Florida City Paying $600,000 to End Ransomware Attack
Attacks Against Municipalities Continue
The city of Riviera Beach, Florida, has agreed to pay hackers about $600,000 in bitcoin to end a ransomware attack that crippled the city's IT infrastructure for nearly a month.
Riviera Beach is one of several governmental units hit by ransomware attacks during the last several months. For example, Baltimore is still recovering from a May 7 attack that has cost $18 million for recovery so far. But it chose not to pay a ransom.
Ransomware Investigation
City officials did not reveal many details about the ransomware attack, other than to note it's under investigation by local police and the FBI. Interim City Manager Deirdre Jacobs noted at a Monday city council meeting, where the ransom payment was approved, that the city plans to issue a report when the investigation is complete.
It's not clear what strain of ransomware affected the city's network, although the Palm Beach Post reports that it started when someone in the city's police department opened up a phishing email on May 29.
The city did not disclose the attack until June 5, when it posted a small notice on its website explaining that the municipality was experiencing a "data security event."
City officials did not immediately respond to Information Security Media Group’s requests for comment.
Besides agreeing to pay the ransom, the city council voted earlier to pay $900,000 to buy new computers and equipment, according to news reports. At the Monday council meeting, Justin Williams, the city's interim IT manager, noted the city's websites and email had been restored along with the financial systems and software, but several other systems were not yet restored, including back-up systems.
City officials said at the Monday meeting that the city’s insurance would cover the ransom payment. The Palm Beach Post says insurance also would cover $300,000 worth of equipment expenses.
Local Governments Under Attack
Riviera Beach is the latest example of a growing trend of ransomware attacks targeting units of government.
In May, threat-intelligence firm Recorded Future published a study that found an increase in ransomware attacks against local governments, with 53 incidents in 2018 and over 20 attacks so far this year (see: Ransomware Increasingly Hits State and Local Governments).
Since Recorded Future published its findings, there has been a slight uptick in the number of ransomware attacks when comparing 2018 to 2019, Allan Liska, a threat intelligence analyst and the author of the report, tells ISMG.
The FBI generally advises organizations that are victims of ransomware to avoid paying ransoms because it may encourage other attacks – and sometimes attackers don’t come through on their promise to provide a decryption key.
So far, Baltimore has resisted paying a ransom, with Mayor Bernard C. "Jack" Young saying that option is not on the table. But some units of government, including Jackson County, Georgia, have paid a ransom to restore systems (see: Georgia County Pays $400,000 to Ransomware Attackers).
Deciding whether a governmental unit should pay a ransom can sometimes involve making a difficult choice between restoring vital services and encouraging more attacks, Liska acknowledges. And governments face other related costs as well.
"Paying the ransom does not mean there aren't millions of dollars in recovery costs as IT and security teams still have to work to restore services and put in protections to ensure the attack is not repeated, as happened to the Colorado Department of Transportation in 2017," Liska says.
The attack in Baltimore sparked a national conversation about whether the federal government should do more to help local officials deal with ransomware attacks. Many hackers apparently have used the so-called EternalBlue vulnerability in Windows to create these large-scale attacks; an exploit of that vulnerability was developed by the U.S. National Security Agency and later stolen and distributed on the internet (see: Baltimore Ransomware Attack Triggers Blame Game).
Some security researchers, however, have noted that no EternalBlue code has appeared in the ransomware attack in Baltimore, which was hit by a strain of malware called RobbinHood.
Beware of Phishing
While ransomware grabs most of the headlines, it's not the only cybersecurity danger facing local governments.
On June 13, the city of Burlington in Ontario, Canada, disclosed that a phishing scheme caused the city to lose $500,000 to fraudsters when government employees transferred money to an account controlled by the hackers. That case is still under investigation.