Cleveland City Hall was closed to the public after a ransomware attack. Officials did not immediately share how the attack happened or when City Hall will reopen. Credit: Jeff Haynes / Signal Cleveland

City officials confirmed on Friday that the “cyber incident” first reported earlier that week was a ransomware attack. What does that mean? Here are some answers to a few frequently asked questions.

What is ransomware?

Ransomware is a type of malware (short for malicious software) that lets the hacker who deployed it lock an organization out of its own data and systems and demand payment to restore access. This is typically done by encrypting, or scrambling, the data so that it's unreadable without a key. The hacker will also try to encrypt or delete backups, if they can be reached from the compromised network, so that the victim can't simply restore them. The hacker then demands payment, usually in Bitcoin or another cryptocurrency, in exchange for the key that decrypts the data.

In many cases the hacker will also steal valuable data — like personnel records — and either offer to sell it back, sell it elsewhere or both.

Nearly all organizations hit by ransomware last year reported getting their encrypted data back, according to “The State of Ransomware 2024,” a report released in April based on surveys by cybersecurity company Sophos. “The two primary ways of recovering data were restoring from backups (68%) and paying the ransom to get the decryption key (56%),” the report stated. (The figures overlap because some organizations did both.)

How much are the attackers demanding?

We don’t know. According to the Sophos report, the average demand in an attack on a state or local government in 2023 was $3.3 million, and the average payment among those that chose to pay was $2.2 million.

Negotiating is common but not always successful, and it can backfire. Sophos reports that 20% of state and local governments that paid shelled out the demanded amount, 35% talked the attackers down, and 45% ended up paying more.

Will the city pay the ransom?

As noted above, paying is fairly common. But federal law enforcement always advises against it, according to Lisa Plaggemeir, executive director of the National Cybersecurity Alliance, a nonprofit that works with the public and private sectors.

“You’re putting yourself in a situation where you’re doing business with criminals,” Plaggemeir said in an interview with Signal Cleveland last week, before the nature of the attack on City Hall was known. “So how much do you trust them to actually deliver through that negotiation process on what they’ve promised you?”

And it’s not just a financial crime but also a national security issue, she said. Last year, a U.S. intelligence official revealed that half of the funding for North Korea’s missile program came from cyberattacks (on banks and cryptocurrency firms) launched from within that country.

How did ransomware get into the city’s network?

We don’t know that either. According to the Sophos report, nearly half of successful attacks on state and local governments were the result of a compromised account login. In other words, the attackers obtained a legitimate user’s password, possibly through phishing, and simply logged in. Phishing refers to a wide variety of methods that cybercriminals use to trick people into sharing sensitive information, sending money or downloading malware.

Or they could have guessed a password, especially if it was something like “12345” or “password” (this is a lot more common than you may think).
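To make the “compromised login” scenario concrete, here is an added illustration that is not part of the original article or the Sophos report. Attackers who guess passwords rarely hammer one account; they try one common password such as “password” against many accounts (“password spraying”), so the telltale sign in a login log is one source address failing against many different usernames in a short window. The log format, the sample lines and the thresholds below are all constructed for this example.

```python
"""Spot password spraying in constructed authentication log lines.

Added illustration, not code from the original article. The log format,
sample entries and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (invented for this example). One source address
# fails against six different accounts in 12 seconds, then gets in as the
# sixth; a second source is an ordinary user mistyping once.
SAMPLE_LOG = """\
2024-06-10T08:00:01 auth FAILED user=jsmith src=203.0.113.7
2024-06-10T08:00:03 auth FAILED user=mjones src=203.0.113.7
2024-06-10T08:00:05 auth FAILED user=rlee src=203.0.113.7
2024-06-10T08:00:07 auth FAILED user=kpatel src=203.0.113.7
2024-06-10T08:00:09 auth FAILED user=dkim src=203.0.113.7
2024-06-10T08:00:11 auth FAILED user=agarcia src=203.0.113.7
2024-06-10T08:00:13 auth SUCCESS user=agarcia src=203.0.113.7
2024-06-10T08:05:00 auth FAILED user=jsmith src=198.51.100.22
2024-06-10T08:05:04 auth SUCCESS user=jsmith src=198.51.100.22
"""

LINE_RE = re.compile(r"^(\S+) auth (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def find_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {source: sorted distinct usernames} for sources whose failures
    touched at least `min_users` different accounts inside `window`.

    The signal is breadth of accounts from one source, not repeated failures
    on a single account, which is what distinguishes spraying from a user
    who forgot their password.
    """
    failures = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "FAILED":
            failures[src].append((ts, user))

    hits = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # slide the window start forward until it fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def successes_after_spray(events, hits):
    """Accounts that logged in successfully from a flagged source: the
    credentials most likely guessed and the first ones to reset."""
    return sorted({user for _, outcome, user, src in events
                   if outcome == "SUCCESS" and src in hits})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    flagged = find_password_spraying(evts)
    print("sprayed from:", flagged)
    print("likely compromised:", successes_after_spray(evts, flagged))
```

The thresholds (five accounts in ten minutes) are deliberately low for the tiny sample; in a real environment they are tuned against normal login volume, and the same logic is usually run against the identity provider’s sign-in logs rather than a flat file.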

Phishing also could explain how the ransomware got into the city’s network. In one common scenario, the attacker sends a phony email that looks nearly identical to one from a trusted source, like a vendor. But the attachment isn’t really an invoice; it’s malicious code dressed up as a document, and opening it runs that code on the recipient’s computer, giving the attacker a foothold inside the network. When the email is tailored to a specific person or organization, it’s called spear phishing.
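The “invoice that isn’t an invoice” trick usually depends on a file whose name says one thing and whose contents say another. As an added illustration (not code from the original article, and not what any mail gateway actually runs), the checks below flag the common disguises: an executable with a document-looking double extension, a file named .pdf whose bytes are a Windows program, and an Office file that carries a macro project. The file-signature table and the sample attachments are constructed for this example; the sample Office file is just a ZIP shaped like one.

```python
"""Triage an email attachment that claims to be a document.

Added illustration, not code from the original article. SIGNATURES,
EXECUTABLE_EXTS and the SAMPLES dictionary are constructed for this example.
"""
import io
import zipfile

# Leading bytes of common document formats (well-known file signatures).
SIGNATURES = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".docm": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Types that run code when "opened" (example list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}


def triage_attachment(name, data):
    """Return a list of reasons the attachment looks suspicious (empty = none found)."""
    reasons = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    # 1. Executable type, possibly hidden behind a document extension: invoice.pdf.exe
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment type {ext}")
    if len(parts) > 2 and ("." + parts[-2]) in SIGNATURES:
        reasons.append("double extension hides true type")

    # 2. Windows program regardless of what the name claims
    if data[:2] == b"MZ":
        reasons.append("content is a Windows executable (MZ header)")

    # 3. Declared document type does not match the bytes
    expected = SIGNATURES.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not match {ext} signature")

    # 4. Office container carrying a VBA macro project
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("Office document contains a VBA macro project")
        except zipfile.BadZipFile:
            reasons.append("ZIP container is malformed")
    return reasons


def make_docm_with_macro():
    """Constructed sample: a minimal ZIP laid out like a macro-enabled Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments: one genuine-looking PDF and three disguises.
SAMPLES = {
    "invoice_2024-06.pdf": b"%PDF-1.7\n%...",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.docm": make_docm_with_macro(),
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        print(fname, "->", triage_attachment(fname, content) or ["looks like a document"])
```

These checks are cheap and catch the lazy versions of the trick; a real gateway goes further (detonating the file in a sandbox, stripping macros, checking the sender’s domain), which is why the advice to be wary of unexpected attachments still applies even when a filter is in place.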

Another possibility: hackers found a vulnerability in software that the city uses, for example an unpatched flaw in an internet-facing system such as a VPN or remote-access server, which is one reason prompt updates matter.

When will this be resolved?

That’s impossible to say, even for the few people at City Hall with up-to-date information. The fallout from a ransomware attack on Dallas last year dragged on for months.

Can ransomware attacks be prevented?

Cybercriminals are clever and relentless, but they’re also businesspeople, and “time is money,” Plaggemeir said. 

The NCA recommends that everyone follow these guidelines at home and at work:

  • Use different passwords for every account. Make them really different – don’t just change a number or letter.
  • Use two-factor authentication whenever possible.
  • Always apply updates to software promptly. They often contain patches for recently discovered vulnerabilities.
  • Be wary of any email, text or other electronic communication that asks you to share personal information, click a link or open a document. 

“If all of us did those four things consistently,” Plaggemeir said, “we would make a massive dent in this problem.”

Associate Editor and Director of the Editors’ Bureau (he/him)
Important stories are hiding everywhere, and my favorite part of journalism has always been the collaboration, working with colleagues to find the patterns in the information we’re constantly gathering. I don’t care whose name appears in the byline; the work is its own reward. As Batman said to Commissioner Gordon in “The Dark Knight,” “I’m whatever Gotham needs me to be.”