Ransomware Attack! Making the Hard Decisions

Sarasota, Florida, City Manager Tom Barwin reflects on lessons from a ransomware attack.

Oct 31, 2016 | ARTICLE

A ransomware attack on city computers in Sarasota, Florida, and perspectives from City Manager Tom Barwin appeared as examples in a lengthy article about cyberattacks on government computers.* We spoke with Barwin, a 35-year ICMA member, to learn more.

The Attack

Early in 2016, Sarasota experienced a ransomware attack when a city staff member inadvertently opened an e-mail with a malicious attachment. The attack corrupted the staff intranet—the internally hosted file-sharing and storage network—and the e-mail demanded a ransom of half a bitcoin per file. Since an estimated 160,000 files were affected, that amounted to about $33 million at that time (it would have been more today, when a bitcoin is valued at about $650).

The attack occurred despite staff training and education about the dangers of spam, malware, and cybercrime, and cautions about phony e-mails and scams. The information technology (IT) and city management staff quickly analyzed the situation to determine the best course of action. According to Barwin, IT was “on top of things,” identified the problem right away, had backup systems in place, and was able to take the servers down and restore the system within a single workday. They made the decision to shut down the intranet long enough to restore the data—and not to pay the ransom.

Sarasota was fortunate that the attack did not affect sensitive information about employees or residents, and the impact on the public was minimal or nonexistent. So there was no decision to communicate about it publicly.


Sarasota, Florida, City Manager Tom Barwin

Other cities and counties have not been so lucky, and some have (reluctantly) met criminals’ demands to regain access to records, retrieve data that has not been properly backed up, or restore the functionality of critical systems that have been “held hostage.”

Takeaways from the Attack

Asked to reflect on the attack and its aftermath, Barwin said his biggest takeaways were these:

  • The attack revealed that the city’s systems needed a higher level of protection and improved ability to rebound, so the city invested in additional firewall and virus protection, moved some backups to the cloud, and improved the speed and capacity of the servers to improve recovery if necessary.
  • Even more important, Barwin noted the need for continuous employee training, and the vital importance of taking cybercrime seriously and establishing relationships with law enforcement organizations, particularly state and federal agencies focused on cyber incidents. The city did report the attack to the FBI, but he said all ransomware attacks should be reported immediately, without delay, to the FBI. Plans to segregate malware and preserve it for law enforcement should be pre-thought out. Immediate reporting and investigation can improve the odds of catching cyber criminals and increase the chances that the attacker(s) could be identified and future scams shut down.

Reporting Ransomware Attacks

The FBI issued a public service announcement in September 2016 urging ransomware victims to report incidents to federal law enforcement. It says, in part, “Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment.”

The announcement reinforces the seriousness of the ransomware threat, provides a description of the information it needs in a report, lists recommended precautions that can reduce the risk of a ransomware attack, and provides a link to locations of FBI field offices throughout the United States.


* Criminals Increasingly Hold Government Computers for Ransom,” by Jenni Bergal, originally in Stateline, an initiative of The Pew Charitable Trusts.


You may also be interested in