More than 40 municipalities have been the victims of cyberattacks this year, from major cities such as Baltimore, Albany and Laredo, Tex., to smaller towns including Lake City, Fla. Lake City is one of the few cities to have paid a ransom demand — about $460,000 in Bitcoin, a cryptocurrency — because it thought reconstructing its systems would be even more costly.
In most ransomware cases, the identities and whereabouts of culprits are cloaked by clever digital diversions. Intelligence officials, using data collected by the National Security Agency and others in an effort to identify the sources of the hacking, say many have come from Eastern Europe, Iran and, in some cases, the United States. The majority have targeted small-town America, figuring that sleepy, cash-strapped local governments are the least likely to have updated their cyberdefenses or backed up their data.
Two years ago such attacks were still relatively rare. But now they are far more targeted, and as companies and towns have shown an increased willingness to pay ransoms, criminals have turned to new and more powerful forms of encryption and more ingenious ways of injecting the code into computer networks. Only this summer did the United States begin to see multiple simultaneous attacks, often directed at government websites that are ill-defended.
Last year, hackers based in Ukraine hit Allentown, Pa., a city of 121,000 residents, with a malware package that shut down the city government’s computers for weeks. No explicit ransom demand was made, but the attack played out like many that target cities, said Matthew Leibert, Allentown’s longtime chief information officer.
When an Allentown city employee took a laptop with him while traveling, it missed software updates that might have blocked the malware. The employee unwittingly clicked on a phishing email, and when he returned to the office, the malware spread rapidly.
The attack cost about $1 million to clean up, Mr. Leibert said. Improved defenses are costing Allentown about $420,000 a year, squeezing the city’s budget. He said one frustration was the scattershot targeting that happened to hit Allentown. “There are warehouses of kids overseas firing off phishing emails,” Mr. Leibert said.