Atlanta Mayor Keisha Lance Bottoms waits to speak at the Atlanta Press Club luncheon, Tuesday, June 18, 2019, in Atlanta. Andrea Smith | AP

City governments are under assault from ransomware, malicious software that infects entire computer networks, freezing up important files and equipment until the organization pays for a key to unlock the information. Baltimore and two cities in Florida have fallen victim to ransomware in recent weeks, and Atlanta's mayor advocated in Congress Tuesday for more federal help in protecting against ransomware. Atlanta and Baltimore are each spending millions on the clean-up from their attacks. In Florida, Riviera Beach paid $600,000 and Lake City almost $500,000 to get their data unlocked, according to representatives from those cities. Cities may have been caught off guard by the attacks, but corporations have been quietly battling the problem for years. These attacks have given the public the opportunity to examine the problems associated with ransomware, which corporations -- not obligated to disclose these attacks -- have mostly handled behind closed doors. These issues include the moral objections to paying off criminals, the practical risks of not paying and the lack of federal support to help mitigate risk.

A young crime is growing up

Ransomware was little known before 2014, when some of the first, very rough versions of the malicious software began circulating more widely through corporations. It took criminal organizations about a year to refine their approach and make the attack style ubiquitous across corporations. According to FBI statistics, ransomware was an almost immediate success, and incidents exploded in late 2015 and through 2016. It has continued rising steadily, with criminal organizations further refining their techniques to target the most valuable data and pull higher payouts, according to Molly Arranz, a partner in the data privacy, security and litigation practice group at law firm Smith Amundsen. In the early years of ransomware, organizations were skeptical of paying, Arranz says, because they weren't sure the criminals would provide the necessary keys to unlock the files. This changed as some criminal enterprises gained a reputation for "reliably" providing the right keys, making it possible for companies to do a more practical risk-benefit analysis, and in some cases, for insurance companies to pick up the cost, she said. Arranz said the $600,000 paid by Riviera Beach was a lot, but that six-figure ransoms are not uncommon. There even have been rumors of seven-figure payouts in recent years, she said, but only one confirmed case: a South Korean internet service provider in 2017. "The companies that are paying the ransom amount, if they don't pay for it, that information is lost forever," she said. "Therefore, it's money well spent." As cities pay these larger ransoms, criminals will get new insight into how to extract the maximum dollar value out of their attacks, said Mark Orlando, chief technology officer of defense industrial company Raytheon's Cyber Protection Solutions group. "We definitely can expect more high-dollar payouts," said Orlando. "Ransomware is, by far, much more lucrative today. It's become commoditized, and you can get a pre-built, customizable toolset for it. It's a tried and true business model. [Criminals are] asking for the maximum amount that they think the victim will pay before they try to just go and rebuild the network on their own. They've reached a new high-water mark."

The moral, practical and reputational hazard

Lake City mayor Stephen Witt told a local news station Wednesday: "I would've never dreamed this could've happened, especially in a small town like this." His surprise may seem unexpected, given the boom in ransomware. But the topic has stayed quiet until recently because private businesses aren't required to report these attacks to shareholders or regulators. "That's why you're not hearing of more of these, and it's not because companies are hiding the ball," Arranz said. "They're complying with what's legally required of them." Companies have strong incentives to keep the attacks private. At best, any organization that pays a ransom or negotiates with those making demands is dealing with criminals. At worst, they could be making a blind payoff to a rogue nation-state like North Korea or a terrorist group. The FBI has traditionally given blanket warnings not to pay ransoms. But if organizations don't pay, they're betting that customers will stick around through days or weeks of downtime while they rebuild, Orlando said. That's a risky calculation. Having back-ups that work, or segmented networks -- built so parts of the network can be cordoned off from the wider network in the event of an attack -- can help, but even these tactics are limited in their effect, Orlando explained. "On the enterprise side, some equipment is purpose-built to do certain things. Equipment -- especially in health care and manufacturing -- those are not just files that are stored somewhere else that you can replace, like you replace the data you backed up on your cell phone. Back-ups aren't silver bullets, in terms of time loss and service loss," Orlando said.

Looking for support, but not finding it