As recent headlines would suggest, states and localities are increasingly under threat of ransomware assaults like the one on Atlanta in late March. But when it comes to the financial ramifications, the cheapest part of the whole affair is the ransom itself.
In the case of Atlanta, hackers demanded $51,000 in Bitcoin. Officials have not said whether they paid the ransom or not, but in the days following the March 22 attack, Atlanta entered into emergency contracts worth $2.7 million to help restore the city’s computer network.
What's more, much of the system is still down. The city still can’t collect water and sewer payments online. These kind of delays add up, says S&P Global Ratings analyst Geoff Buswick. "The longer it goes on," he says, "the more [likely Atlanta is to] waive fees or take other measures. So the question becomes how long can they go without being able to collect revenue normally.”
Atlanta is far from the only government to be attacked. The Colorado Department of Transportation spent $1.5 million to get its computers back up and running after ransomware attacks in February and March. In 2016, San Francisco’s light rail system was hit by ransomware and, rather than pay, let residents ride for free until they could recover access to its network.
Maybe because of the unforeseen costs of such an attack, some places just opt to pay the ransom. Last week, the town of Leominster, Mass., paid $10,000 in Bitcoin to regain control of its school district computer system.
The financial impact and how governments respond to these events have municipal analysts taking notice. The case of Atlanta is particularly disturbing because of the size of the city and the length of time some systems have been down. “Right now, I’m trying to figure out how to deal with [cyber risk],” says Tom Kozlik, a municipal bond strategist for PNC Capital Markets. “I think a lot depends on how issuers defend themselves, and on if hackers continue to target these entities with increasing severity.”
Meanwhile, the attacks on governments are becoming more sophisticated. Buswick notes that the ransomware attack on Atlanta didn't employ the typical phishing scam, which relies on a city employee to open an email and click on a link or document that, in turn, gives hackers access to a system. In this event, the hackers were able to gain access to the city’s system thanks to password-generating software.
“That’s a concern because that’s different,” says Buswick. "Now, you can just be hit.”