This article contains a pitch to buy a new-fangled ‘next-generation’ firewall (be aware of any vendor claims to be a solution) but is actually a good discussion of the merits of ‘pay-up’ vs. ‘pain of recovery’ approaches:
Ransomware attacks on cities are becoming more prevalent with ransom demands increasing with each attack. Recently, two cities have gone against conventional wisdom and decided to pay the ransom amount demanded by hackers who held their cities hostage. This decision has kickstarted the conversation between groups debating the moral implications of giving in to cybercriminals and the reality that cities need to regain functionality as soon as possible to support citizens.
We decided to take a closer look at the latest cities affected by ransomware cybercriminals and their decisions to utilize cyber-insurance to pay the ransom demands, or not, and we outline six best practices that can be implemented today to help prevent these attacks from crippling the next target city.
Cost Effective Decision to Pay the Ransom Demand
Two Florida cities, Lake City and Riviera Beach, were victims of ransomware attacks this month. These attacks affected city computer systems, including email servers and the ability of 911 to enter dispatch calls into their computer system. Unlike other cities that have fallen victim to cyber attacks, these two cities made the decision to pay the demanded ransom amounts.
The leaders of Riviera Beach and Lake City unanimously agreed to have their cyber-insurance companies pay the hackers a combined amount of $1.1 million in bitcoin. Both cities are covered for a majority of these payments, except for a $10,000 deductible that will trickle down to the taxpayers of each city.
For both Florida cities, the decision to quickly regain access to their compromised systems, even against the judgment and recommendation of the FBI, was the optimal decision for their situation. As outlined in the press release from Lake City, “Based on the input from the City’s IT Director and security vendor working to recover the systems, it was more cost effective to retrieve the key from the attacker than continue with self-recovery efforts.”
The Long (and Expensive) Road to Recovery
In March of 2018, the city of Atlanta was hit with a SamSam Ransomware attack that took down the city’s computer network system. This virus specifically targeted warrant issuances, water requests, new inmate processing, court fee payments, and online bill-pay programs. Cybercriminals demanded $51,000 in bitcoin and Atlanta refused to pay. The attack took the Atlanta city systems offline for weeks. To date, the city has spent $17 million to recover, update, and secure their network infrastructure as outlined in an internal report.
Similarly, Baltimore was the victim of a ransomware attack in May 2019. This cyber attack shut down computers and email, and disrupted more than 1,000 real estate sales, water bills, and parking ticket payment systems. Cybercriminals demanded $76,000 in bitcoin. According to cost estimates disclosed during a City Council meeting, the costs associated with this attack are close to $18.2 million.
In both cases, the cities of Atlanta and Baltimore did not pay the demanded ransom fees and chose to incur the immediate costs of system-wide emergency network upgrades, to invest in long-term cybersecurity solutions, and to make the necessary full hardware replacements. As Baltimore Mayor Jack Young stated, “That’s just like us rewarding bank robbers for robbing banks.” Each city's mayor and city council members took responsibility for the slow, hard, expensive system restoration rather than make the uneasy decision of paying the cybercriminals.
What Can We Learn from Both Sides of the (Bit)Coin?
Cities under attack have to make several decisions when addressing cybercriminals and regaining control of their compromised, mission-critical systems. There will always be a moral objection to paying cybercriminals – at its best, a city is negotiating with criminals, and, at its worst, blind payoffs to unknown groups or agencies could be funding nefarious activities.
Beyond morality, there is also the financial toll these attacks take on city governments and ultimately taxpayers. Between hardware purchases, consultants and cyber-forensics, the widespread cost to regain and fortify these cities has outweighed the initial ransom demand. Some may argue that this fact alone makes it a smart business decision for city leaders to pay initial ransom demands asked of them.
As cities become a prime target for the lucrative ransomware industry, preventative measures can be instituted to secure network access points, train employees to identify suspicious email attachments, and protect sensitive systems today.
What Can Cities Do to Remain Alert and Prepared?
There are several best practices that cities can start to implement as ransomware attacks become more prevalent:
- Invest in cybersecurity and business interruption insurance – Have a strategy in place that covers every user, every device, and every file.
- Lock down administrative rights – Don’t give users administrative rights, even on their own machines, unless it’s absolutely necessary.
- Stay up to date – Keep systems and apps current with the latest patches to avoid exploits that rely on outdated code.
- Protect at the gateway – Untangle’s NG Firewall can block phishing attempts, viruses, botnets, and other malware attempts. It can also block “phone home” requests made by malicious infected applications.
- Back up data – Ensure business-critical assets are backed up, recoverable and stored in a location that is protected from malicious activities that could compromise them.
- Don’t open attachments – Unless your users are absolutely, positively sure that they recognize both the sender and the file, it’s better to leave attachments alone. If they do open attachments, they should never enable macros or executables. Suggest other ways to share documents that require authentication and have built-in virus scanning.