Axios Codebook

A recent resurgence in ransomware attacks targeting local governments is spurring local IT leaders into action to lock down their systems.

Driving the news: Leaders in Dallas are preparing to spend months recovering from a recent attack that hindered the city's 911 emergency services, court systems and more.

• Oakland, California, continues to struggle with the long tail of a ransomware attack that started in February.
• Over the weekend, a ransomware gang published sensitive data stolen from the city of Lowell, Massachusetts, during a recent breach.

What they're saying: "Cities are seeing either themselves or a close neighbor — or they're seeing big cities in their states — all get hit with this stuff, so everybody is on high alert at this point," Mark Manglicmot, senior vice president of security services at Arctic Wolf, told Axios.

• "We're talking to more of these city IT and security leaders, and I can tell they're scared," he said.

The big picture: After a reported dip in ransomware costs last year, experts say that ransomware attacks against governments are back up to previous levels — and could even be worse.

• Ransomware gangs spent the last year writing new malware to infect companies and evade detections, Manglicmot said.
• Malicious attackers have also recognized that local governments have a trove of sensitive data about their residents, Rita Reynolds, chief information officer at the National Association of Counties, told Axios.
• Nearly seven in 10 IT leaders at local and state governments said in a Sophos report last week that they faced ransomware in the last year. Most of those attacks started either through unpatched systems or stolen passwords.

Flashback: Cities and towns have been facing an uptick in ransomware — where hackers encrypt an organization's networks until a ransom is paid — since at least 2019.

• One of the most notable such cases was in Baltimore when ransomware prevented residents from paying their water bills or parking tickets for at least two weeks.

Between the lines: Local government IT officials face a unique set of challenges to fend off fast-moving ransomware gangs.

• Local governments are amorphous: They include not only the networks within city halls, but also public libraries, the police department and other public offices.
• Providing IT departments with more funds is a yearslong process that requires buy-in from local politicians or federal grant programs.
• Most local governments have small IT teams that dual-hat as cybersecurity teams — meaning they not only provide tech support to employees and residents, but they also need to monitor possible threats and find time to patch systems.

The intrigue: Governments are increasingly turning to third-party service providers and cloud products to fill the gaps in their security stacks, Reynolds told Axios.

• Doing this helps modernize government services and augment the workload for threat monitoring.
• However, if these tools aren't configured properly or aren't patched when new vulnerabilities are discovered, they can provide new entry points for ransomware criminals, Reynolds said.

Yes, but: It's challenging to put a precise number on how many ransomware attacks there have been so far in 2023, since there's no standardized requirement to report such incidents.

• "It's a hard thing to track for a couple of reasons and that is the willingness for the folks I work with in county governments to say out loud, 'Here's what's happening,' because it draws attention," Reynolds said.
• Not all experts even agree that there's been an increase in attacks: Allan Liska, a ransomware analyst at Recorded Future, recently estimated that attacks on state, local, tribal and national governments have been on the decline since 2021.

The Philadelphia Inquirer is actively responding to a cyberattack that affected print production, the media outlet confirmed to Axios.

What's happening: On Thursday, the daily newspaper discovered "anomalous activity on select computer systems," Inquirer publisher and CEO Lisa Hughes said in a statement Monday.

• The targeted systems were immediately taken offline, and the Inquirer was unable to print its regular Sunday edition, the outlet reported over the weekend.
• The Inquirer is now working with Kroll, a third-party cyber investigations firm, according to the statement. The FBI has also said it is aware of the incident.

What they're saying: "The security of our network and systems is a top priority," Hughes said in the statement.

• "Based on the results of our investigation, we will take action as needed to help prevent a similar situation from occurring in the future."

Why it matters: Media organizations have long been a target for malicious hackers and ransomware gangs — and that threat could heat up as the 2024 U.S. election cycle ramps up.

• The Guardian faced a ransomware attack in December that affected parts of its technology infrastructure but didn't disrupt print or online production.

Between the lines: The cyberattack comes as Philadelphia residents cast their ballots today in the Democratic primary in the mayoral race.

• Inquirer employees aren't allowed in the office through at least Tuesday as investigators respond to the incident, meaning reporters and editors will have to find alternative means to work together in person to cover the election.

The intrigue: While the Inquirer hasn't said what kind of cyberattack it's facing, experts have noted that the details and response plan mirror those of other organizations that have responded to ransomware attacks.

Despite the economic headwinds, at least one major cybersecurity startup is still preparing to go public.

Driving the news: Huntress, a popular endpoint security provider among small to medium-sized businesses, has raised a $60 million funding round led by Sapphire Ventures, the company announced today.

• Existing investors Forgepoint Capital and JMI Equity also participated in the new Series C round.
• Casber Wang, a partner at Sapphire Ventures, will join Huntress' board of directors.

The big picture: Huntress started with a focus on targeting customers who have 1,000 or fewer employees, but in recent years, the startup has been eyeing companies with double the headcount and adding to its product offerings to meet changing demands.

• Huntress has more than 3,600 customers, including medical companies, IT providers and metal distributors.

Between the lines: The new funds will be used to further expand Huntress internationally and build new products for securing organizations' credentials and logins, Huntress CEO Kyle Hanslovan told Axios.

• The company also raised a $40 million debt round in September to fund acquisitions and those new product buildouts, and it acquired security awareness startup Curricula in July.

The intrigue: Hanslovan said he's eyeing the summer of 2025 for a possible IPO, noting that while the company could be ready sooner, the macro environment might not be stable enough before then.

• "I've just seen way too many of these consolidation plays — they strip out the good support, the product gets stagnant, and it just becomes essentially a cash cow for private equity," Hanslovan said.
• "That was always the North Star: We should be independent if we want to be Huntress," he added.

Yes, but: Only one cybersecurity company went public in 2022, and this year isn't looking to be too much better considering inflation and fears of a debt-ceiling crisis.

• Instead, many cyber startups have been laying off staff, eyeing an acquisition or turning to private equity.
• "Cyber is probably the hardest sector to invest in for a growth investor," Sapphire Ventures' Wang told Axios. "There's not a lot of middle-of-the-road outcomes."

@ D.C.

📸 The Transportation Security Administration is testing out facial recognition use in airport security lines. (Associated Press)

🔍 The Department of Veterans Affairs might pursue a five-year cybersecurity contract for vulnerability scanning, cyber threat intelligence services, malware analytics and more. (FCW)

@ Industry

☁️ Twitter's former CISO is now at cloud security company Lacework. (Wall Street Journal)

🔐 Microsoft appears to be scanning password-protected, cloud-based files for malware, according to user reports on Mastodon. (Ars Technica)

🇨🇳 A former ByteDance executive claims in a lawsuit that the Chinese Communist Party maintained access to ByteDance data stored in the U.S. (Axios)

@ Hackers and hacks

🚗 Data belonging to 237,000 current and former federal government employees has been exposed in a breach at the U.S. Department of Transportation. (Reuters)

💊 A ransomware gang stole more than 5.8 million patients' sensitive data from pharmacy services provider PharMerica. (BleepingComputer)

👀 Researchers at BlackBerry say the Cuba ransomware gang is actually a team of Russian government hackers tasked with targeting Ukraine. (TechCrunch)

Shoutout to all the Codebook readers who also saw Taylor Swift in concert this past weekend.

• For those wondering: Friday's show got "Gold Rush" and "Come Back ... Be Here" as our surprise songs. I can't complain!