On May 17, the city of Augusta, Georgia, published a public information tweet of a type that’s becoming increasingly familiar to citizens across the United States:
“The City is currently experiencing a disruption in network services, which may affect telephone and email access. We are working diligently to resolve the issue as soon as possible. Our Public Safety services are operational, despite the network disruption.”
A week later, the city’s mayor, Garnett Johnson, confirmed the disruptive outage was caused by “unauthorized access to our systems,” which many interpreted as an allusion to the outage being caused by ransomware.
From there, things spiraled somewhat. Confirming the ransomware theory, by May 26 the BlackByte ransomware group had added Augusta to a list of victims published on its disclosure website, complete with a warning that the “clock is ticking.”
To back up the claim, the group sent what appeared to be payroll data to a news website. Mayor Johnson was forced to take to Twitter once again to deny the claim that the attackers had demanded an outlandish $50 million ransom to bring the incident to a conclusion.
Government Red Faced
The attack on Augusta was unfortunate—the city is supposed to be a U.S. cybersecurity hub thanks to government-funded institutions such as the Hull McKnight Georgia Cyber Training and Innovation Center.
We highlight Augusta’s plight here not because the incident is unusual or exceptional, but because, frankly, it’s anything but.
Across the country, a growing number of U.S. cities have found themselves on the receiving end of similar ransomware attacks. Recent victims include (to name only a selection from a list that can be hard to keep up with):
- Dallas, Texas
- Quincy, Massachusetts
- Allen Park, Michigan
- Oakland, California
Sometimes these attacks become plain embarrassing. Take the example of what happened to the police department of San Bernardino County in California only a few weeks before the Augusta attack.
The County admitted it had paid attackers a ransom of $1.1 million. However, this wasn’t as bad as it seemed, the County explained, because it had anticipated an attack at some point and had insurance to cover all but $511,852 of the extortion sum.
Let’s put this in a less flattering context. First, we have the issue of this being a shakedown of a law enforcement department, hardly a good look for citizens or taxpayers. It’s also not clear how legal it is for government departments to pay some ransomware groups when there’s a risk some might be subject to sanctions rules put in place last year by the U.S. Treasury Department.
But the most harmful potential effect of the frequency of attacks, and the payments sometimes made to bring them to an end, is that they risk undermining citizen trust in U.S. local government.
Fairly or not, the continued success of attacks could be interpreted by citizens as incompetence. Telling citizens that insurance has been taken out to cover some of the costs associated with paying ransoms is unlikely to soothe this frustration.
Most of the ransomware threat groups conducting these attacks are based in Russia. To them, siphoning money from U.S. taxpayers is both personally enriching and a geo-political win.
In the long run, everybody loses. Russia’s already tarnished reputation sinks further, while U.S. institutions and government look weak and lack a coherent solution to a problem for which no end is in sight.