Atlanta’s Ransomware Attack Evidence of Threat to State and Local Governments

On Thursday, March 22, 2018, Atlanta’s municipal computer systems fell victim to a ransomware attack. As a result, the city began executing a large proportion of its business on paper, or not at all, and postponing court dates. With customer and employee data potentially compromised, the municipal government encouraged anyone who had ever done business with the city to take precautions such as checking their bank accounts and credit reports. The ransom was approximately $51,000.

Ransomware is a form of malware that blocks normal access or encrypts a computer system’s data and holds it for ransom. Ransomware normally enters a computer system through infected links sent via phishing emails or when computer users visit unsecure websites.

Ransomware attacks have grown in both frequency and cost in recent years, one example being the May 2017 WannaCry attack that affected the United Kingdom’s National Health Service along with thousands of other organizations and businesses worldwide. The attack exploited a vulnerability in a file-sharing mechanism used by Microsoft.

According to the United States Department of Justice website, ransomware is the fastest growing malware threat with more than 4,000 ransomware attacks occurring daily since Jan. 1, 2016—a 300 percent increase from 2015.

In the first three months of 2016, ransomware attacks cost victims $209 million.

Because of the increase in attacks and costs, public pressure has been mounting for greater protection of personal data. In response, private organizations and businesses have been increasing their expenditures on security and prevention measures, oftentimes spending significantly more than the public sector can.

State and local governments face increasingly tighter budgets, and upgrading security and operating systems and buying enough space to back-up crucial data to protect against ransomware attacks can be costly. There are cheaper precautions that can be taken such as educating personnel to be suspicious of unexpected emails or emails from unknown senders. Unfortunately, such safeguards have limited effectiveness, and many workplaces already have those policies in place.

The Atlanta ransomware attack shows that state and local governments need to be aware of their potential vulnerabilities and consider spending more to secure their computer systems and data.

CGS’s 2017 Cybersecurity and Privacy Policy Academy was held in San Francisco, California last November. State policymakers from across the nation attended sessions about public and private sector practices, elections security, and data privacy among other things. The presentations from the academy can be found on CSG’s Knowledge Center.