In this Oct. 8, 2019, file photo, a woman works at a computer in New York. Credit: Jenny Kane / AP

Even small Maine towns and cities are not immune from a recent high-profile wave of cyberattacks that has disrupted supply chains and netted cybercriminals millions of dollars in ransom payments.  

Small-town governments are attractive targets for cybercriminals looking to make many minor scores, experts said. But with limited resources, municipalities are often not doing enough to guard against increasingly sophisticated hackers who demand payment for the return of stolen data.

“Town and city governments find it exceptionally difficult to acquire products and advanced skills to match all of the potential threats,” said Frank Appum, professor of information technology management at Thomas College in Waterville. 

Recent hacks in Maine came amid high-profile ransomware attacks that highlighted the vulnerability of critical systems in both the private and public sectors, including those supported by large IT security budgets and teams. Large organizations such as New York’s Metropolitan Transportation Authority, the largest meat producer in the world and the company responsible for operating the U.S.’s largest pipeline have all been hacked in recent months, following an estimated 65,000 ransomware attacks in the U.S. last year

In April, hackers used a ransomware program called Avaddon to infiltrate the Presque Isle Police Department. Earlier this month, hackers also used that program to access Freeport’s network. In both cases, the hackers locked the organizations out of their data and threatened to release or delete it if a ransom wasn’t paid. 

Both organizations had backups they used to restart their systems. But the Presque Isle Police Department’s data were published to the dark web. Presque Isle Town Manager Martin Puckett declined to say whether the police department had changed its practices because of the data dump or whether the release of confidential files had hindered operations.

After attacking Presque Isle and Freeport, the hacker gang behind the Avaddon software seemed to call it quits last week, shutting down associated websites and releasing nearly 3,000 virtual keys that allowed victims to recover their locked stolen data. 

Still, the threat of cyberattacks against municipal governments by an increasingly sophisticated and specialized industry of hackers is only growing as the practice becomes more lucrative. The average ransom paid to hackers in late 2018 was $6,733, but it skyrocketed to $220,298 in 2021, according to CoveWare, a ransomware response and negotiation company. 

Municipalities are attractive to hackers because they often don’t have the sophisticated defenses of large companies and their employees’ email addresses are publicly available on the internet, Appum said. Hackers can send large volumes of emails to addresses across the world to entice someone to click on a link or download a file that can compromise an entire network. 

Meanwhile, the attacks have become more specialized in recent years. For example, the Avaddon ransomware allows hackers to target high value data instead of encrypting whatever it happens to find on a particular computer, said Erich Kron of KnowBe4, a publicly traded provider of cybersecurity resources. As a result, the ransom amounts demanded by hackers are getting higher.

“The devastation caused by these attacks is much worse,” Kron said. 

Many experts recommend against paying ransoms, because they only encourage more attacks and there is no guarantee hackers will turn over control once money has been transferred. But victims often do pay hackers. 

In some cases, the cost of the ransom can be much less than the recovery. For example, in 2018, Atlanta refused to pay a $51,000 ransom, but eventually spent nearly $3 million to help get systems back online

If large cities like Atlanta can’t stay safe from attacks, it could be even harder for smaller cities and towns with limited IT budgets to do so. 

“It’s a difficult thing to ensure that we’re on the right path,” said Ryan Pinheiro, Saco’s IT director and a cybersecurity analyst for the Air Force. “The problem is we have to be right 100 percent of the time, and hackers only have to be right one time.”

The Maine Municipal Association recently launched a cybersecurity insurance program that has enrolled 372 of Maine’s 487 municipalities, spokesperson Eric Conrad said.

The state has also struggled with data security. Maine scored 39 out of 100 on a third-party assessment of the state’s IT security last year, said Kelsey Goldsmith, spokesperson for the Maine Department of Administrative and Financial Services. But the state has also taken steps to improve cybersecurity in recent months. Earlier this year, Gov. Janet Mills launched the Maine Cybersecurity Advisory Council and earmarked $4.8 million in COVID-19 relief funds for cybersecurity enhancements. 

For municipalities that can’t afford sophisticated defenses, the most important purchase they can make is backups of their data, Appum said. 

Likewise, training employees on cybersecurity practices and procedures is relatively cheap. Many ransomware attacks are from employees reusing passwords or clicking on links they shouldn’t trust, Cron said.