The U.S. Conference of Mayors has unanimously resolved to no longer accede to any ransom demands from hackers, following a series of cyber shakedowns that have extorted millions from city governments.
Considering that the number of cyber kidnappings targeting cities and municipalities has grown both in frequency and intensity, the resolution, while not legally binding, establishes an official position that U.S. mayors aren’t going to take it anymore. It also sets up opportunities for managed security service providers (MSSPs) to work with local governments to combat and recover from ransomware attacks.
Ransomware Is Extortion
The latest cyber extortion victimized the Syracuse, NY school district and spread to the Onondaga County library computer system. On July 9, county officials confirmed that the school district system was crippled by the Ryuk ransomware, linked to the Grim Spider hackers thought to be based in Eastern Europe. Three days later the same malware idled county library computers, according to local media. The Federal Bureau of Investigation and private contractors (likely MSSPs) are investigating, the report said. The hackers have reportedly demanded an undisclosed ransom. A few days earlier a ransomware attack hit the City Hall computer of Richmond Heights, Ohio. It is scenarios like these that the Mayors said they will no longer roll over and play dead.
“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit,” the resolution reads. “The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm, therefore be it resolved that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”
Some 1,400 mayors of cities whose populations exceed 30,000 make up the Conference, which recently held its 87th annual meeting in Honolulu, Hawaii. The organization said that "at least 170 county, city, or state government systems have experienced a ransomware attack since 2013," and "22 of those attacks have occurred in 2019 alone," pointing specifically to the cities of Baltimore and Albany, NY and the counties of Fisher, Texas and Genesee, Michigan.
The resolution was put forward by Bernard Young, the mayor of Baltimore (via ZDNet), which was leveled by a ransomware attack two months ago that crippled its computer network. Baltimore declined to pay the ransom, instead electing to rebuild its network infrastructure. Ultimately, those costs spiraled to some $18 million. The city of Atlanta also declined to pay hackers a ransom, instead digging deep into its pockets for upwards of $3 million to restore its systems after an attack last March.
Which Cities Made Ransomware Payments?
Other cities, however, have agreed to ransom demands to retrieve their files and documents. Last month, officials in Lake City, Florida, voted to pay hackers $460,000 to recover data from a ransomware attack. A week earlier cyber kidnappers successfully extracted some $600,000 from the city of Riviera Beach, Florida to unlock its computer systems and restore essential data. A few months before that, Jackson County, Georgia officials paid cybercriminals $400,000 after a cyber attack shut down the county’s computer systems.
The mayors' ransomware resolution was one of 30 mostly socio-political issues the association undertook. Technology-specific resolutions included support for the State Cyber Resiliency Act, which would provide grants to state and local governments to underwrite cyber resiliency plans, and data protection at the network’s edge.
MSPs Also Suffer Ransomware Attacks
MSPs have also suffered ransomware attacks in recent months. The fallout has included:
- An MSP paying hackers $150,000 to unlock data;
- hackers specifically targeting MSP software platforms to launch ransomware attacks; and
- Ryuk ransomware hitting a CSP that works closely with MSPs.
Hackers worldwide have been hitting MSPs of all sizes — not just global technology service providers. The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.
Amid those challenges, the MSP industry (spanning technology companies, service providers and more) could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, cyberattacks and associated fallout, ChannelE2E and MSSP Alert believe.
Additional insights from Joe Panettieri.