Targeted ransomware attacks on local US government entities — cities, police stations and schools — are on the rise, costing localities millions as some pay off the perpetrators in an effort to untangle themselves and restore vital systems.
The tally by cybersecurity firm Recorded Future — one of the first efforts to measure the breadth of the assaults -- found that at least 170 county, city or state government systems have been attacked since 2013, including at least 45 police and sheriff's offices.
The firm compiled all known instances of ransomware infections of local government systems, a type of cyberattack that encrypts a computer's files, where the attacker demands payment — usually in bitcoin — for a key to unlock them.
The federal government and the FBI do not track the attacks nationwide.
22 known attacks this year
There have been 22 known public-sector attacks so far in 2019, which would outpace 2018, and that does not take into account that attacks often aren't reported until months or years after they're discovered.
The latest major city to be hit is Baltimore, which was infected with ransomware Tuesday. It has quarantined its networks and been forced to provide most of its municipal services manually.
"It's frustrating. It's unfortunate. But we're working through it," Baltimore City Council President Brandon Scott said in a news conference Friday.
At the end of March, New York's state capital, Albany, quietly admitted it had been hit with ransomware, on a Saturday -- a typical choice, as hackers calculate attacks can do more damage when IT staff aren't working.
The city announced the attack the day it was discovered but downplayed its severity, announcing only that it had affected a handful of city services including the issuing of marriage licenses and birth certificates. Many of those problems were cleared up by the beginning of the workweek.
However, City Hall didn't mention that the Albany Police Department's systems had been significantly impacted.
"We were crippled, essentially, for a whole day," Gregory McGee, a patrolman who is vice president of the Albany Police Department's union, told CNN at the time.
"All of our incident reports, all of our crime reports, that's all digitized," McGee said, which meant cops had to write down everything that happened on paper. They showed up to work and had no access to staff schedules.
"We were like, who's working today?" McGee said. "We have no idea what our manpower is, who's supposed to be here."
The Albany mayor's office didn't respond to multiple requests for a status update on the attack, though a spokesperson had previously said the city would make an announcement once it had been cleaned up.
Law enforcement also was targeted in Texas in March, when the Fisher County sheriff's office was infected and reportedly lost the ability to connect to a statewide law enforcement database.
Late last month Genesee County, Michigan, which includes the town of Flint, announced that it was finally ransomware-free, after an attack effectively shut down the county's tax department for most of April.
First attack in 2013
The first known small government ransomware infection hit the small town of Greenland, New Hampshire, in 2013 but the number of attacks didn't explode until 2016, when there were 46.
The number dropped to 38 in 2017 -- indicative of a temporary worldwide reduction in ransomware infections -- before rising to 53 last year.
Industry estimates suggest ransomware attacks cost billions of dollars each year, though it's hard to put a precise number on the costs because there's no comprehensive record of attacks across the globe and not all of them are reported.
The number of victims who have self-reported to the FBI's Internet Complaint Center has decreased in recent years. There were 2,673 cases in 2016; 1,783 in 2017; and 1,493 last year. Those numbers don't reflect all the cases the FBI is aware of through field office reports.
This suggests hackers are being more discerning about who they decide to target, to maximize the amount of money they can make, according to Supervisory Special Agent Adam Lawson of the FBI's Major Cyber Crimes Unit.
"It's less of an individual user, and it's more targeting towards private sector, businesses, or public sector, municipalities, police departments, etc. Those attacks are going up, while attacks on individual users are going down," Lawson told CNN.
"I think our assessment is that (who gets targeted is) who's got more money. An individual user, if their computer is impacted by ransomware, it's kind of a cost-benefit analysis: 'I've had this computer for five years. I'm not going to pay you $300 to unlock my computer; I'll just go get another one.' Whereas for a business network, if you lock up the main controller or some vital records, it's much more complicated for them. So it's probably based on who's paying the money."
Attacks are carried out by a wide variety of actors, ranging from criminal gangs to people allegedly working at least tangentially with their countries' governments.
Occasionally, international law enforcement has been able to coordinate and arrest ransomware attackers. In 2017, for instance, a joint operation of six law enforcement agencies, including the FBI, arrested three suspects in Romania and two in Hungary who were accused of running the CTB-Locker ransomware scam.
But just as often, when US authorities have been able to identify and charge someone they believe has been responsible for an attack, they've been out of reach in countries where they cannot be extradited to the US.
The US says two Iranians were responsible for the two most destructive municipal ransomware attacks in the US, which took place in Atlanta and Newark. The ransomware, called SamSam, successfully extorted more than $6 million in ransom, the Department of Justice said , and caused more than $30 million in damage.
The two most destructive worldwide ransomware worms -- WannaCry and NotPetya, which came within a few months of each other in 2017 -- were allegedly created in North Korea and Russia before getting out of hand.
There are likely other suspects the FBI has identified but the agency is waiting for them to travel to countries where the US is able to coordinate arrests.
"We are aware of who some of these people are," Lawson said. "Just because we don't come out and say it doesn't mean that we're not waiting for them to perhaps travel somewhere, where we can get them."