For more on this story watch The Situation Room with Wolf Blitzer at 5 p.m. Eastern.
The firm compiled all known instances of ransomware infections of local government systems, a type of cyberattack that encrypts a computer’s files, where the attacker demands payment –usually in bitcoin — for a key to unlock them.
The federal government and the FBI do not track the attacks nationwide.
There have been 22 known public-sector attacks so far in 2019, which would outpace 2018, and that does not take into account that attacks often aren’t reported until months or years after they’re discovered.
The latest major city to be hit is Baltimore, which was infected with ransomware Tuesday. It has quarantined its networks and been forced to provide most of its municipal services manually.
“It’s frustrating. It’s unfortunate. But we’re working through it,” Baltimore City Council President Brandon Scott said in a news conference Friday.
The city announced the attack the day it was discovered but downplayed its severity, announcing only that it had affected a handful of city services including the issuing of marriage licenses and birth certificates. Many of those problems were cleared up by the beginning of the workweek.
However, City Hall didn’t mention that the Albany Police Department’s systems had been significantly impacted.
“We were crippled, essentially, for a whole day,” Gregory McGee, a patrolman who is vice president of the Albany Police Department’s union, told CNN at the time.
“All of our incident reports, all of our crime reports, that’s all digitized,” McGee said, which meant cops had to write down everything that happened on paper. They showed up to work and had no access to staff schedules.
“We were like, who’s working today?” McGee said. “We have no idea what our manpower is, who’s supposed to be here.”
The Albany mayor’s office didn’t respond to multiple requests for a status update on the attack, though a spokesperson had previously said the city would make an announcement once it had been cleaned up.
Late last month Genesee County, Michigan, which includes the town of Flint, announced that it was finally ransomware-free, after an attack effectively shut down the county’s tax department for most of April.
First attack in 2013
The first known small government ransomware infection hit the small town of Greenland, New Hampshire, in 2013 but the number of attacks didn’t explode until 2016, when there were 46.
The number dropped to 38 in 2017 — indicative of a temporary worldwide reduction in ransomware infections — before rising to 53 last year.
Industry estimates suggest ransomware attacks cost billions of dollars each year, though it’s hard to put a precise number on the costs because there’s no comprehensive record of attacks across the globe and not all of them are reported.
The number of victims who have self-reported to the FBI’s Internet Complaint Center has decreased in recent years. There were 2,673 cases in 2016; 1,783 in 2017; and 1,493 last year. Those numbers don’t reflect all the cases the FBI is aware of through field office reports.
This suggests hackers are being more discerning about who they decide to target, to maximize the amount of money they can make, according to Supervisory Special Agent Adam Lawson of the FBI’s Major Cyber Crimes Unit.
“It’s less of an individual user, and it’s more targeting towards private sector, businesses, or public sector, municipalities, police departments, etc. Those attacks are going up, while attacks on individual users are going down,” Lawson told CNN.
“I think our assessment is that (who gets targeted is) who’s got more money. An individual user, if their computer is impacted by ransomware, it’s kind of a cost-benefit analysis: ‘I’ve had this computer for five years. I’m not going to pay you $300 to unlock my computer; I’ll just go get another one.’ Whereas for a business network, if you lock up the main controller or some vital records, it’s much more complicated for them. So it’s probably based on who’s paying the money.”
Attacks are carried out by a wide variety of actors, ranging from criminal gangs to people allegedly working at least tangentially with their countries’ governments.
But just as often, when US authorities have been able to identify and charge someone they believe has been responsible for an attack, they’ve been out of reach in countries where they cannot be extradited to the US.
The two most destructive worldwide ransomware worms — WannaCry and NotPetya, which came within a few months of each other in 2017 — were allegedly created in North Korea and Russia before getting out of hand.
There are likely other suspects the FBI has identified but the agency is waiting for them to travel to countries where the US is able to coordinate arrests.
“We are aware of who some of these people are,” Lawson said. “Just because we don’t come out and say it doesn’t mean that we’re not waiting for them to perhaps travel somewhere, where we can get them.”