How New Orleans Defeated
June 30, 2021
In the early hours of a Friday in December 2019, the team
monitoring the computer network handling governmental operations
for New Orleans noticed something suspicious.
"At first, it didn't seem like anything too worrying," Kim
Walker LaGrue, chief information officer for the City of New
Orleans, told VOA. "It looked like a user with the wrong
credentials was trying to access our data center, but that could
have been one of our administrators doing some early morning
work. We didn't think it was anything malicious."
That was at 5 a.m. Within a few hours, similar activity was
affecting multiple users, and the service desk was called to
From there, it didn't take long for LaGrue's team to figure out
what was going on.
"We identified a ransomware attack was being launched against
the city," she said.
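The early indicator LaGrue describes, a burst of failed credential attempts against one administrator account followed a few hours later by similar failures across several users, is the kind of pattern an authentication-log monitor can flag automatically. The following is an added example, not code from the city or from anyone quoted in the article; the log format, the hostnames, user names and IP addresses are all constructed for illustration, and the thresholds are assumptions a team would tune to its own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Format per line:
#   <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
SAMPLE_LOG = """\
2019-12-13T05:02:11 FAIL user=admin1 src=10.0.5.20
2019-12-13T05:02:40 FAIL user=admin1 src=10.0.5.20
2019-12-13T05:03:05 FAIL user=admin1 src=10.0.5.20
2019-12-13T05:03:30 FAIL user=admin1 src=10.0.5.20
2019-12-13T05:04:02 FAIL user=admin1 src=10.0.5.20
2019-12-13T07:10:00 FAIL user=jsmith src=10.0.5.20
2019-12-13T07:11:00 FAIL user=mjones src=10.0.5.20
2019-12-13T07:12:00 FAIL user=clee src=10.0.5.20
2019-12-13T07:12:30 OK   user=clee src=10.0.9.8
2019-12-13T07:13:00 FAIL user=rpatel src=10.0.5.20
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text, window=timedelta(minutes=10),
           per_user_threshold=5, multi_user_threshold=4):
    """Scan authentication events and return a list of alert tuples.

    Two sliding-window rules (thresholds are assumed values, tune per site):
      * brute_force: one account fails per_user_threshold times within window
      * multi_user_failures: one source address fails against
        multi_user_threshold distinct accounts within window, the
        "similar activity affecting multiple users" pattern.
    """
    alerts = []
    per_user = defaultdict(deque)   # user -> timestamps of recent failures
    per_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["result"] != "FAIL":
            continue  # successful logins do not advance either counter

        # Rule 1: repeated failures for a single account.
        q = per_user[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()          # drop failures that aged out of the window
        if len(q) == per_user_threshold:
            alerts.append(("brute_force", ev["user"], ev["src"], ev["ts"]))

        # Rule 2: one source failing against many different accounts.
        s = per_src[ev["src"]]
        s.append((ev["ts"], ev["user"]))
        while s and ev["ts"] - s[0][0] > window:
            s.popleft()
        distinct_users = sorted({u for _, u in s})
        if len(distinct_users) == multi_user_threshold:
            alerts.append(("multi_user_failures", ev["src"], distinct_users, ev["ts"]))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each rule fires once, at the moment the window first reaches its threshold, so a noisy account does not generate an alert per attempt. On the constructed log above the first rule fires on the five early-morning failures for `admin1` and the second fires two hours later when the same source has failed against four different users.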
Ransomware is malicious software that is planted in a computer
network to seek out sensitive data. Once that information is
located, hackers threaten to either publish the data or prevent
it from being used until a ransom is paid.
And this type of attack was not unfamiliar to New Orleans' City
Hall. A month earlier, Louisiana — the state in which New
Orleans is located — had been the target of another ransomware
In fact, in 2019, 106 city and county governments were targets
of ransomware attacks. And the problem seems to only be getting
worse. Last year, the United States suffered more than 65,000
similar attacks. Recent high-profile ransomware hacks have
targeted a U.S. oil pipeline and a major meat processing outfit.
"Am I surprised? Not at all," explained Vince Gremillion, owner
and founder of Restech Information Services, a cybersecurity
firm based in the New Orleans area.
"Ransomware attacks can be extremely profitable for the
attackers, and the victims are often ill-equipped to stop them.
If I'm surprised by anything, it's that this doesn't happen even
Attack started with phishing
Phishing is the practice of sending emails pretending to be from
a reputable company in order to get people to reveal personal
information such as passwords. This is often done by inducing
victims to click a link in the email.
This is how the New Orleans attack began.
"It's something that gets ramped up over the course of several
days," LaGrue explained. "Days before we detected anything, one
of our employees on the network clicked on a link they thought
Gremillion said email is just one way criminals attempt to hack
into a system.
"You might think I'm exaggerating, but every time a new internet
connection is established, that connection is being probed for
vulnerabilities," he said. "It's all automated, and they're just
looking for weak passwords they can take advantage of.
Unfortunately, there are many weak passwords."
While Gremillion says attacks can come from anyone and anywhere,
he and experts like Andrew Wolfe, Loyola University's
cybersecurity degree program director, say many come from
countries such as Iran, North Korea, former members of the
Soviet Union and even China.
"Attacks aren't coming directly from a foreign government, and
it's not just some nasty guy in a Siberian hut," Wolfe told VOA.
"There's a real blurring of the lines between individual hackers
U.S. authorities have traced several recent high-profile
ransomware attacks to Russia. Russian President Vladimir Putin
has not denied that ransomware attacks originate in his country.
But he has steadfastly denied any Russian government involvement
or coordination with hackers.
Wolfe said an entire industry has developed around these
"Some people are focused on developing the ransomware, while
others are executing the attacks," he said. "Some are creating
new and better ways to collect ransom and launder the money
while others are providing actual customer service to the
criminals. A whole dark supply chain exists now."
"When the employee clicked on the malicious link, it allowed
attackers access to our network," LaGrue explained.
She said the attackers began uninstalling antivirus software
that could detect attacks. They meticulously removed layers of
security protecting the system.
Gremillion said the speed at which hackers can gain access to a
vulnerable system is staggering.
"I've seen instances where Russian hackers can gain
administration-level access to a system in 20 minutes," he said.
"It's so fast, and that was a couple of years ago. It's probably
even faster now."
After a criminal has that level of access, they set their sights
on the organization's confidential data so they can use it to
extract a ransom.
Local governments are frequently targeted for ransomware
attacks, and Wolfe said there are several reasons for that.
"One is that they really need this data," Wolfe said. "Cities do
so many essential tasks — public health, public safety, taxes
and so much more — that they can't afford to lose access to that
data. Attackers know this, but they also know local governments
don't have a great reputation for having the most competent IT
staff when it comes to system security."
Lax security protecting valuable data -- plus the increased
possibility that insurance companies will agree to pay the
ransom on behalf of their local government clients -- are all
reasons attackers focus on cities like New Orleans.
A changing situation
"Now, if we're being fair, the way New Orleans handled its
ransomware attack was a near-best-case scenario," Wolfe said.
By the time system administrators realized what was going on,
the criminal hackers were already well on their way to gaining
control of the data they would need to demand a ransom. That's
when city officials made a decision that experts celebrated as
"Mayor (LaToya) Cantrell made a declaration of emergency, and we
instructed all our employees to shut down and unplug their
computers as well as to disconnect from the internet," LaGrue
The mass shutdown brought many of the functions of city
government to a temporary halt, but it also made it impossible
for the hackers to continue their attack.
"I don't want to understate how difficult and burdensome it was
for our city's agencies to do so much of their work manually,"
LaGrue said, "but cyberattacks have become more frequent and we
knew we had to prepare. Once we identified the issue, we
executed our plan."
But even a well-executed plan proved costly. LaGrue said
recovering from even the unsuccessful attack they sustained had
a price tag of approximately $5.2 million.
That's well under the $17 million Atlanta, Georgia, spent after
the city suffered a ransomware attack in 2018, and less than the
$18.2 million recovery of Baltimore, Maryland, in 2019. Still,
the cost for New Orleans was substantial.
"Most of that was replacing inventory," LaGrue said. "We had to
replace about 600 devices — or nearly 25% of our inventory — to
ensure all of our computers were clean of the virus."
And it wasn't just a financial cost. In addition to cleaning
those devices, the city assessed and cleaned more than 3,000
computers and 200 virtual servers. It also built new storage and
security infrastructures. Recovery stretched on for months.
During that time, according to Wolfe, the city had to pause or
delay basic municipal functions.
"They were able to still carry out essential functions like
public safety," he said. "But there were stretches where things
like, for example, paying parking tickets or getting a building
permit were really difficult to do."
LaGrue acknowledged there were some priorities the city had to
put on hold while it recovered from the attack, but she felt
City Hall is stronger having gone through this process.
"It allowed us to improve our cybersecurity infrastructure in a
way we probably wouldn't have if it weren't for the attack," she
said. "For example, the improvements made it possible for us to
allow our employees to securely work from home far quicker than
we otherwise could have."
The city also better understands the importance of ongoing
cybersecurity training for its employees.
we have 4,000 employees, that means we have 4,000 potential
cybersecurity vulnerabilities," LaGrue said. "We need to make
them better aware of the threats they are likely to encounter
Experts such as Gremillion say they are happy to see
improvements but would like to see organizations secure their
network before a crisis.
"Half of all internet traffic is malicious, but IT departments
don't seem to act like that's the case," he said. "The priority
seems to be to strip away things — such as making you wait to
log in if you type your password incorrectly several times. IT
staff get rid of those things because it's inconvenient for
employees who want to get online and send emails, but those
'inconveniences' keep your network safe."
Gremillion believes security measures like this are essential to
avoid painful and costly attacks down the road. They range from
the complex security layers that can take a day or two to
implement to the very simple.
"Don't get me started on passwords. If you're still using your
initials or 'password' as your password, what are you doing?
Cybercriminals are getting more advanced. The good news is the
systems used to repel those criminals are getting more advanced
as well. So we need to educate ourselves, and we need to do
better, because the consequences if we don't are so much worse."
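Two of the controls Gremillion mentions, making a user wait after several wrong passwords and refusing passwords such as a person's initials or the word "password", are small enough to show in full. The following is an added example written for this page, not code from Restech or from any system discussed in the article. The free-attempt count, the 30-second starting delay, the 15-minute cap and the small list of commonly guessed passwords are all assumed values; the user name and full name used in the usage call are constructed.

```python
import re
from datetime import datetime, timedelta


class LoginThrottle:
    """Progressive wait after repeated failed logins for one account.

    The first few failures are free; after that each additional failure
    doubles the wait, up to a cap. A successful login clears the record.
    Call check() before comparing the credential at all, so a locked-out
    account is never even tested against the password store.
    """

    def __init__(self, free_attempts=3,
                 base_delay=timedelta(seconds=30),
                 max_delay=timedelta(minutes=15)):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # username -> (failure_count, locked_until or None)

    def check(self, username, now):
        """Return (allowed, seconds_to_wait) for a login attempt at time now."""
        _, locked_until = self._state.get(username, (0, None))
        if locked_until is not None and now < locked_until:
            return False, (locked_until - now).total_seconds()
        return True, 0.0

    def record(self, username, success, now):
        """Record the outcome of an attempt; return the new lockout expiry (or None)."""
        if success:
            self._state.pop(username, None)
            return None
        failures, _ = self._state.get(username, (0, None))
        failures += 1
        if failures <= self.free_attempts:
            locked_until = None
        else:
            # 30s, 60s, 120s, ... for each failure past the free ones, capped.
            delay = self.base_delay * (2 ** (failures - self.free_attempts - 1))
            locked_until = now + min(delay, self.max_delay)
        self._state[username] = (failures, locked_until)
        return locked_until

    def locked_until(self, username):
        return self._state.get(username, (0, None))[1]


# Assumed short deny-list; a real deployment would use a large breached-password set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_problems(password, full_name):
    """Return the reasons a proposed password is weak (empty list means acceptable)."""
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # "Password1!" -> "password"
    name_parts = [p for p in full_name.lower().split() if p]
    initials = "".join(p[0] for p in name_parts)

    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if lowered in COMMON_PASSWORDS or letters_only == "password":
        problems.append("a commonly guessed password")
    if initials and letters_only == initials:
        problems.append("just your initials")
    if any(len(p) >= 3 and p in lowered for p in name_parts):
        problems.append("contains part of your name")
    return problems


if __name__ == "__main__":
    throttle = LoginThrottle()
    t0 = datetime(2021, 6, 30, 9, 0, 0)          # constructed clock value
    for _ in range(4):
        throttle.record("ada.example", False, t0)  # four wrong passwords
    print(throttle.check("ada.example", t0 + timedelta(seconds=10)))
    print(password_problems("AE2019!", "Ada Example"))
```

The throttle keys on the account rather than the source address, so it still applies when attempts arrive through a proxy or from rotating addresses; the password check normalises away digits and punctuation before comparing, so "P-a-s-s-w-o-r-d-1" is rejected for the same reason as "password".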