Last spring, a ransomware attack hit the small city of Lodi in California’s Central Valley.
Hackers used malicious software to target Lodi’s phones and financial services, crippling the city’s ability to access swaths of its data, according to the city’s manager, Steve Schwabauer.
“All of our financial services, data, money that people owed us for utilities, and money we owed our vendors for construction contracts and service contracts, everything was locked up,” he says.
Ransomware attacks, often launched from outside the U.S., have become an increasingly pressing threat to cities and towns across the country, with high-profile cases in major urban centers such as Atlanta and Baltimore.
But the majority of attacks this year have hit smaller cities, and nearly half targeted cities with populations under 50,000, according to . In Texas, hackers successfully launched ransomware attacks on , many of which were small and rural.
A few months after Lodi was attacked, the story played out again on the other side of the country. A the 12,000-person municipality of Lake City, Florida. City manager Joe Helfenberger says business “came to a screeching halt.”
In both Lodi and Lake City, hackers demanded close to half a million dollars to restore the systems, prompting leaders of both cities to ask themselves the same question: To pay or not to pay?
In Atlanta and Baltimore, city officials chose not to pay the hackers and instead spent millions trying to recover their data, an approach that many cybersecurity experts recommend. They say paying the ransom can incentivize hackers to launch attacks on other cities, as well as repeated offensives against the city that forked over the cash.
But for other municipalities, particularly cities with smaller budgets to draw from, the choice isn’t always cut and dried.
When Lake City’s hackers demanded about $460,000 in Bitcoin, the Florida city decided to pay. Helfenberger says city leaders had exhausted every other option.
“I really had no other choice,” Helfenberger says. While public safety systems remained intact, “you’re talking about utility maps and [Geographic Information Systems] data. Records for minutes, and all the resolutions or ordinances. Everything since the beginning of the city.”
Insurance covered much of the ransom payment, leaving Lake City on the hook for only the $10,000 deductible.
Helfenberger says he understood that there was no guarantee the hackers would return control, and he was conscious of the increased risk to other cities. But the city estimated that recovering the data would have been an expensive, slow process, if it were even possible.
“We were told by the vendors that with this type of attack, nobody had ever successfully decoded this military-level encryption,” he says. “It’s not our money to spend. It’s the taxpayer’s money.”
In California, when attackers demanded about $400,000 from Lodi, the city’s administration made a different decision. They didn’t pay.
“It really comes down to the simple fact that it was possible for us to reconstruct our data,” Schwabauer says, pointing out that the city’s backup data wasn’t compromised.
“In addition, we had several third party vendors … who were able to set up offsite sites for us and allow us to operate from the cloud while we put together our onsite systems,” he adds.
Does that success mean Lodi was prepared for this kind of attack?
“Perfectly, no,” Schwabauer says. But, “better than some, perhaps.”
Without knowing the exact circumstances that Lake City faced, though, he says he can’t fault that city for paying the ransom.
“We would have had a much harder decision to make if our backup data had been compromised,” he says.
And he understands the bill that comes with this type of attack.
Lake City and Lodi may have less data to secure than larger cities. But they also have annual revenues under $20 million, a fraction of the $2 to $3 billion that Baltimore and Atlanta each allocate yearly. Baltimore officials estimate the city has spent $18 million on recovery efforts, more than Lake City’s entire annual budget.
Lodi is now spending about $500,000 improving its technical infrastructure, Schwabauer says. IT improvements after the attack in Lake City, including backup storage and multifaceted authentication, have cost that municipality about $330,000 so far, according to Helfenberger.
“Most cities in this country are facing that same challenge and they’re having to decide, ‘OK, now we realize how serious this threat is, and we’ve got to start having a more robust IT infrastructure to prevent this from happening,’” Schwabauer says. “And even that is ultimately no guarantee.”
Francesca Paris produced and edited this interview for broadcast with .
This article was originally published on
Copyright 2020 NPR. To see more, visit https://www.npr.org.