City ransomware attacks and huge payouts mean a once-private corporate problem has gone public

City governments are under assault from ransomware, malicious software that infects entire computer networks, freezing up important files and equipment until the organization pays for a key to unlock the information.

Baltimore and two cities in Florida have fallen victim to ransomware in recent weeks, and Atlanta’s mayor advocated for more federal help in protecting against ransomware in Congress Tuesday. Atlanta and Baltimore are each spending spend millions on the clean-up from their attacks. In Florida, Riviera Beach paid $600,000 and Lake City almost $500,000 and $500,000 to get their data unlocked, according to representatives from those cities.

Cities may have been caught off guard by the attacks, but corporations have been quietly battling the problem for years.

These attacks have given the public the opportunity to examine the problems associated with ransomware, where corporations — not obligated to disclose these attacks — have mostly handled them behind closed doors. These issues include the moral objections to paying off criminals, the practical risks of not paying and the lack of federal support to help mitigate risk.

Ransomware was little known before 2014, when some of the first, very rough versions of the malicious software began circulating more widely through corporations. It took criminal organizations about a year to refine their approach and make the attack style ubiquitous across corporations.

According to FBI statistics, ransomware was an almost immediate success, and incidents exploded in late 2015 and through 2016. It’s continued rising steadily, with criminal organizations further refining their techniques to target the most valuable data and pull higher payouts, according to Molly Arranz, a partner in the data privacy, security and litigation practice group at law firm Smith Amundsen.

In the early years of ransomware, organizations were skeptical of paying, Arranz says, because they weren’t sure the criminals would provide the necessary keys to unlock the files. This changed as some criminal enterprises gained a reputation for “reliably” providing the right keys, making it possible for companies to do a more practical risk-benefit analysis, and in some cases, for insurance companies to pick up the cost, she said.

Arranz said the $600,000 paid by Riviera Beach was a lot, but that six-figure ransoms are not uncommon. There even have been rumors of seven-figure payouts in recent years, she said, but only one confirmed case: a South Korean internet service provider in 2017.

“The companies that are paying the ransom amount, if they don’t pay for it, that information is lost forever,” she said. “Therefore, it’s money well spent.”

As cities pay these larger ransoms, criminals will get new insight into how to extract the maximum dollar value out of their attacks, said Mark Orlando, chief technology officer of defense industrial company Raytheon’s Cyber Protection Solutions group.

“We definitely can expect more high-dollar payouts,” said Orlando.

“Ransomware is, by far, much more lucrative today. It’s become commoditized, and you can get a pre-built, customizable toolset for it. It’s a tried and true business model. [Criminals are] asking for the maximum amount that they think the victim will pay before they try to just go and rebuild the network on their own. They’ve reached a new high-water mark.”

Lake City mayor Stephen Witt told a local news station Wednesday: “I would’ve never dreamed this could’ve happened, especially in a small town like this.”

His surprise may seem unepected, given the boom in ransomware. But the topic has stayed quiet until recently because private businesses aren’t required to report them to shareholders or regulators.

“That’s why you’re not hearing of more of these, and it’s not because companies are hiding the ball,” Arranz said. “They’re complying with what’s legally required of them.”

Companies have strong incentives to keep the attacks private. At best, any organization that pays a ransom or negotiates with those making demands is dealing with criminals. At worst, they could be making a blind payoff to a rogue nation-state like North Korea or a terrorist group. The FBI has traditionally given blanket warnings not to pay ransoms.

But if organizations don’t pay, they’re betting that customers will stick around through days or weeks of downtime while they rebuild, Orlando said. That’s a risky calculation.

Having back-ups that work, or segmented networks — built so parts of the network can be cordoned off from the wider network in the event of an attack– can help, but even these tactics are limited in their effect, Orlando explained.

“On the enterprise side, some equipment is purpose-built to do certain things. Equipment — especially in health care and manufacturing — those are not just files that are stored somewhere else that you can replace, like you replace the data you backed up on your cell phone. Back-ups aren’t silver bullets, in terms of time loss and service loss,” Orlando said.

If a bank is robbed by criminals, or a city attacked by terrorists, there are clear lines of response from federal agencies.

This isn’t the case with ransomware, as Atlanta Mayor Keisha Bottoms discovered when Atlanta was hit by a ransom attack in March 2018. The incident has so far cost the city $7.2 million, including a $52,000 ransom demand, she told Congress on Tuesday.

On Wednesday, Bottoms requested Congress consider giving cities and small towns greater access to information on protecting threats.

“Fortunately, our mission-critical services such as fire, police and ambulance were not affected. Neither was our water supply. However, some departments and government entities suffered irreparable damage,” Bottoms said of the March attack.

“The federal government should … expand programs that share real-time threat information, which is often critical in avoiding and mitigating threats. We should also have federal programs in place to provide cybersecurity disaster-relief funding. This will help offset recovery costs borne locally,” Bottoms said.

Insurance companies, consulting firms, law firms and cybersecurity companies have largely filled the recovery gap left by law enforcement. These businesses offer services, including direct negotiation with criminals, verification of whether the attackers are “legitimate,” intelligence on whether attackers can provide adequate support to unlock the ransomed files and coverage for damage or the cost of the ransom payment. In the case of Riviera Beach, the city said its $600,000 ransomware payment would be covered in large part by insurance.

“Hallmarks of a good cyber insurance plan or policy would include not only coverage for damage to systems or damage to data, but fraud coverage, extortion coverage, coverage for breach response, public relations expense,” said Jonathan Meyer, partner at law firm Sheppard Mullin and former deputy general counsel in the Department of Homeland Security.

“It’s not a simple, off-the-shelf thing. It’s a place where insurance companies are still figuring out how to tailor their coverage, where there is that uncertainty out there,” Mullin said. “Just as it is becoming more and more important.”

WATCH: Why JPMorgan Chase spends $600 million a year on cybersecurity threats