Winston-Salem Online Services Disrupted by Ransomware Attack

A post-Christmas cyberattack has disrupted Winston-Salem, North Carolina’s digital systems, leaving residents unable to pay utility bills online. City officials announced the incident on December 30, stating they had detected issues shortly after Christmas.  

"We are working diligently to investigate the source of the event with state and local agencies to confirm any impact to city systems and restore full functionality as quickly and securely as possible," the city noted in an online message as reported by The Record.

As a precaution, key systems were taken offline, though fire and police services remain unaffected. Utility bill payments can still be made in person using cash or checks, and no penalties will be imposed for late payments.  

However, the city has provided little additional information since the attack, leaving its 250,000 residents and neighboring Forsyth County in limbo.

Notably, North Carolina has a pioneering 2022 law banning government entities from paying ransoms in cyberattacks. This policy also mandates immediate notification to the North Carolina Department of Information Technology (NCDIT), which aids in incident response.  

Winston-Salem City Manager Pat Pate highlighted that “almost all the other major cities in North Carolina have been hit with an event similar to this,” underlining the widespread threat. Federal agencies and the National Guard are now assisting with recovery efforts.

Takeaway: Ransomware attacks against municipalities across the US have become an alarming trend, exposing the vulnerability of local governments to increasingly sophisticated cybercriminal operations.  

These attacks, often orchestrated by Ransomware-as-a-Service (RaaS) groups employing advanced tactics and tools similar to those used by nation-state actors, disrupt critical public services and impose staggering recovery costs.  

Despite the growing frequency and severity of such incidents, the federal government largely leaves municipalities to face these threats alone, offering guidance to avoid paying ransoms but little direct financial or technical support.

The consequences of this hands-off federal approach are evident in the experiences of cities like Columbus, Ohio, which in 2024 faced a crippling ransomware attack. Attackers locked city systems, halting essential services such as utility billing and online operations.  

Adhering to federal guidelines, Columbus officials refused to pay the ransom and instead partnered with cybersecurity experts to rebuild and secure their systems. The process, however, took weeks and cost millions, burdening the city with significant financial and operational challenges.

That same year, Hoboken, New Jersey, found itself in a similar predicament. A ransomware attack paralyzed municipal services, leaving residents unable to access permits or public records.  

Although critical services like police and fire departments remained functional, the attack underscored the fragility of local infrastructure. Like Columbus, Hoboken declined to pay the ransom, relying on federal cybersecurity agencies to assist with recovery.  

Yet the city, like so many others, bore the brunt of the financial burden, with no substantial relief from federal authorities.

These attacks are not a new phenomenon. Baltimore, Maryland, experienced a devastating ransomware attack in 2019 that shut down email systems and disrupted property sales and water billing for weeks.  

The city refused to pay the $76,000 ransom demand, a decision praised for its integrity but one that came with a staggering $18 million price tag for recovery and lost revenue.  

A year earlier, Atlanta, Georgia, suffered a similarly catastrophic attack, which crippled police records, court services, and utility billing systems. The fallout from that incident cost Atlanta over $17 million, making it one of the most expensive municipal cyberattacks in U.S. history.

Even smaller municipalities have not been spared. Riviera Beach, Florida, and Jackson County, Georgia, have fallen victim to ransomware attacks, with limited cybersecurity resources making them attractive targets. Riviera Beach controversially paid a $600,000 ransom in 2019 to regain access to its systems, a decision that sparked national debates over whether such payments perpetuate the problem.

The common thread across these incidents is the overwhelming burden placed on local governments to handle attacks that resemble the work of national-level adversaries. Attackers often target critical systems—utility billing, public records, and emergency response networks—knowing the disruption will pressure municipalities into action.  

While federal agencies, such as the FBI, discourage ransom payments to avoid funding criminal enterprises, this guidance offers little solace to cities grappling with the immense costs of recovery. Forensic investigations, system upgrades, and employee training frequently result in expenses far exceeding the ransom demands themselves.

In the absence of substantial federal assistance, municipalities are forced to shoulder these challenges largely on their own. Despite adopting robust cybersecurity measures and emergency response plans, cities are increasingly outmatched by the sophistication of RaaS operations.  

The federal government’s current approach, focused on discouraging ransom payments without providing the necessary resources to prevent or recover from attacks, leaves municipalities vulnerable to a relentless and growing threat.  

As these ransomware operators continue to evolve, the need for a coordinated national strategy has never been more urgent.

‍

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.