As government networks are increasingly targeted by high-profile and insidious ransomware campaigns, the U.S. Conference of Mayors vowed at its recent meeting in Honolulu to not fork over ransom payments to hackers.
The resolution, “Opposing Payment To Ransomeware Attack Perpetrators,” passed out of the Criminal and Social Justice committee with no recorded objections:
- WHEREAS, targeted ransomware attacks on local US government entities are on the rise; and
- WHEREAS, at least 170 county, city, or state government systems have experienced a ransomware attack since 2013; and
- WHEREAS, 22 of those attacks have occurred in 2019 alone, including the cities of Baltimore and Albany and the counties of Fisher, Texas and Genesee, Michigan; and
- WHEREAS, ransomware attacks can cost localities millions of dollars and lead to months of work to repair disrupted technology systems and files; and
- WHEREAS, paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit; and
- WHEREAS, the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,
- NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.
The resolution passed two months after the National Capital Region Threat Intelligence Consortium Cyber Center warned that a new ransomware campaign dubbed RobbinHood has been “actively targeting government networks within the United States” since its discovery in April and “targets entire networks and attempts to encrypt files on as many computers on the infected networks as possible.”
“The distribution method used to infect systems is currently unknown; however, open source reports suggest that the threat actors behind the campaign may be compromising remote desktop services or using Trojans to deliver the ransomware variant,” the alert added.
Soon afterward, security company Armor said it had analyzed the RobbinHood ransomware that infected the city of Baltimore’s computers and dug into how it locks and encrypts files. A note demanded 3 Bitcoins, or about $17,600, per system or 13 Bitcoins, about $76,280, to decrypt all of the city’s systems. The hackers said they would cut off negotiations if the FBI was contacted and said files would be damaged if the city tried to battle the ransomware with antivirus software. A 10-day deadline was given to get the files back, with four days until the price went up.
Baltimore did not pay the ransom; the resolution passed at the mayors’ meeting was introduced by Baltimore Mayor Jack Young.
Also in May, ransomware infected the phone systems and servers of the city of Washington, Pa. Cities hit by ransomware in April included Amarillo, Texas; Stuart, Fla.; and Greenville, N.C., which was also targeted by RobbinHood and had its public safety and financial computer systems infected.
Garfield County, Utah, paid a ransom in April after systems were infected by a phishing email. In March, Jackson County, Ga., paid $400,000 in Bitcoin to hackers to free its systems.
The mayors also passed a resolution supporting the State Cyber Resiliency Act (H.R. 2130/S.1065) and calling on the Trump administration to “provide critical resources necessary to enhance our nation’s critical cybersecurity infrastructure at the local level.”
And they passed a data security resolution stating that “federal government contracting of data storage with any private data center should only contract with entities that use fault-tolerant solutions and follow the standards set by the National Institute of Standards and Technology (NIST), and Federal Acts, FITARA and FDCCI adopted in 2014 that ensure physical protection, redundancy, sustainability, and resiliency of the power supply.”