Ransomware gangs zero in on under-resourced U.S. cities and towns

A recent resurgence in ransomware attacks targeting local governments is spurring local IT leaders into action to lock down their systems.

Driving the news: Leaders in Dallas are preparing to spend months recovering from a recent attack that hindered the city's 911 emergency services, court systems and more.

• Oakland, California, continues to struggle with the long tail of a ransomware attack that started in February.
• Over the weekend, a ransomware gang published sensitive data stolen from the city of Lowell, Massachusetts, during a recent breach.

What they're saying: "Cities are seeing either themselves or a close neighbor — or they're seeing big cities in their states — all get hit with this stuff, so everybody is on high alert at this point," Mark Manglicmot, senior vice president of security services at Arctic Wolf, told Axios.

• "We're talking to more of these city IT and security leaders, and I can tell they're scared," he said.

The big picture: After a reported dip in ransomware costs last year, experts say that ransomware attacks against governments are back up to previous levels — and could even be worse.

• Ransomware gangs spent the last year writing new malware to infect companies and evade detections, Manglicmot said.
• Malicious attackers have also recognized that local governments have a trove of sensitive data about their residents, Rita Reynolds, chief information officer at the National Association of Counties, told Axios.
• Nearly seven in 10 IT leaders at local and state governments said in a Sophos report last week that they faced ransomware in the last year. Most of those attacks started either through unpatched systems or stolen passwords.

Flashback: Cities and towns have been facing an uptick in ransomware — where hackers encrypt an organization's networks until a ransom is paid — since at least 2019.

• One of the most notable such cases was in Baltimore when ransomware prevented residents from paying their water bills or parking tickets for at least two weeks.

Between the lines: Local government IT officials face a unique set of challenges to fend off fast-moving ransomware gangs.

• Local governments are amorphous: They include not only the networks within city halls, but also public libraries, the police department and other public offices.
• Providing IT departments with more funds is a yearslong process that requires buy-in from local politicians or federal grant programs.

• Most local governments have small IT teams that dual-hat as cybersecurity teams — meaning they not only provide tech support to employees and residents, but they also need to monitor possible threats and find time to patch systems.

The intrigue: Governments are increasingly turning to third-party service providers and cloud products to fill the gaps in their security stacks, Reynolds told Axios.

• Doing this helps modernize government services and augment the workload for threat monitoring.
• However, if these tools aren't configured properly or aren't patched when new vulnerabilities are discovered, they can provide new entry points for ransomware criminals, Reynolds said.

Yes, but: It's challenging to put a precise number on how many ransomware attacks there have been so far in 2023, since there's no standardized requirement to report such incidents.

• "It's a hard thing to track for a couple of reasons and that is the willingness for the folks I work with in county governments to say out loud, 'Here's what's happening,' because it draws attention," Reynolds said.
• Not all experts even agree that there's been an increase in attacks: Allan Liska, a ransomware analyst at Recorded Future, recently estimated that attacks on state, local, tribal and national governments have been on the decline since 2021.

Sign up for Axios’ cybersecurity newsletter Codebook here