This is what happens when ransomware attacks a city government

(Photo: WKRN)

(Photo: WKRN)

Another ransomware attack, another city government. This time Springs Hill City, Tennessee, was struck by ransomware early November 2017. This is not the first incident of this type: Licking County City government was also attacked earlier this year. From the two attacks, we can observe a few common things that are important for understanding why cyber extortionists will continue to target city governments. During such attacks, the city servers are partially or completely down. Here are the top consequences:

  1. 911 services function without computer assistance. This puts pressure on the dispatchers and interferes with the overall operations. Dispatchers must use paper to take notes and cannot benefit from real-time online maps.
    In the case of Licking County incident, paper was used to keep track of inbound calls, while in the case of Spring Hill City, a whiteboard on which the location of la enforcement vehicles was recorded.
    “This keeps track of our active police officers and medics out on a call,” said Director Brandi Smith about the white board.
  2. Police cars are unable to retrieve important information from the city’s servers and usually their mobile data terminals cease functioning. This makes it harder for law enforcement to perform their routine and causes an overhead when dealing with incidents.
  3. Accounting software usually stores data on such servers so in case of such incidents, it is also affected. This means online payments are disrupted or cannot be performed. Usually people use online payments for utilities, taxes, fines, etc.
  4. City employees do not have access to their mail accounts and cannot answer city related requests by citizens. They cannot generate the reports required by internal procedures and generally have difficulties performing their duties.

All the above make city government institutions appealable as targets for ransomware attacks because of the importance of the services they provide. Having such sensitive services disrupted or disabled puts a lot of pressure on city officials and increase the chances that they pay a ransom to restore their systems. The Licking County and Spring Hill attacks come after other similar attacks in Ohio in 2016, and will likely be followed by more attacks in 2018.

The latest attack has been disrupting the activity of Spring Hill City institution for over ten days and the systems are not yet fully restored. It started as one employee opened a malicious attachment. The main systems were disabled with critical files held captive by strong encryption. In this case the cyber-extortionists demanded a rather large ransom, amounting $250,000 and the city officials refused to pay for it.

The restoration of the systems started with the most important servers, delivering functionality for the 911 dispatch systems and continues with the rest of the assets. More reports and updates can be found on the WKRN website.


As we are likely to see more and more ransomware attacks targeted at core public service institutions like hospitals and city governments, it is imperative to raise awareness about why such institutions are desirable targets, especially for employees. More awareness supported by cybersecurity education can significantly protect against the ransomware threats. The use of anti-ransomware technology is also a key component of any security strategy designed to mitigate the ransomware risk.

For more information, follow us on social media and subscribe to our newsletter.