After being hit by a ransomware attack, the second Florida city this month has opted to pay hackers their requested ransom.

UPDATE

A city in Florida has paid hackers almost $500,000 after suffering a ransomware attack that locked down its email systems and servers – only the latest municipality to be hit by ransomware and pay the ransom.

The Florida municipality, Lake City, has a population of 12,046 and is located in northern Florida. Lake City officials voted on Monday to pay the hackers 42 Bitcoin (which translates to 460,000 USD), which would be mostly covered by insurance.

Lake City marks the second Florida city this month to pay hackers their demanded ransom. The two Florida cities are only the latest in a string of ransomware attacks targeting state and local city governments – and experts warn that the cities paying the ransom could only show hackers that the attacks are profitable, incentivizing them to launch even more attacks against municipalities.

“The incidents in Atlanta, Baltimore and now Florida show that it’s not ‘if’ it’s going to happen but ‘when,'” Rick McElroy, head of security strategy at Carbon Black, told Threatpost. “These attacks seem to be financially motivated, dictated by return on investment. The FBI recommends that ransomware victims not pay – that’s been well established. However, it’s very difficult to unequivocally stick to that.”

The initial infection occurred two weeks ago, after an employee in city hall opened a malicious email. The attack locked down the city’s email and servers. The police and fire departments were the only ones not impacted, as they operate on a different server, according to reports.

Further technical details about the malware that then infected the network is not known, and officials from Lake City did not immediately respond to a request for comment on these details from Threatpost. While insurance would cover the majority of the ransom payment, $10,000 would need to be collected from taxpayers.

The city is reportedly working to recover the data after receiving a decryption key as of Thursday, according to local reports.

“I would have never dreamed this could have happened, especially in a small town like this,” Stephen Witt, mayor of Lake City, told local media.

Disbelief was the same reaction of city officials for the other Florida city hit by a ransomware attack this month. Last week Riviera Beach, a city in Florida populated by 35,000, paid a ransom of 65 Bitcoin (worth around $600,000) in exchange for unlocking computers. Like Lake City, Riviera Beach was hit by the ransomware attack May 29 after a city employee clicked on a malicious link in an email.

“This whole thing is so new to me and so foreign and it’s almost where I can’t even believe that this happens but I’m learning that it’s not as uncommon as we would think it is… Every day I’m learning how this even operates, because it just sounds so far fetched to me,” Riviera Beach Council Chairwoman KaShamba Miller-Anderson said told local media.

Despite the cyberattacks seeming “far-fetched” to city officials, ransomware attacks are increasingly targeting state and local cities, experts say.

The Florida cities are only the latest in a string of costly ransomware attacks targeting city governments. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000. And the city of Baltimore is another recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more, demanding a $76,000 ransom.

In fact, a recent report by Recorded Future threat intel analyst Allan Liska found that it does appear ransomware attacks on state and local governments is on the rise.

While digging through local media reports, Lisa found that in 2017, 38 ransomware attacks were reported, while in 2018, that number jumped to 53. And in the first four months of 2019, there have already been 22 reported attacks so far – a number which is only set to go up, he said.

Ransomware attacks on state and local governments were already on the rise in 2019, but the last month has seen an acceleration in both reported and unreported attacks, Liska told Threatpost.

“At this point, our research doesn’t indicate that these are ‘targeted’ attacks in the traditional sense,” Liska told Threatpost. “It appears they are more targets of opportunity. The unfortunate coincidence appears to be that cities and states like to use the tools that ransomware actors are currently targeting, such as Remote Desktop protocol. That being said, because of the attention these attacks are getting, attackers do focus on these victims when they come across them. Cybercriminals pay attention to the news, and they see these big payouts, which means when they land in a city of state government they will devote extra resources to these attacks.”

Liska hopes the local media attention given to ransomware attacks will translate to more resources being devoted to security, but is not optimistic.

“This is where concerned security professionals can get involved,” he urged. “Go to city council meetings and ask what the plan is in the case of a ransomware attack, ask whether backup systems are regularly checked (or if there are backups at all, hold local governments to account. Understand that the IT/Security teams in these municipalities have been asking for these things for years, but if there is no outside pressure the city leadership may not feel compelled to act.”

McElroy for his part stressed that CISOs of cities should “band together” on the issue of ransomware attacks and apply better security solutions, increased security budgets and better education around the issue for staff.

“It would be a great idea for cities to start using common technology solutions that allow them to, in real time, share threat information with other cities,” he said. “Moreover, cities need to be prepared to increase budgets and recruit good security people. The time for saying ‘it won’t be us’ is over.”

This story was updated on June 27 at 8am to reflect that the city has now reportedly received a decryption key.