What do these Massachusetts communities have in common: Melrose, Tewksbury and Leominster? Besides being difficult to pronounce, all these places have been hit by ransomware attacks. Over the last six years, nearly a dozen cities and towns in Massachusetts have had their systems attacked, with hackers asking for bitcoin in exchange for their data. Nationwide, hundreds of police departments, schools and municipalities have faced ransomware attacks.
To help combat this, professors at MIT have founded a cybersecurity clinic to help public agencies across the country prepare for ransomware attacks. One of those professors is Larry Susskind from MIT's Department of Urban Studies and Planning. Susskind spoke with WGBH All Things Considered host Arun Rath about what's at stake for public agencies when it comes to cybersecurity and ransomware. This transcript has been edited for clarity.
Arun Rath: So first off, let's talk through the basics. What do we know about ransomware attacks? Who are the hackers and how are they getting into networks?
Larry Susskind: Well, the hacking is going on everywhere. There are literally thousands of attacks a day. And the hackers appear to be not local. These are predominantly people working with robots and computers in North Korea, Iran, Russia, with long lists of possible addresses, and they're going after them until they find one with a weakness. And at that point, they plant malware. And then a note follows that says, 'If you ever want access, once again, to all of your data, you will pay so much in bitcoin.' It's hostage taking. And it's by hackers, we think, most of whom are primarily interested in promoting chaos.
Rath: So it's not about the money, not traditional criminal behavior?
Susskind: I would say they don't mind making money, because they keep increasing the amount of the ransoms. The way they've attributed some of these hackers to particular state-sponsored interests is by the particular software that they use, but they can't find the individuals.
Rath: Well, say I've received the electronic version of a ransom note. What would you recommend I do next?
Susskind: Well, it's too late to be talking to us at that point. We're talking with places before this happens so it doesn't happen. We want to help cities assess their vulnerabilities and correct them so they don't get hit. If somebody is hit, there are very sophisticated cybersecurity firms that will come and help — mostly figure out how to get your data back or, if you do get it back, how to scan it to make sure it doesn't contain even worse things now that it's coming back to you.
Rath: And at that point, when things are too late, is it smart to negotiate? You said the FBI stance was that you should not give in?
Susskind: You should not pay ransom because you're helping the terrorists, who will then just expand their operation. There have been examples where cities have been able to reduce the amount of ransom by engaging, instead of just sending the bitcoin that's required, you say, 'I don't have that much.' And then you might get an exchange and you might pay less and get your data back. You might pay it and not get your data back. You might pay it and get your data back in a corrupted form.
Rath: There's a cost-benefit analysis to be done here.
Susskind: That is exactly the right way to put it. And you really need to know what's most critical here for your operations. And you need to have thought, What are we going to do if we're out of action in our transit system for a week? No revenue can be collected, no operations can work. What if our water system is shut down or our electric system is shut down? If a hospital is hit and in the middle of an operation, everything goes down, you can't get information about the patient on the table and their blood type. Lives are going to be lost.
Rath: Do you think it's just a matter of time before an attack like that could happen?
Susskind: I do. And so before this happens, let's talk about preparedness. We're not talking about elaborate encryption. We're not talking about spending a huge amount of money, although I understand backup might cost some money. But we're not saying you need to spend a lot. We're saying, When Microsoft sends your city agency a patch on your operating system, you should install it, because not installing it means that one place of vulnerability is known by all the hackers everywhere. And they just go through, looking for that hole into the system.
And then, at least train all your new employees so that they don't open various attachments on e-mails where they don't know if it's from a trusted source. And if you don't know whether it's phishing or not, don't open it. But it means people have to be alerted for this to work. For preparedness to work, it can't be the job of the IT guy. Everyone who works in that agency has a bit of the responsibility.