Hackers Use Ransomware To Attack Cities
SCOTT SIMON, HOST:
American cities are being taken hostage - not by bandits in ski masks, but cybercriminals who use so-called ransomware to shut down critical systems until the cities pay up. Baltimore has spent more than a month and $18 million trying to recover from that kind of attack. And Riviera Beach, Fla., reportedly agreed to pay almost $600,000 in ransom this week.
Kate Fazzini is a cybersecurity reporter at CNBC. Thanks so much for being with us.
KATE FAZZINI: Thank you very much, Scott.
SIMON: What do we know? What happened in these two cities?
FAZZINI: So it seems like some pretty standard ransomware was used. It's usually sent to some unsuspecting people via email. They click on a link, and it spreads very, very quickly through their entire network so that their systems are locked up, data is locked up. So there's nothing they can do until either they pay or replace all the equipment.
SIMON: And how common have these attacks become?
FAZZINI: Oh, they're very common. In fact, they're much more common than you might expect. The cities get highlighted a lot because, obviously, if you can't pay your utility bill, it becomes a public issue. But these are just sweeping through many different companies and organizations. They don't always have to report - in fact, they very rarely have to report that they've happened, so what you're seeing in the media is just the tip of the iceberg.
SIMON: Any idea who's responsible, or does that encompass a lot of people?
FAZZINI: It definitely encompasses a lot of people, a lot of nation-states. You see some of these groups sort of doing both. So we've had issues with ransomware being deployed by criminals who were also doing some work for the Iranian government or the North Korean government. It's almost impossible to tell right away, and even after a lengthy investigation, it's still very hard to tell.
SIMON: So Riviera Beach, Fla. - what makes it worth their while to pay hundreds of thousands of dollars?
FAZZINI: So there have been a couple of different big ransomware attacks. Obviously, you see Baltimore, Atlanta had to pay several million dollars to fix and replace their equipment and get back online. A lot of these cities lose hours and hours of productivity. It just makes financial sense for some organizations to pay the ransom.
They do have to have some reassurances, though, that the information they're going to get back from the criminals who did this will actually work to unlock their computers. Also, it appears in Florida that their insurer is actually going to be covering that cost, so that's probably another incentive for them to go forward with it.
SIMON: I wonder about this. If Riviera Beach pays to avoid being attacked, doesn't it make it more likely that criminal organization just attacks - and I'll make up something - Delray Beach, Fla., the next week?
FAZZINI: I think you maybe missed your calling as a cybercriminal, Scott. Criminals are always looking to, what is the formula that makes paying the ransom worth it to the person who I'm attacking? So I'm absolutely certain that you're right that you will see an uptick in at least attempts to do this in other cities.
SIMON: Cities have computer experts, right? Shouldn't they be avoiding these attacks somehow?
FAZZINI: I think it's a pretty sensitive issue. In the case of Baltimore, the mayor came out and publicly blamed the National Security Agency for having lost some exploits several years ago that had resulted in the attack that they sustained. But at the same time, there had been a patch available that the city hadn't put in place.
You know, nationwide, there was an enormous lack of people with cybersecurity skills. City governments aren't known for their enormously high salaries. So I think you'll see the competition at tech firms, at big banks making it very hard for these cities to have enough people in place.
SIMON: Kate Fazzini reports on cybersecurity at CNBC, and her new book is "Kingdom Of Lies: Unnerving Adventures In The World Of Cybercrime." Thanks so much for being with us.
FAZZINI: Thank you, Scott, for having me.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.