Ransomware Is Taking Down Entire Cities. Your Practice Isn't Immune.
Baltimore's city government has been paralyzed by ransomware for the past two weeks. City employees can't access email. Real estate transactions are frozen. Water billing is offline. The attackers are demanding $76,000 in Bitcoin. The city has refused to pay. Recovery costs are estimated at $18 million.
Baltimore isn't alone. Atlanta lost $17 million to ransomware last year. Riviera Beach, Florida paid $600,000. Lake City, Florida paid $460,000. Dozens of smaller municipalities have been hit in 2019.
If ransomware can take down a city, it can take down your practice.
Why Cities Are Getting Hit
Municipal governments share the same vulnerabilities as small practices:
- Outdated systems. Baltimore was running Windows XP and Server 2003 on critical systems. Cities, like practices, stretch hardware and software budgets as far as they'll go.
- Understaffed IT. Most cities don't have dedicated cybersecurity teams. Their IT departments are focused on keeping systems running, not securing them.
- Flat networks. No segmentation means one compromised machine can spread ransomware everywhere.
- Inadequate backups. Atlanta's backup infrastructure was connected to the same network and was encrypted along with everything else.
The Cost Math
Baltimore refused to pay the $76,000 ransom. Their recovery cost: $18 million. That figure includes forensic investigation, system rebuilding, lost revenue from offline services, overtime for staff working on recovery, and replacement hardware and software.
For a dental practice, the math scales down but the ratio holds. A $5,000 ransom demand can turn into $50,000-100,000 in recovery costs if you don't have good backups. Downtime alone, at $2,000-5,000 per day in lost revenue, adds up fast.
Lessons from the Municipal Disasters
1. Don't Pay (If You Have Backups)
Both Atlanta and Baltimore refused to pay. Recovery was expensive and slow but ultimately successful. Paying doesn't guarantee recovery and funds criminal operations. Having clean, tested backups gives you the option to refuse.
2. Segmentation Limits Damage
In every major ransomware incident, flat network architecture allowed the attack to spread everywhere. Segmenting your network, separating workstations from servers from backups from IoT devices, limits the blast radius.
3. Offline Backups Are Non-Negotiable
Atlanta's backups were on the same network. They were encrypted along with everything else. Your backup must be isolated from the production network. Cloud backup with separate credentials. Air-gapped local backup. Something the ransomware can't reach.
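Lessons 2 and 3 can be checked together by treating the network as a graph of allowed flows and asking what one compromised workstation can reach. This is an added example, not part of the original article: the zone names come from the text, while the host counts and the segmented policy are constructed assumptions, and spread is modeled as following only the flows a compromised zone is allowed to initiate.

```python
from collections import deque

# Zones named in the article; hosts-per-zone counts are constructed sample values.
ZONES = {"workstations": 10, "servers": 2, "backups": 1, "iot": 6}

# Flat network: every zone can open connections to every other zone.
FLAT = {src: set(ZONES) - {src} for src in ZONES}

# Hypothetical segmented policy: which zone may initiate connections to which.
# Backups pull from servers; no other zone is allowed to dial into the backup zone.
SEGMENTED = {
    "workstations": {"servers"},
    "servers": set(),
    "backups": {"servers"},
    "iot": set(),
}

def blast_radius(policy, start):
    """Zones reachable from a compromised zone via allowed flows (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def report(policy, start):
    """Summarize exposure if `start` is the first zone infected."""
    reached = blast_radius(policy, start)
    return {
        "zones": sorted(reached),
        "hosts_exposed": sum(ZONES[z] for z in reached),
        "backups_reachable": "backups" in reached,
    }

def zones_that_reach_backups(policy):
    """Audit: every zone from which the backup zone is reachable, directly or via hops."""
    return sorted(z for z in ZONES
                  if z != "backups" and "backups" in blast_radius(policy, z))

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, report(policy, "workstations"), zones_that_reach_backups(policy))
```

The audit function matters because reachability is transitive: a single rule letting servers push to the backup zone puts the backups back within reach of every workstation that can reach a server.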
4. Patch or Pay
Baltimore's RobbinHood ransomware exploited a known vulnerability. Patches existed. They weren't applied. This is the same story as WannaCry, NotPetya, and Equifax. Patch or pay. Those are the options.
5. Cyber Insurance Matters
Baltimore did not have cyber insurance. $18 million came out of the city budget. A practice without cyber insurance faces the same proportional risk. A $1,000/year policy could save you from a six-figure loss.
Cities have budgets, IT departments, and (theoretically) governance. They still get destroyed by ransomware. A 10-person dental practice with no IT staff and no security budget is an easier target. Invest accordingly.