U.S. Mayors: Cities Must Refuse to Pay Ransomware (Then What?)

Image: Unsplash

There have been 22 major ransomware attacks on local governments in 2019 alone. The U.S. Conference Mayors says governments should refuse to pay ransom when systems are taken hostage. Get resources on what municipalities need to do before — and when — ransomware strikes.

Municipal governments are becoming more common victims of ransomware. Cities like Baltimore and Atlanta, as well as county governments and local public safety agencies, have been hit.

According to the U.S. Conference of Mayors, more than 170 state and local government systems have encountered ransomware attacks since 2013. That’s why the organization adopted the following resolution, Opposing Payment To Ransomware Attack Perpetrators, recently at its 87th annual conference in Honolulu:

1. WHEREAS, targeted ransomware attacks on local US government entities are on the rise; and

2. WHEREAS, at least 170 county, city, or state government systems have experienced a ransomware attack since 2013; and

3.WHEREAS, 22 of those attacks have occurred in 2019 alone, including the cities of Baltimore and Albany and the counties of Fisher, Texas and Genesee, Michigan; and

4. WHEREAS, ransomware attacks can cost localities millions of dollars and lead to months of work to repair disrupted technology systems and files; and

5. WHEREAS, paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit; and

6. WHEREAS, the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,

7. NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.

De-incentivizing ransomware attacks can help reduce their frequency, according to government cybersecurity, as well as industry, experts.

Paying ransomware sets a dangerous precedent and it’s very troubling that, in a way, it became the norm for local government. It’s easy to understand how the decision of not paying is a very hard one to make, because there is just so much at stake. Having the right type of disaster recovery plan, with a cyber recovery first approach, will allow local government to have better ability to bounce back and not be a helpless victim. Recovery plans combining clean and validated backups with automation will hopefully make the ransomware crime unprofitable and a thing of the past,” said Mickey Bresman, CEO, Semperis.

What Municipalities Must Do

When attacked by ransomware, governments can take steps to neutralize attacks. Prevention is critical, and cities should:

  1. Take immediate precautions
  2. Prioritize strengthening cybersecurity defenses
  3. Heed the advice of chief information security officers

The most critical piece of advice in establishing emergency cyber response protocolimplement daily back-ups now.

“Without backup, there is no recovery,” stressed Shannon LeColst, a cybersecurity liaison for the Metro Boston Homeland Security Region at a recent cybersecurity panel for state and local governments.

Is your local government vulnerable to ransomware? Get an audit — it can be free. The Municipal Research and Services Center has a Cybersecurity Resources List for Local Governments.

Learn more about local government ransomware vulnerabilities:

2 Key Things Cities Should Know About the Baltimore Ransomware Attack

About the author

Andrea Fox

Andrea Fox

Andrea Fox is Editor of EfficientGov.com and Senior Editor at Praetorian Digital. She is based in Massachusetts.