Illustration: Aïda Amer/Axios
At least 21 state and municipal government agencies in the United States this year were locked out of their own records and computer systems until they paid up, according to data disclosed to Axios by security company Emsisoft.
Why it matters: Ransomware attacks are among the most dangerous cybersecurity risks facing businesses and governments, Brett Callow, a threat analyst with Emsisoft, said. The threats cost the U.S. roughly $7.5 billion last year, the company estimates.
- They work like this: The attackers encrypt a target organization's files so it is unable to operate computers, email or websites unless they pay.
- Attackers are upping the danger with a new trend: Stealing their victims' data as leverage for payment, which began at the end of last year, Callow said.
What's happening: Local governments have succumbed to ransomware at a rate of one every other day since the start of 2020, Emsisoft estimates. Those attacks have resulted in interrupted 911 emergency services, closed schools, offline surveillance systems and states unable to issue or renew driver's licenses.
- Yes, but: Callow said "there has been no noticeable increase at the rates at which governments have been hit," and this year's rate seems to be consistent with last year.
- Ransomware attacks historically spike from March to May and then peak through the summer months, he said.
- Emsisoft isn't sure why those spikes happen, but they are "possibly tied to Easter and summer vacation times" when fewer people are handling more emails that could include suspect attachments, Callow said.
Catch up quick: At least 10 police departments were targeted in 2019 and 2020, including the NYPD, reported in November, whose fingerprint database was hit.
- Other targets reported this year include the Contra Costa County Library in California, the Albany County Airport Authority in New York, the New Mexico Public Regulation Commission, the Ernest N. Morial New Orleans Convention Center, the North Miami Beach Police Department, Belvidere City Hall in Illinois and Volusia County libraries in Florida.
- In 2019, courts across Georgia had to reenter civil and criminal records because of an attack. They were among 113 government entities targeted, per Emsisoft.
Between the lines: "Organizations usually don't disclose how frequently they're attacked or what they're attacked by," Callow noted. "We only find out about the ransomware cases because they're very hard to hide, because they are so disruptive."
The bottom line: "It used to be said that backups are the best defense against ransomware," Callow said. "But, that's the not the case anymore. Backups obviously don't help you retrieve stolen data."
Go deeper: Choice to pay ransomware might be simpler than you'd think