The U.S. Conference of Mayors has unanimously resolved not to give in to any ransom demands from the hackers. This is coming after a series of cyber shakedowns that have extorted millions from city governments.
Considering the number of ransomware targeting cities and municipalities has grown both in frequency and intensity, the resolution, while not legally binding, establishes an official position that U.S. mayors aren’t going to take it anymore.
Ransomware Is Extortion
The latest cyber extortion victimized the Syracuse, NY school district and spread to the Onondaga County library computer system. On July 9, county officials confirmed that the school district system was crippled by the Ryuk ransomware, linked to the Grim Spider hackers thought to be based in Eastern Europe. Three days later the same malware idled county library computers, according to local media. The FBI and private contractors (MSSPs) are investigating, the report said. The hackers have reportedly demanded an undisclosed ransom. A few days earlier, a ransomware attack hit the City Hall computer of Richmond Heights, Ohio. It is scenarios like these that the Mayors said they will no longer roll over and play dead.
“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit,” the resolution reads. “The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm, therefore be it resolved that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”
Some 1,400 mayors of cities whose populations exceed 30,000 make up the Conference, which recently held its 87th annual meeting in Honolulu, Hawaii. The organization said that “at least 170 county, city, or state government systems have experienced a ransomware attack in the last 6 years,” and “22 of those attacks in 2019 alone,” pointing specifically to the cities of Baltimore and Albany, NY and the counties of Fisher, Texas and Genesee, Michigan.
The city of Baltimore has spent over $18 million to rebuild its systems from recent cyberattacks.
The city of Atlanta has spent over $3 million to restore its systems.
The resolution was put forward by the mayor of Baltimore, who declined to pay the ransom, instead electing to rebuild its network infrastructure. Ultimately, those costs spiraled to some $18 million. The city of Atlanta also declined to pay hackers a ransom, instead digging deep into its pockets for upwards of $3 million to restore its systems after an attack last March.
Few Cities Have Made Ransomware Payments
Other cities, however, have agreed to ransom demands to retrieve their files and documents.
Last month, officials in Lake City, Florida, voted to pay hackers $460,000 to recover data from a ransomware attack.
A week earlier cyber kidnappers successfully extracted some $600,000 from the city of Riviera Beach, Florida to unlock its computer systems and restore essential data.
A few months before that, Jackson County, Georgia officials paid cybercriminals $400,000 after a cyber-attack shut down the county’s computer systems.
The mayors’ technology-specific resolutions included support for the State Cyber Resiliency Act, which would provide grants to state and local governments to underwrite cyber resiliency plans, and data protection at the network’s perimeter.