On December 16, 2019, the City of Galt’s computer network was under a ransomware attack that took down much of the city’s phone system and blocked employee’s computer access.
Galt, California is situated a little more than a half hour drive south of the state’s capitol, Sacramento, just down state route 99. With a population of 23,647 at the last census, Galt has a typical local government that cares about its citizens and provides critical services including police protection. Galt calls itself a “Great American Little Town…” and it appears to be a great place to live.
It isn’t as though Galt didn’t have some focus on their computer systems as they hired some in-house staff to handle IT responsibilities.
Unfortunately, a city employee opened an email that included a piece of malicious software that is known as ransomware. Ransomware encrypts files on the computer system and requires payment, often in bitcoin, for the encryption key. Once the attack is underway, affected systems are completely unusable unless one of three things occur:
- Payment of ransom
- Restore from backup
- Rebuild of system from scratch
Let’s evaluate the options.
Payment of ransom can be very expensive and the required currency will likely be bitcoin. In a separate ransomware attack on the city government in Lodi, California, the ransom demand was 75 bitcoin – nearly $400,000 in mid-December of 2019. Most small organizations don’t have $400,000 in petty cash to burn. More importantly, even if the ransom is paid, can the attackers be trusted not to provide either a faulty key or, worse yet, just permanently erase the data? Option 1 is expensive and not ideal.
If complete and current backups are available, this is the ideal solution. Restore to clean hardware and resume operations. However, there are two significant concerns here. One is a question: is the policy of most small organizations (small businesses and smaller local government agencies and not-for-profits) really to backup every type of system including the phone systems? Likely, no. Secondly, depending on how long the ransomware has been lurking on the system and how invasive the threat’s reach is, there is a real risk that the backups are also corrupted with very same ransomware encryption. That leaves those backups unusable. Comprehensive restore being somewhat unlikely, this “ideal solution” has a lower probability of being fully available. Prepare for this option.
Rebuilding systems from scratch is the safest except that complete data is not available. That makes the systems a whole lot less useful. This is the only option left if the first two are unavailable.
How much confidence does that evaluation leave a small organization? Not as much as one might hope.
Back in the Lodi situation, the city did not pay the ransom and was able to restore all of the systems from backup.
In the five weeks since the attack, the staff in Galt have managed to get 85% of the city’s systems restored and functional. The outstanding 15% are still undergoing the rebuilding and restoration process and are considered lower priority since they aren’t involved in daily operations for city employees.
According to an update posted on the City of Galt website on January 8, 2020, the telephone systems were “largely restored” with some standard phone numbers still not functioning. Other technology systems were expected to be back online by the middle of January.
That means that there was almost of month of interruption to the daily operations of the city (take into account that some of the delay could also be attributed to the holiday season). Comparing that to a private sector business that has critical dependency on IT systems for revenue production, three weeks of revenue loss would be a tremendous hit to the bottom line. It’s one thing when a company has a planned shutdown for upgrading or retrofitting projects. However, when it’s a complete surprise, the disruption is magnified. If data loss is involved, the costs can be substantially higher.
Evaluation of the direct cost of the ransomware attack in Galt 85% of the way through recovery is $758,000 which includes the cost of IT experts, risk management providers, legal counsel, and forensic audits. It is reported that Galt’s insurance includes some level of cybersecurity coverage.
In a small business environment, add the potential for 3 weeks of lost revenue to the $758,000 direct IT cost. For contextual purposes, Galt has more than 100 full-time personnel and a $10 million budget which corresponds to $100,000 in revenue per employee which has similarities to smaller private sector entities. Using that figure to calculate the lost revenue, three weeks of lost revenue would be roughly $600,000.
Total estimated, effective financial cost to a private sector entity of 100 employees and $10,000,000 in revenue would be $1,358,000.
Financial costs aren’t the only damage to an organization. The negative brand impact varies dramatically between different types and sizes of organizations. Negative brand impact is also terribly difficult to calculate or even estimate. In any event, no one considers negative brand impact to be a desired outcome or a potential for positive business outcomes.
How dangerous are the current strains of ransomware? Based on the number of attacks occurring now, in spite of increased awareness and improved defenses, the answer is very dangerous with the threat increasing on a daily basis.
The reality that every organization that maintains data needs to prepare for the eventuality that ransomware could threaten their operations and bottom line.
In retrospect, Lodi City Manager Steve Schwabauer said “I have to say from my perspective, ransomware attacks were not high on my radar as city manager because there were only a few cities that this had affected, but our IT staff had their eye on it.”
Does that tell us that the IT staff which “had their eye on it” didn’t take enough preventive action such as cybersecurity training for the entire city staff? Or, does it mean that the city didn’t afford the IT staff enough available resources to implement adequate (or at least additional) protections? Or, could the attack even been prevented by any level of cyber defenses?
All of those options are plausible. However, very reasonable investments in cybersecurity defenses can provide huge returns on investment with respect to the potential cost of a ransomware attack. The problem is that it’s very, very difficult to demonstrate that the thwarted (or potential) attack would have delivered maximum payload in a way that is clear to the decision makers who can provide those resources.
It appears that larger businesses have scaled up their cybersecurity budgets to take on these new threats. There isn’t as much evidence to support the same level of improvement for smaller organizations.
If nothing else, the budgets for IT must be increased to include fully comprehensive, offsite backups that are much less susceptible to ransomware attack. (Refer to option #2 above)
It’s time to accept the reality that the ransomware threat is real. It is lurking around your network with the aim of taking our data and operations hostage. It’s a conversation that all of our business and organization leaders need to have with their IT team. And, that conversation needs to occur now.
As a company with a focus on small business, our discussions often refer to small business. However, small businesses that have been hit with a damaging cyberattack are really tight-lipped about discussing attack vectors and breach details. That’s why the story of a small city government who suffered through a ransomware attack can shed some light on the real-life experience of the level of damage that is inflicted on finances as well as the ability to provide services.