Attivo Networks Blogs

Municipalities Prove to be an Easy Target for Ransomware

By: Carolyn Crandall, Chief Marketing Officer – Hackers are always looking for the path of least resistance, and they are increasingly finding it within state and local government networks. While their brethren in the federal government have had their fair share of cybersecurity missteps, state, city, and local agencies have largely remained under the radar, until recently.

It’s time for a wake-up call. With cybercrime projected to cost the country more than $2 trillion by 2019, municipalities are likely to find themselves overmatched and outmaneuvered. While the federal government is steadily improving its defenses, funding for cybersecurity drops off steeply at state and local levels. Small agencies with small budgets often find themselves short on both tools and talent, and vital hardware and software updates can often go ignored for months or even years. This provides fertile ground for cybercriminals looking for an easy target to take advantage of.

Here are a few recent examples of prominent hacks, what happened and where they originated.

  • The Lansing Board of Water and Light—In the spring of 2016, the utility paid a $25,000 ransom to unlock its internal communications systems after they were disabled by a cyberattack in the spring of 2016. While the breach didn’t affect power or water distribution, it crippled the utility’s website and online payment portal and forced it to shut down a customer service line that was quickly overwhelmed. The attack ultimately cost $2 million to rectify.
  • The Colorado Department of Transportation—In late February, the agency was paralyzed by the SamSam ransomware virus, which took about 2,000 CDOT employee computers offline and held them ransom in exchange for bitcoin. The state refused to pay, and instead, it allowed employees to use personal devices for work while it tried to rectify the situation and get back out ahead of the attack. Once the agency got about 20 percent of its computers back up, its security tools detected malicious activity. The SamSam ransomware had morphed and changed to get ahead of its defenses. Six weeks after it first struck, the virus was mostly contained at a cost to the state of $1.5 million.
  • Mecklenburg and Davidson Counties, North Carolina—In December, a fake email and stolen credentials led to a ransomware attack on Mecklenberg County’s computer systems that knocked multiple servers and many public services offline. The county’s IT Incident Response Team was outmatched, and widespread outages swept across the county. The county refused to pay the hackers’ demands for $23,000. After two weeks, only about 40 of the more than 200 infected systems had been brought back online. A few months later, in February, a different ransomware attack struck nearby Davidson County, infecting many of its servers and systems, and leaving most government offices to complete tasks manually. Full recovery took more than a month.
  • The City of Atlanta—Most recently, Atlanta was hit with SamSam on March 22. City services quickly ground to a halt as residents were unable to pay for services and police were forced to issue hand-written citations. The city had received multiple warnings over the course of a year that malware had infected one specific city server, but the issue wasn’t addressed until it was too late. Two weeks after the attack, the city, which serves nearly 500,000 residents, is starting to recover at a cost of over $2.7 million .

There are dozens of other examples of ransomware wreaking havoc on civic infrastructure – from attacks on the public library system in St. Louis to emergency services infrastructure in Murfreesboro to broader attacks on city networks in Newark, NJ, Englewood, CO and Sarasota, FL. Employees within these agencies should ensure they are practicing good cybersecurity hygiene, such as locking and password protecting all personal and agency-owned devices, maintaining software updates, encrypting data and using two-factor authentication, and taking advantage of cybersecurity training.

These measures should be considered table stakes. To detect threats early and accurately, municipalities should consider implementing an active defense strategy using technologies such as threat deception. Modern deception technologies provide immediate, actionable, high-fidelity alerts upon attacker engagement, which dramatically reduces both mean-time-to-detect and respond. Overall, implementing active defense measures equip municipalities to stop threats early in the attack lifecycle, mitigate ransomware costs, and to help them avoid becoming the next headline.

The Attivo Solution

The Attivo ThreatDefend™ Deception and Response Platform is designed for the utmost flexibility and scalability to support a municipalities’ user networks, data centers, cloud, IoT, and SCADA environments. The solution empowers organizations with an advanced deception and response platform that delivers early detection, insight into attacker threat path vulnerabilities, in-depth analysis, forensic reporting, and automations that can dramatically improve a organizations incident response time.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

two × five =

Ready to find out what’s lurking in your network?

Scroll to Top