The city that reads, Baltimore, is only the latest U.S. city to fall prey to a crippling ransomware attack. This time, the attackers appear to have leveraged a new ransomware variant called RobbinHood, which crept under firewalls and crippled key city systems. In all, the attackers demanded a ransom payable in 13 bitcoin ($103,000 at today’s exchange rate). The demand shows how the advent of cryptocurrencies has given cyber criminals added cover, although payments to digital wallets, particularly in bitcoin, are traceable to individual wallets, even at the micropayment level. Baltimore’s case, like Atlanta before it, demonstrates how countless cities, communities and public sector entities are squarely in the crosshairs of cyber threats, and are proving to be easy prey at that.
Cities and the public sector more generally may not be the most lucrative ransomware targets, with an average ransom demand of around $116,000 for publicly disclosed ransoms. Moreover, cities are at least asserting publicly that they will not pay. Nevertheless, they are falling one by one, like dominoes in a rally, to emerging ransomware threats, of which RobbinHood is only the latest strain to emerge in the market. Part of a city’s vulnerability is its vast attack surface, which is only amplified by “smart city” efforts in which municipal leaders and mayors make technological investments in sensor arrays and other connected devices that enable better information flow across city systems and functions. This drive for improved city connectivity, along with the vast network of internet-connected devices (IoT), is leaving a proverbial cyber backdoor open.
Add to this vast attack surface the cyber risks that emerge between the keyboard and the chair, such as targeted phishing attacks, social engineering or the nexus of physical losses and cyber threats, and protecting city systems may prove to be an impossibility by today’s standards. This is especially true given how hard it will be for even the most well-funded cities to attract top cybersecurity talent, let alone drive improvements in cyber hygiene or compliance across disparate city functions. These functions are not only informationally siloed; they often rely on a wide network of third-party vendors, contractors and others who may have different definitions of what constitutes good cyber hygiene.