When he came into work one January morning two years ago, Lt. James Graham discovered the Bedford Police Department was under attack.
Dispatchers couldn't log any new incidents in the records management system. Then Graham found an ominous message on his computer screen.
Hackers had seized control of the department's electronic records. They were holding them hostage, and time was ticking; the longer the town waited to pay up, the higher the ransom demand would climb.
“It was heartbreaking when I first saw it,” Graham recalled. “I’m like, ‘Oh, we’re done.’”
It was a harrowing moment, but one that quickly passed. Bedford managed to recover the police department’s files in a matter of hours by restoring them from a backup.
Police had to manually document some incidents that occurred overnight by listening to calls and radio transmissions. But having a cyber security plan in place may have saved the town a hefty sum; without the electronic backup, it faced a choice between paying cyber criminals to unlock its files or losing records that date back more than 20 years, Graham said.
“It would have been quite a blow,” he said. “We would have been starting from scratch again.”
Local officials across the state have faced similar predicaments as they wrestle with a new breed of cyber attacks designed to extort money from victims.
Hackers use malicious code known as ransomware to encrypt computer files, then demand money to unlock the data.
In recent years, organizations across the globe have been hit by crippling ransomware attacks, ranging from major companies to hospitals, nonprofits and local governments.
Experts say the public sector is especially vulnerable because governments tend to have outdated computer systems, and they maintain crucial, sensitive data.
Inside the Bay State, a handful of attacks against cities and towns have garnered widespread attention, though the problem may be more prevalent than many imagine. Records obtained by the NBC10 Boston Investigators show dozens of Massachusetts communities have quietly negotiated ransomware attacks, sometimes taking days or weeks to recover, or paying large sums to reclaim their data.
In a broad survey last year, NBC10 requested records regarding ransomware attacks from each city and town in Massachusetts. More than 260 responded, and the results show at least one out of every six communities in Massachusetts has been infected by ransomware.
In most cases, town leaders were able to recover their files from backups without paying a ransom, the records show.
But at least 10 communities handed over taxpayer money to hackers, paying bitcoin — an encrypted, digital currency that experts say is all but impossible to trace. Ransom payments ranged from $300 to more than $11,000, the records show.
Several other communities refused to disclose whether they’d been hacked, saying that information is too sensitive to release.
Even in cases where towns recovered their files, the attacks proved costly.
In Douglas, records show the police department considered paying a $750 ransom when it got hacked a few years ago. They restored from backups instead, but lost six days’ worth of police log entries. They had to recreate the information from arrest and crash reports, the records show.
In another South Coast community, town officials got a ransom demand for more than $4,600. They couldn’t get the money together in time, so a police officer had to transfer cash from his personal bank account to pay the hackers, according to records obtained by NBC10. The town later paid him back.
Jeremy Kurtz, chief technology officer at RetroFit Technologies, a Milford company that provides cyber security services for dozens of cities and towns, said the results of the NBC10 survey aren’t surprising, given the number of cyber threats the company encounters on a daily basis.
“It can shut down municipalities very quickly,” he said, “so the town managers get, I’ll say the word antsy when something is hitting and they can’t control what’s going on because of the financial loss to the town or city.”
Kurtz said many attacks start off in ways that really aren’t that sophisticated: sometimes malware gets inside a town’s computer network via an email that appears to be from a trusted contact, like a coworker or boss. Opening an attachment or visiting a link in the message gives hackers a foot in the door, and they can quickly infect computers across the entire network.
In one Massachusetts community, Kurtz said, leaders didn’t have enough money to pay the ransom demand, nor did they have a way to restore their files. The town wound up losing a trove of data, ranging from personnel files to building records, he said.
“If you do your backups … 95 percent of the time you don’t pay because you can recover all of your data,” Kurtz said. “If you don’t, then you have to weigh the options. Do I lose all of my data, and what’s the cost of that versus going out and paying to get your data back?”
Federal officials tracked a major increase in ransomware attacks during the period from 2015 to 2016, although the occurrence of indiscriminate ransomware campaigns has sharply declined since early 2018, according to an announcement last fall from the FBI.
Still, financial losses from ransomware attacks increased significantly during that time, according to the FBI, which reported receiving 2,047 complaints identified as ransomware with adjusted losses of over $8.9 million.
David Farrell, assistant special agent in charge of counterintelligence and cyber programs at the FBI’s Boston office, said ransomware remains one of the agency’s top cyber security concerns.
“We don’t suggest ever paying,” he said. “The more and more people pay, the more and more it entices the ransomware criminals to keep on going.”