Real-Case Analysis #18: Cleveland City Hall Under Ransomware Attack

Elisabeth Do
June 16, 2024

Cleveland City Hall was subjected to a severe cyberattack that interrupted city operations. Cleveland is the largest city in the United States to experience such an interruption as a result of a cyber incident.

Highlights

  • The cyberattack was detected over the weekend of June 8-9, 2024.
  • The city publicly disclosed the attack on June 10, 2024.

Overview of the Cyberattack

The cyberattack on Cleveland City Hall was confirmed as a ransomware attack. Ransomware is a type of malicious software that encrypts the victim's data and makes it unavailable until the perpetrators are paid a ransom. This form of attack has become increasingly common, targeting many institutions, including local governments, because of their sometimes obsolete security systems and vital need for operational continuity.

While specifics about the initial attack vector and the exact vulnerabilities exploited have not been revealed, the attack was spotted during the city's usual IT activities. Despite recent cybersecurity efforts, the city's IT systems remained vulnerable to this complex attack. The incident highlights the persistence and evolution of cyberthreats, which can exploit even well-protected systems.

The cyberattack was discovered on the evening of Saturday, June 8, 2024, when anomalies were noticed in the city's IT ecosystem. By Sunday, June 9, the city had taken the precaution of shutting down affected IT systems to limit further damage and allow for an investigation. On Monday, June 10, Mayor Justin Bibb and IT Commissioner Kim Roy Wilson held a press conference to discuss the incident, confirming the closure of City Hall and some city offices. The city worked to restore systems all week; City Hall reopened to employees on Wednesday, June 12, but remained closed to the public. As of June 14, 2024, the full scope of the attack was still being determined and the restoration of all services was still ongoing.

Currently, no cybercriminal gang has claimed responsibility for the attack on Cleveland City Hall. However, the nature of the attack indicates it was carried out by a skilled ransomware group, possibly for financial gain. Ransomware attacks are often used to extort money from victims by holding their data hostage. The growing frequency of such attacks on local governments underscores how profitable these operations are for cybercriminals, who frequently target institutions with essential data and services that are more likely to pay a ransom to restore operations quickly.

Impact Analysis

Operational Disruptions

The Cleveland City Hall ransomware attack seriously disrupted operations. Beginning on June 10, 2024, City Hall and the Erieview Tower, which houses numerous city offices, were off-limits to the public for a few days. Numerous city services, such as the issuance of birth and death certificates and the processing of building permits, were affected by this interruption. Essential services like the police, fire department, ambulance, and utilities like Cleveland Public Power and Water continued to run well in spite of these disruptions.

Public Service and Resident Impact

Residents faced considerable inconvenience due to the shutdown of city services. Critical documents such as birth and death certificates could not be issued, and residents were directed to neighboring cities like Parma and Lakewood for these services. The inability to process payments, permits, and applications for the Building and Housing Department further compounded the disruption. The city's website and email systems, however, remained operational, allowing for some level of communication and service continuity.

Financial and Economic Impact

The financial impact of the cyberattack is still being determined, but such incidents often result in large costs for system restoration, cybersecurity enhancements, and potential ransom payments. Cleveland does not have specialized cyberattack insurance coverage, so the city is mostly self-insured and will absorb the financial burden directly. Historical data from similar incidents, such as the 2019 Baltimore attack, suggests that recovery expenses can run into the millions of dollars, even if no ransom is paid.

Lessons Learned

Importance of Cybersecurity Preparedness

The cyberattack on Cleveland City Hall demonstrates the critical need for strong cybersecurity measures. Despite recent investments in cybersecurity, the city's systems remained vulnerable to complex ransomware attacks. This incident emphasizes the importance of continual monitoring, regular updates, and thorough security processes in protecting against evolving cyberthreats.

Incident Response and Containment

The rapid response of Cleveland's IT department in detecting and containing the attack was critical in preventing further damage. The city responded quickly to the ransomware attack by shutting down the impacted systems, as is typical in such cases. This containment method helped to protect critical systems while also preventing the ransomware from spreading. The engagement of third-party cybersecurity professionals and law enforcement in the investigation highlights the importance of collaboration in addressing cyber incidents.

Communication and Transparency

Cleveland's response relied heavily on effective communication with the public. City officials provided regular updates to residents via social media and other channels, keeping them informed about the status of services and the investigation. This transparency helps to manage public expectations while also providing clear advice on alternate ways to access key services.