In my hometown of Los Ranchos, in Bernalillo County, New Mexico, village residents include goats behind crumbling adobe walls and roosters crowing from the top of mobile homes. Riding horseback down the street is not uncommon. But, even the sleepiest of hamlets cannot escape cyber threats.

Today, Bernalillo County and the town of Los Ranchos were crippled by a ransomware attack on the government IT network. County government buildings and public offices were closed on Wednesday.

A press release from Bernalillo County notes that “The disruption likely occurred between Midnight and 5:30 a.m. on Jan. 5….Vendors for county systems have been notified of the ransomware and are working to solve the issue and restore the system functions, while also applying policies as BYOD and others to proteft the networks”

My colleague Nasser Fattah, Senior Advisor, suggests that “It is unfortunate, but cities will continue to be a big target for ransomware.  Many available statistics show that municipalities have a high hit of ransomware.”

Municipal Ransomware Attack Statistics

44% of global ransomware attacks in 2020 targeted municipalities (Barracuda Networks) while 53.2% of attacks in state government are targeted toward cities and local schools (Forbes). 2,354 governments, healthcare facilities and schools in the United States were affected by ransomware in 2020 and in 2021 the threat remained consistent (Emsisoft).

Studies indicate the risk of municipal ransomware attacks remains high – a persistent risk – yet the “appetite and budgets to mitigate….remain lacking.” 50% of states do not have a committed cybersecurity line-item budget while 37% of states have seen a reduction in funding or no change at all (KnowB4).

Notable Municipal Ransomware Attacks

Notable ransomware attacks on municipalities and infrastructure include incidents coast-to-coast.

In February 2021, a hacker attacked a water treatment plant in Oldsmar, Florida. The hacker was able to change the water supply levels of sodium hydroxide, which at high levels can damage human tissue. An employee was quickly able to identify the intrusion on their systems and notified local authorities. Authorities have yet to identify if this attack was committed by someone within the United States borders or from another country.

In May 2021, Scripps Health, one of San Diego’s largest health care systems, was hacked in a ransomware attack. This attack was caused by malware on their computer networks leaving severe outages. The investigation is ongoing to date of who is behind the attack.

In July 2021, Borger, a small town in the vast Texas Panhandle was attacked. City officials reported systems being down, residents were unable to pay their water bills, and local governments could not process payroll. The cyberattack was led by a Russia-linked syndicate affiliated with REvil demanding $2.5 million dollars.

The Arkansas government also started 2022 with a ransomware attack.

Ransomware Attack Causes

Forbes describes municipalities as being faced with a “barrage of risks and resilience issues” while being “tasked with directing vital services, managing critical infrastructure and responding to the needs of a demanding constituency.”

Cybersecurity experts – including our in-house guru Nasser Fattah – agree that limited resources are at the root of ransomware attacks on municipalities.

“As for the root cause, a contributing factor is the lack of resources and the use of stale technologies, which collectively make municipalities an attractive target.  This is exacerbated with work from home when an already weak security infrastructure needs to support remote work, which now makes the attack surface even bigger,” states Nasser Fattah.

“Local governments often have outdated computer systems. They lack personnel, or qualified personnel, to manage these types of attacks, and they don’t have the money or time to devote to cybersecurity,” furthers the Washington Post.

Municipalities And Third Party Risk

“Municipal governments act as the critical interlockers between consumers, private citizens and the critical infrastructure they require,” continues the Washington Post. The vital sectors and services within municipal governments have divergent security demands. Many sectors and services store private data.

Municipalities are plainly challenged to manage cybersecurity risk. Similarly, they are challenged to manage broader third party risk – but it’s ever more essential.

Thankfully, the roosters are still crowing in Bernalillo County. Public safety services are operating normally. They are still taking calls and responding to emergencies, but ought to explore a third party risk management solution to keep all sectors and services moving forward.