Cyber Incident Victim: City of New Bedford
Date: Jul 2019
Location: United States of America
Summary
A ransomware attack targeted a Massachusetts city's IT network, deploying Ryuk malware that encrypted files on 158 workstations, representing 4% of its total systems. Attackers demanded $5.3 million in Bitcoin for decryption keys, but officials countered with $400,000—an offer rejected by the hackers. The infection occurred overnight, limiting spread as most systems were inactive, and critical infrastructure remained unaffected. IT staff contained the breach by disconnecting compromised devices upon discovery. With negotiations failing and backups available, the city opted for system restoration rather than payment. The incident caused manageable operational disruptions compared to other municipal ransomware cases, avoiding service paralysis and significant financial loss.
Description
The ransomware incident impacting the City of New Bedford, Massachusetts, began on the night between July 4 and July 5, 2019, when attackers breached the municipal IT network and deployed Ryuk ransomware. This malware encrypted files on 158 workstations, representing 4% of the city’s total PC inventory. The timing of the attack during overnight hours limited its spread, as most city systems were powered down, preventing broader network compromise. City IT personnel discovered the encryption activity upon returning to work on July 5 and immediately implemented containment measures by disconnecting affected devices from the network. Forensic analysis confirmed the ransomware strain as Ryuk, which security researchers identified as a prevalent threat in targeted attacks during that period.

Through intermediaries, the city established contact with the attackers via a provided email address, initiating negotiations while continuing system stabilization efforts. The threat actors demanded a payment of $5.3 million in Bitcoin in exchange for decryption keys, which would have constituted the largest publicly disclosed ransomware payment at the time. Facing budgetary constraints and citing precedent from other municipal ransomware cases, the city counteroffered $400,000 using available insurance funds. The attackers rejected this proposal without providing a revised demand. With critical systems unaffected and backups verified as intact, New Bedford officials opted to restore encrypted systems from backups rather than prolong negotiations. Mayor Jon Mitchell publicly disclosed these events on September 4, 2019, emphasizing that the containment strategy prevented operational disruption to essential city services. The incident occurred amid a broader surge in ransomware attacks against U.S. municipalities, including contemporaneous incidents in Texas, Louisiana, and Florida where several local governments paid ransoms ranging from $400,000 to $600,000.
