Municipalities Increasingly Targeted for Ransomware Attacks

Cyber criminals recently hacked the municipal computers of Rockport, Maine, demanding $1,200 in Bitcoin to unlock them. That’s just one example of a surge of ransomware aimed at municipal computer systems, both large and small, including those of the city of Atlanta and a St. Louis library system. According to Ponemon Institute, an information systems research firm, these kinds of attacks on the public sector are increasing faster than those on the private sector. City officials are often unprepared to deal with the consequences.

The Wall Street Journal reports that, “Ponemon estimates 38 percent of the public entities it samples will suffer a ransomware attack this year, based on reports through May, up from 31 percent last year and 13 percent in 2016.” To arrive at this finding, Ponemon samples “roughly 300 to 400 public-sector entities each year.”

“We’re right at the front end of this,” said Public Risk Management Association executive director Marshall Davies, who added that hackers are “just now coming after the public entities,” after “hitting the businesses for years.”

Hackers look for vulnerability rather than target specific cities, say the experts. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” said Department of Homeland Security senior official Christopher Krebs, who spoke to a mayors’ conference. “You’re not special.”

Hackers targeting cities tend to be cyber criminals, not nation states, said Krebs, and typically demand payment in Bitcoin. The hackers that attacked Rockport “offered a ‘customer service’ chat window and offered tips on how to acquire cryptocurrency.” The FBI “advises against paying, and warns that ‘some individuals or organizations are never provided with decryption keys after paying a ransom’.”

Rockport didn’t pay the hackers but rather recovered files from a compromised backup server. However, it still “ultimately paid about $10,000 to cover the immediate restoration work, plus another $28,000 to $30,000 on security improvements, including a cloud-based backup system.”

Other municipalities paid, such as Leeds, Alabama, which regained most of its files. Cities are typically less prepared for these hacks than private companies, since they can’t afford top cybersecurity talent.

Although hackers might calibrate ransom demands to what they think a city can pay, that isn’t always the case: Hackers demanded $250,000 from Spring Hill, Tennessee, home to 38,000 people, “nearly five times the amount hackers tried to pilfer from Atlanta.” Both cities refused to pay, and Spring Hill’s restoration efforts, still unfolding, may cost about $100,000.