The Lake City attack began on June 10 when an employee clicked on a malicious email and infected the city’s computers with ransomware, according to the mayor. The program, which the city identified as malware known as “Triple Threat,” affected everything but Lake City’s police and fire departments, which are on a separate server.
“As a result, all Emergency services remain intact,” the city said when it disclosed the attack.
Several days went by before the hackers demanded a ransom. At first, the city, which is about 65 miles west of Jacksonville, at the point where Interstate 10 and Interstate 75 meet, had some luck restoring its systems on its own. But then it ran into trouble, so city leaders decided instead to negotiate with the city’s insurance carrier, the Florida League of Cities, to make the ransom payment.
“Any I.T. professional will tell you they’re fending off attacks all the time,” said Eric Hartwell, deputy general counsel and insurance counsel for the Florida league, which began offering cyberattack liability coverage to its hundreds of members a few years ago. “It’s not necessarily a new thing — I just think for whatever reason, the news cycle is now showing municipalities are no different from private corporations.”
There is a chance Lake City could have decrypted the ransomware on its own. A spokesman for the city said the ransomware was a variant of a malware strain called “Ryuk.” Security experts have successfully unscrambled Ryuk ransomware in 3 to 5 percent of cases, according to Emsisoft, a security firm. Part of the problem, said Brett Callow, a spokesman at Emsisoft, is that security experts need better communication channels with victims. His firm created ID Ransomware, a free website that allows victims to upload strains of ransomware so that security experts can help them to decrypt it.
In Europe, similar projects have proved successful. Security experts, law enforcement and local officials are partnering on the No More Ransom Project to share information about attacks in real time, share decryption techniques, and point law enforcement toward attackers’ command and control servers. In Poland last year, the Polish police, Belgian Federal Police and Europol arrested a Polish national suspected of having infected several thousand computers with ransomware. Security experts said they have had similar success working with the Dutch National Police, but have had a harder time connecting with the F.B.I. because the agency has stricter communication protocols.
Mr. Witt said Lake City fired an employee who it deemed had not done enough to protect the computer systems from an intrusion. That employee was not the same person who clicked on the malicious email, he said.
“We’re developing a system with a backup that hopefully won’t be vulnerable,” Mr. Witt said, imploring other small-town mayors to do the same. “Every other town needs to look at their system — today.”
“I have been in office 14 years,” he added. “We’ve had tornadoes. We’ve had hurricanes. We’ve had fires that they told me were going to maybe reach the city limits. But this was unusual. This was different.”