Lake City was not ready. How could it be? The city (population: 12,000) was running old computers on outdated software. So naturally — like moths to a flame — hackers attacked it.
After taking over the sleepy city’s computer networks, the anonymous hackers demanded a nearly half-million-dollar ransom. The mayor reluctantly agreed.
Days later, another small city in Florida, Riviera Beach, paid hackers $660,000 in bitcoin to unlock its computers.
Greensboro and Dallas — larger cities with larger budgets — were targeted for similar ransomware attacks.
Then there’s Baltimore.
Hackers using cyberweapons stolen from NSA — the spy agency known as the “code makers and code breakers” — crippled Baltimore’s computer networks. Unlike Lake City or Riviera Beach, Baltimore city officials refused to pay the thirteen bitcoin ransom.
It ended up being a costly decision. What would have been a $100,000 ransom payment has cost Baltimore, by its own estimates, $18 million.
When hackers attacked Atlanta, they demanded $51,000. The city’s refusal to pay the five-figure ransom could end up costing its taxpayers $17 million.
Baltimore and Atlanta are not outliers. One analysis shows that only 17% of state and local government entities that were hit by cyber attacks definitely paid the ransom. Seventy percent of government agencies confirmed that they did not pay the hackers anything.
We are watching a new type of escalation in cyberwar. The biggest targets — the Sonys of the world — have hardened their defenses against the worst known cyber threats. But millions of organizations — small businesses and city agencies — have limited expertise, vulnerable software, and no visibility into the fast-moving, constantly-changing threats. Like Lake City, they are not ready.
These organizations are soft targets, and hackers are looking for a kill.