services for residents, schoolchildren and even hospital patients may be affected.

In a nation whose policy is not to pay ransom to terrorists, having to pay what often is taxpayers’ money to extortionists who frequently operate out of Eastern Europe or Russia is especially galling to someone like Young.

“It’s a sign of terrorism,” Young said. “I’m a former Marine and we don’t negotiate with terrorists.”

But in the end, he said, paying $300 was the only technologically feasible way the departments could reclaim their data. Paying ransom is a prospect that local and state officials increasingly are confronted with.

City and county governments, along with local school districts, have “seen an exponential rise” in threats in the last 18 months, said Srini Subramanian, a state cybersecurity specialist at the consulting firm Deloitte & Touche LLP.

Local and state governments were struck by as many as 450 infections a month between October and May, said Brian Calkin, a vice president of the Multi-State Information Sharing and Analysis Center (MS-ISAC), a federally funded group that tracks cybersecurity issues for states and local governments.

Since 2005, the FBI’s Internet Crime Complaint Center has received about 9,600 ransomware complaints from individuals, businesses and government agencies. The criminals typically demand between $200 and $10,000, but victims face other costs, such as loss of productivity, legal fees and IT services. Last year, they lost more than $24 million, according to the FBI.

“It’s a very large problem. We continue to see it grow,” Calkin said.

A ‘Very Lucrative’ Crime

About six to 10 variations of ransomware are now being used to attack local and state agencies fairly regularly, Calkin said.

The infectious software typically gets launched when a computer user unknowingly clicks on an email with an attachment or link to a website. Sometimes, a user downloads it by browsing a website and clicking on what appears to be a legitimate link, such as a movie clip.

Once the malware is opened, it gets lodged in the computer system and locks files, encrypting them so data such as Microsoft Word documents or Excel spreadsheets can’t be accessed. It displays a message saying the computer has been infected and gives victims a certain period to pay ransom to unlock it so they can open their files or risk losing the data forever.

The ransom usually is small — in the hundreds or thousands of dollars — to make it easier for victims to comply, and often demanded in the digital currency bitcoin. Once they do comply, scammers send information showing how to unlock the files.

Ransomware perpetrators generally aren’t interested in stealing data and personal information from victims, as are other types of cybercriminals. They see it simply as a means to turn hacking into cash.

“Ransomware is very lucrative,” Calkin said. “If they send a million emails and only 1 percent click on it and they get $500 from each person, that’s not bad for a day’s work.”

The criminals, especially if they operate overseas, can be very difficult to track down, let alone prosecute, said Deloitte’s Subramanian.

Some write the software, others develop and test it, some send out the spam and some handle the ransom payments. Bitcoins are stored electronically and are transferred all over the internet, which makes the payments difficult to trace.

What’s easy to see are the effects the criminals can have.

When Hollywood Presbyterian Medical Center in Los Angeles was struck in February, the malware prevented staffers from communicating by email and using electronic medical records for 10 days. The hospital ended up paying about $17,000 in bitcoin to regain control of its system.

Calling Their Bluff Costs

Some victims call the criminals’ bluff and refuse to pay, usually because they have backup systems that can restore data without major delays and expense. But even that often comes at a cost.

Tom Barwin, city manager of Sarasota, Florida, said his city had no intention of coughing up ransom money when it was struck by hackers in February after a city staffer inadvertently opened a phony email. The cybercriminals asked for a huge amount — half a bitcoin per file, which staffers estimated would have cost about $33 million at that time, as 160,000 files were affected.

The ransomware corrupted the city’s file-sharing and storage network, so staffers had to freeze the system to fix it. Although the data was backed up, it took a day and a half to restore the information, Barwin said. Since then, the city has spent at least $100,000 for additional firewall and virus protection, and improving the speed and capacity of its servers.

Barwin scoffed at the idea of shelling out ransom. “We weren’t going to pay them a dime,” he said. “Our job is to enforce laws. We don’t encourage people to break them.”

Most state governments, whose computers store a lode of personal information on their residents, so far have successfully blocked ransomware attacks with firewalls and updated anti-virus programs, said Doug Robinson, executive director of the National Association of State Chief Information Officers.

But recently, he said, they’re seeing new, more sophisticated varieties that are harder to protect against.

“It has become very serious very quickly,” Robinson said. “In the last few years, it was primarily focused on smaller jurisdictions — local governments, water departments, police agencies. Now, we’re seeing it spread into the states.”

A survey of state information technology security officers released last month found that ransomware was one of the most prevalent cybersecurity threats they expect to face in the coming year.

Some states are taking extra precautions.

In Ohio, State Auditor Dave Yost’s office ran an in-house test in June, sending out a fake email to 100 randomly selected staffers. Twenty percent opened it. His office reported the results in an in-house e-newsletter and warned employees to be careful. Then it sent out a set of fake emails to the entire staff in August. Seven percent opened them. After that, every staffer was required to complete mandatory cybersecurity training.

Even so, Yost cautioned that government officials can’t stop ransomware just by requiring staffers to be vigilant about email. “If something gets through, you’d better have your system locked down so they can’t do the kind of harm they want to do,” he said.

Some lawmakers also are taking notice and are seeking to up the punishment for unleashing ransomware. The California Legislature unanimously passed a bill in August that defined ransomware as a type of extortion, making it a felony punishable by up to four years in prison. Democratic Gov. Jerry Brown signed the measure into law last month.

But Calkin of the MS-ISAC said it’s unlikely such laws are going to have much effect on criminal hackers who operate abroad.

“Realistically, a state bill doesn’t make a lot of sense to me,” he said. “State legislation is not going to stop these people.”

Calkin said his multi-state group works with the FBI to help build ransomware cases. As of now, he knows of no arrests that have been made.
