Getty Images/iStockphoto

Ransomware attacks ravaged municipal governments in March

Many municipalities across the U.S. faced network outages, data breaches and large ransom demands following a flurry of ransomware attacks last month.

Ransomware attacks caused prolonged disruptions for several municipalities in March, impairing public services and forcing government workers to use pen and paper.

Despite recent law enforcement actions, including a takedown operation against the LockBit ransomware gang in February, the threat continued last month. Municipalities took the brunt of attacks, with the Medusa ransomware gang claiming responsibility for two of them. Following the attacks, cities and counties across the U.S. struggled to restore services; for some municipalities, it wasn't the first time they were disrupted by ransomware.

On March 26, government officials in Gilmer County, Ga., disclosed that multiple services were down following a ransomware attack. Officials posted a notice on the city's website to warn residents of the disruptions, though it has since been taken down. The Record reported that the notice stated the county "recently detected and responded to a ransomware incident and has taken affected systems offline." Officials warned residents to expect delays as the city worked to restore services. Gilmer has not released an official statement.

One day prior, the police department for the city of St. Cloud, Fla., disclosed through Facebook that the city was experiencing a ransomware attack. While it confirmed 911 lines remained operational, residents were instructed to make payments to the city in cash only due to affected systems.

The city posted additional information on the St. Cloud website, though it referred to the incident as a cyberattack and did not mention ransomware. The statement confirmed law enforcement was investigating the attack and that the city implemented additional measures to continue services while systems remained down. While the transfer station remained open and accepted cash payments, the Toho Water Authority's customer service office at City Hall was closed.

Veronica Miller, St. Cloud city manager, issued an update on Tuesday that revealed the city was still "working to determine the full nature, scope and any impacted data." She emphasized the incident did cause disruptions but applauded the IT staff for their rapid response.

On March 22, The Record reported that Henry County, Ill., was hit by ransomware on March 18. Mat Schnepple, director of the emergency management office for Henry County, told The Record that the city forced systems offline and engaged law enforcement following the attack. Medusa claimed responsibility for the attack through its public leak site and demanded $500,000.

Municipality attacks continue

Tarrant County in Texas suffered a ransomware attack on March 21 that it disclosed on March 22. The attack forced its website offline, so the city provided information through the city of Haslet, Texas. The statement confirmed Tarrant County suffered disruptions due to ransomware and that an investigation was ongoing.

Fox 4 News reported that Vince Puente, chairman of the Tarrant Appraisal District, led an emergency meeting on March 25 where he revealed Medusa was behind the attack and demanded $700,000 to resume operations.

Bernalillo County, N.M., disclosed it responded to a ransomware attack on March 15. Disruptions affected at least three district attorney's offices, according to the statement. Government officials implemented security measures in an attempt to limit the attack scope. "These measures include blocking suspicious email; disabling inbound network access from DAs offices; and disabling the public defender's office Wi-Fi at the Metropolitan Detention Center," Bernalillo County wrote in the statement.

March's incident marked the county's second ransomware attack in two years. In June 2022, the Albuquerque Journal reported that the county's Metropolitan Detention Center was forced to close due to ransomware.

On March 16, Pensacola, Fla. experienced its second ransomware attack since 2019. City officials posted updates to its Facebook page beginning on March 18, confirming phone disruptions across all departments. On March 27, the city said phone systems were fully restored but online bill pay services remained down. On April 2, the city confirmed the attack led to a data breach, though it is unclear what information and how many individuals are affected.

Birmingham, Ala. experienced weeks of disruptions following an attack last month. Government officials disclosed in a Facebook post on March 6 that the city was experiencing a network disruption. While they confirmed emergency services were unaffected, some in-person and online services such as the 311-call center were down. A temporary number was established for the call center on March 22.

On Tuesday, AL.com reported that outages continued, and Birmingham city officials were forced to continue using pen and paper to conduct business. The Birmingham-based news outlet also said "multiple officials" confirmed the network disruption was the result of ransomware.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.

Dig Deeper on Data security and privacy