We put the IT in city®

CitySmart Blog

Wednesday, January 24, 2018
Jeff Durden, Senior Engineer and Team Lead

Jeff DurdenThe city of Spring Hill, Tennessee experienced a ransomware attack in early November that shut down many city operations for weeks. According to SC Media on November 16, 2017:

“The attack has essentially stopped the city from being able to conduct many of its usual functions as its IT department attempts to rebuild the database from backed up files. The attack has locked city workers out of their email accounts, and residents are unable to make online payments, use payment cards to pay utility bills and court fines, or conduct any other business transaction.”

An update on November 30, 2017 from the Columbia Daily Herald said, “The city’s financial software remains offline…” Almost a month after the attack, a major piece of software was still inoperable. While this and other articles do not give many details about what exactly happened, why, and what steps the city took to recover, we can deduce some problem areas in this situation that cities may be able to avoid. There are ways to more quickly recover from ransomware rather than letting it affect you for weeks or even months as in the case of Spring Hill.

1. Build a highly available data backup and disaster recovery solution.

A recent study shows that “Almost all (99 percent) of the professionals surveyed admitted to conducting at least one potentially dangerous action, from sharing and storing login credentials to sending work documents to personal email accounts.” Your employees pose the biggest risk for allowing ransomware into your organization—so you need to first prepare for the worst.

Modern data backup and disaster recovery solutions allow you to create “snapshots” of your data and systems at a given point in time. If the ransomware began to affect your organization at 2:30 p.m. on a Tuesday, you can restore all your data to a point in time before the infection hit that moment on Tuesday.

While Spring Hill lost two days of data, it’s also significant that it took them weeks to rebuild and, in some cases, more than a month for their financial systems software. That raises the question of whether the right data backup system was in place. Can you afford to be down that long? Most organizations cannot…and survive.

2. Monitor systems to proactively detect issues and contain damage.

It’s unknown how the ransomware entered the city’s systems and how long it festered. However, we can note that it affected a large variety of systems: email, online payments, 911, public safety, etc. That’s very widespread.

The earlier you catch ransomware, the likelier you can contain damage to a single computer, server, or area. Ways to prevent such widespread damage include:

  • Proactive monitoring and alerting of systems. When IT professionals—with the help of 24/7/365 automated software—monitor your systems and get alerts when something is wrong, then you are more likely to detect a virus or ransomware. Suspicious activity usually sends up a red flag if you’re proactively monitoring systems—and you can catch an incident much sooner.
  • Enterprise-grade antivirus: Relying on free or consumer-grade antivirus is not enough to fully protect you from dangerous ransomware. With enterprise-grade antivirus, IT professionals can manage the platform to receive alerts in real-time, more effectively block attacks, and analyze better where ransomware has specifically infected your systems.

3. Modernize and maintain software.

Older software has more likelihood of containing security vulnerabilities and crumbling under a security issue. We don’t know the age of the software at Spring Hill, but many cities often have older versions of software that lack vendor support or security features to protect against new forms of viruses like ransomware.

In addition, many software platforms are often not regularly patched and updated by cities. Altogether, this leads to situations where software becomes extremely vulnerable to ransomware when it spreads. In the case of Spring Hill, ransomware affected software across a surprisingly variety of functions—email, online payments, 911, and public safety.

4. Separate critical systems from less critical systems.

It’s interesting that 911 and public safety were affected along with city email and online payments. If departments share servers or systems and they go down, everyone goes down with the ship. When possible, segment and separate critical systems. This way, ransomware may have limited impact on fewer systems.


While Spring Hill survived their ransomware attack, it sounded quite rough according to the news reports. Be best prepared by following the tips outlined above, along with other recommendations we have shared in earlier posts, so that you don’t become the latest ransomware victim on the front page news.

Worried about how you may recover from a ransomware attack? Reach out to us today.