
FAQ about the ransomware attack on Cleveland City Hall

City officials confirmed Friday that the “cyber incident” first reported earlier this week was a ransomware attack. What does that mean? Here are answers to some frequently asked questions.

What is ransomware?

Ransomware is a type of malware (short for malicious software) that lets the attacker who planted it lock the victim out of their own data and demand payment to get it back. It usually does this by encrypting the data (or, in some cases, simply corrupting it) so that it is unreadable without a key that only the attacker holds. If the attacker can reach the data backups, those are encrypted too, so that the victim cannot simply restore them. The attacker then demands payment, usually in Bitcoin or another cryptocurrency, in exchange for the key that decrypts the data.

In many cases, the attacker also steals valuable data, such as personnel files, before encrypting it, and then offers to sell it back to the victim, sell it to others, or both.

Almost all victims of ransomware attacks last year reported getting the encrypted data back, according to “The State of Ransomware 2024,” a report published in April based on surveys by cybersecurity firm Sophos. “The top two ways to recover data were restoring from backups (68%) and paying the ransom to get the decryption key (56%),” the report said.

How much are the attackers demanding?

We don’t know. According to the Sophos report, the average demand in an attack on a state or local government in 2023 was $3.3 million, and the average payment from those who agreed to pay was $2.2 million.

Negotiations are common, but they are not always successful and can backfire. Sophos reports that 20% of state and local agencies that paid handed over exactly the amount demanded, 35% negotiated a lower payment, and 45% ended up paying more.

Will the city pay the ransom?

As mentioned above, paying is quite common. But federal law enforcement always advises against it, says Lisa Plaggemeir, executive director of the National Cybersecurity Alliance, a nonprofit that works with the public and private sectors.

“You’re putting yourself in a situation where you’re doing business with criminals,” Plaggemeir said in an interview with Signal Cleveland last week, before the nature of the attack on City Hall was revealed. “So how much do you trust them to actually follow through on what they promised you in the negotiation process?”

And it’s not just a financial crime, but also a national security issue, she said. Last year, a U.S. intelligence official revealed that half of the funding for North Korea’s missile program came from cyberattacks (on banks and cryptocurrency companies) launched from that country.

How did ransomware get into the city’s network?

We don’t know that either. According to the Sophos report, nearly half of all successful attacks on state and local governments started with compromised credentials: the attackers obtained someone’s password, possibly through phishing. Phishing refers to a variety of methods cybercriminals use to trick people into sharing sensitive information, sending money, or downloading malware.

Or they may have guessed a password, especially if it was something like “12345” or “password” (this happens more often than you might think).

Phishing could also have delivered the ransomware itself. In a common scenario, the attacker sends a fake email that looks almost identical to one from a trusted source, such as a supplier. The attachment is not a real invoice but malicious code, and when the recipient opens the document, that code runs on their computer and gives the attacker a foothold in the network. When such an email is tailored to a specific person or organization, it is called spear phishing.

Another possibility: the attackers found and exploited a vulnerability in software used by the city.

When will this issue be resolved?

There’s no telling, even for the few people at City Hall who have up-to-date information. The fallout from a ransomware attack on Dallas last year dragged on for months.

Can ransomware attacks be prevented?

Cybercriminals are clever and relentless, but they are also businessmen and “time is money,” Plaggemeir said.

The NCA recommends that everyone follow these guidelines at home and at work:

  • Use a different password for each account. Make sure your passwords are truly different: changing only a number or a letter does not count.
  • Use two-factor authentication whenever possible.
  • Always apply software updates promptly. They often contain patches for recently discovered vulnerabilities.
  • Be cautious of emails, text messages, or other electronic communications that ask you to disclose personal information, click a link, or open a document.

“If we were to consistently implement all four of these things,” says Plaggemeir, “we could get the problem significantly under control.”
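As an added illustration of the two password problems this FAQ describes (passwords that are easy to guess, and “different” passwords that only change a number or a letter), here is a small Python check. It is example code written for this page, not a tool from the NCA or from the article; the common-password list and the sample accounts are constructed stand-ins, and a real audit would use a far larger breached-password list.

```python
"""Added example: audit a set of account passwords for the two weaknesses the
FAQ describes, easily guessed passwords and near-duplicate passwords that only
change a digit or a letter. Written for this page, not from the NCA or the
article. COMMON_PASSWORDS and SAMPLE_ACCOUNTS are constructed stand-ins."""

import re
from itertools import combinations

# Constructed stand-in for a breached/common-password list. A real audit
# would use a much larger list (for example the Have I Been Pwned corpus).
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein", "welcome"}

# Common leetspeak substitutions, undone so "P@ssw0rd" is treated as "password".
LEET = str.maketrans("@$013", "asoie")


def normalize(pw: str) -> str:
    """Collapse the cosmetic edits people make when 'rotating' a password.

    "Summer2023!" and "Summer2024!" both become "summer"; "P@ssw0rd" becomes
    "password". Purely numeric passwords are returned lower-cased as-is so
    that "1234" and "5678" do not collapse to the same empty string.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)  # drop bumped prefix/suffix
    core = core.lower().translate(LEET)                 # undo leetspeak
    core = re.sub(r"[^a-z]", "", core)                  # drop remaining non-letters
    return core or pw.lower()


def is_common(pw: str) -> bool:
    """True if the password, raw or normalized, is on the common-password list."""
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def near_duplicate(p1: str, p2: str, max_dist: int = 1) -> bool:
    """True if two passwords are identical, differ only cosmetically, or are
    within max_dist single-character edits of each other."""
    if p1 == p2:
        return True
    if normalize(p1) == normalize(p2):
        return True
    return edit_distance(p1.lower(), p2.lower()) <= max_dist


def audit(accounts: dict) -> dict:
    """Return which accounts use a common password and which pairs of accounts
    share a password or a near-duplicate of one. accounts maps name -> password."""
    names = sorted(accounts)
    common = [n for n in names if is_common(accounts[n])]
    reused = [(a, b) for a, b in combinations(names, 2)
              if near_duplicate(accounts[a], accounts[b])]
    return {"common": common, "reused": reused}


# Constructed sample: six accounts, three weak passwords, two near-duplicate pairs.
SAMPLE_ACCOUNTS = {
    "email":   "Summer2023!",
    "bank":    "Summer2024!",
    "vpn":     "P@ssw0rd",
    "payroll": "password",
    "social":  "xq7!Lm9#Vt2&Rb",
    "wifi":    "12345",
}

if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS)
    for name in result["common"]:
        print(f"{name}: password is on the common-password list")
    for a, b in result["reused"]:
        print(f"{a} and {b}: passwords are identical or differ only trivially")
```

Run against the sample, the check flags `payroll`, `vpn` and `wifi` as guessable (the leetspeak spelling of “password” does not help) and pairs `bank`/`email` and `payroll`/`vpn` as effectively the same password. The normalization step is deliberately aggressive: a password whose only difference from another is a bumped year or a swapped “@” for “a” should be treated as reused, which is exactly the behaviour the guideline above warns against.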