Last spring, a ransomware attack hit the small city of Lodi in California’s Central Valley.
Hackers used malicious software to target Lodi’s phones and financial services, crippling the city’s ability to access swaths of its data, according to the city’s manager, Steve Schwabauer.
“All of our financial services, data, money that people owed us for utilities, and money we owed our vendors for construction contracts and service contracts, everything was locked up,” he says.
Ransomware attacks, often launched from outside the U.S., have become an increasingly pressing threat to cities and towns across the country, with high profile cases in major urban centers such as Atlanta and Baltimore.
But the majority of attacks this year have hit smaller cities, and nearly half targeted cities with populations under 50,000, according to IT security firm Barracuda. In Texas, hackers successfully launched ransomware attacks on 22 cities and towns, many of which were small and rural.
A few months after Lodi was attacked, the story played out again on the other side of the country. A similar attack hit the 12,000-person municipality of Lake City, Florida. City manager Joe Helfenberger says business "came to a screeching halt.”
In both Lodi and Lake City, hackers demanded close to half a million dollars to restore the systems, prompting leaders of both cities to ask themselves the same question: To pay or not to pay?
In Atlanta and Baltimore, city officials chose not to pay the hackers and instead spent millions trying to recover their data, an approach that many cybersecurity experts recommend. They say paying the ransom can incentivize hackers to launch attacks on other cities, as well as repeated offensives against the city that forked up the cash.
But for other municipalities, particularly cities with smaller budgets to draw from, the choice isn’t always cut and dry.
When Lake City’s hackers demanded about $460,000 in Bitcoin, the Florida city decided to pay. Helfenberger says city leaders had exhausted every other option.
“I really had no other choice,” Helfenberger says. While public safety systems remained intact, “you're talking about utility maps and [Geographic Information Systems] data. Records for minutes, and all the resolutions or ordinances. Everything since the beginning of the city.”
Insurance covered much of the ransom payment, leaving Lake City on the hook for only the $10,000 deductible.
Helfenberger says he understood that there was no guarantee the hackers would return control, and he was conscious of the increased risk to other cities. But the city estimated that recovering the data would have been an expensive, slow process, if it were even possible.
“We were told by the vendors that with this type of attack, nobody had ever successfully decoded this military-level encryption,” he says. “It’s not our money to spend. It's the taxpayer’s money.”
In California, when attackers demanded about $400,000 from Lodi, the city’s administration made a different decision. They didn’t pay.
“It really comes down to the simple fact that it was possible for us to reconstruct our data,” Schwabauer says, pointing out that the city’s backup data wasn’t compromised.
“In addition, we had several third party vendors … who were able to set up offsite sites for us and allow us to operate from the cloud while we put together our onsite systems,” he adds.
Does that success mean Lodi was prepared for this kind of attack?
“Perfectly, no,” Schwabauer says. But, “better than some, perhaps.”
Without knowing the exact circumstances that Lake City faced, though, he says he can’t fault that city for paying the ransom.
“We would have had a much harder decision to make if our backup data had been compromised,” he says.
And he understands the bill that comes with this type of attack.
Lake City and Lodi may have less data to secure than larger cities. But they also have annual revenues under $20 million, a fraction of the $2 to $3 billion that Baltimore and Atlanta each allocate yearly. Baltimore officials estimate the city has spent $18 million on recovery efforts, more than Lake City’s entire annual budget.
Lodi is now spending about $500,000 improving its technical infrastructure, Schwabauer says. IT improvements after the attack in Lake City, including backup storage and multifaceted authentication, have cost that municipality about $330,000 so far, according to Helfenberger.
“Most cities in this country are facing that same challenge and they're having to decide, ‘OK, now we realize how serious this threat is, and we've got to start having a more robust IT infrastructure to prevent this from happening,’” Schwabauer says. “And even that is ultimately no guarantee.”
Francesca Paris produced and edited this interview for broadcast with Tinku Ray.
This segment aired on August 29, 2019.