A small Florida city paid an extraordinary $600,000 in ransom this week to hackers who had locked up the city’s computer systems — highlighting an increasingly common dilemma for city leaders across the country.
Cities have been hit with an increase in ransomware attacks in recent years since tight budgets have left them with outdated and hackable computer systems. But paying the ransoms to reverse the attack means putting money — taxpayer money — into the hands of nefarious hacking groups who probably will use it to target other victims.
If they refuse to pay up, though, they could be saddled with an even bigger bill to get their cities back online. And they may have to deal with lasting consequences — like in Baltimore, where city leaders decided against paying the ransom and still haven’t restored all city services six weeks after a devastating attack.
“When you pay the ransom, you’re making the bad guys better,” says Allan Liska, a threat intelligence analyst at cybersecurity firm Recorded Future. “But, from a strictly business perspective, sometimes you have to pay the ransom because the cost of not paying it is going to be much, much more.”
But cities, of course, are not just businesses – they have citizens who don’t want their tax dollars wasted and leaders who want to get re-elected. Given there are taxpayer costs to either choice, this is both a practical and moral question for city leaders.
“It’s their constituents’ money and it’s taxpayer money, so that’s very different,” Liska tells me.
Not to mention, there could also be career and electoral consequences for city officials who don’t stand up to bad guys. “No politician wants to go on record as having paid a ransom to a cybercriminal,” Liska said.
Already on Thursday, the payout had registered in Washington, where Sen. Marco Rubio (R-Fla.) said he’s working on ways the federal government can help.
A study from Recorded Future found that cities are actually slightly less likely to pay off ransomware hackers than other victims. Just 17 percent of the cities struck with ransomware in the study paid, compared with about 45 percent of ransomware victims overall.
That figure could change, though, as city officials draw lessons from major ransomware attacks in cities that didn’t pay. In Baltimore, officials expect to pay about $18 million after refusing to pay a ransom demand of just about $70,000, and a 2018 attack in Atlanta cost the city about $2.6 million to recover from.
In the case of Riviera Beach, Fla., the city suffered through three weeks during which city workers couldn’t access their email accounts and emergency dispatchers couldn’t log calls into computers, my colleague Rachel Siegel reported. Ultimately, the city council voted unanimously to pay the hackers 65 bitcoin, which amounts to about $592,000.
Price tags like that are bound to make city officials think twice about whether they can refuse a ransom demand, Joe Hall, chief technologist at the Center for Democracy and Technology, told me.
“You’d think the incentive would be to pay as little as possible,” he said.
Ransom payments and ransomware recovery costs are sometimes covered by insurance, but insurance rarely covers all the costs and a big payout will raise cities’ insurance rates.
Another lesson cities are hopefully taking from the Baltimore, Atlanta and Riviera Beach examples, however, is that they should be better protecting their computer systems against hackers before the ransomware strikes, Tad McGalliard, director of research and policy at the International City/County Management Association, told me.
That includes installing basic protections such as guarding against phishing emails and requiring extra verification before people can access computer systems, he said. It also includes making sure that all the city’s vital records are backed up someplace offline where hackers can’t seize them and lock them up.
“We’re likely to see a continuing increase in ransomware attacks on local governments, but I hope we also see local governments taking note of this and doing everything in their power to bulk up their cyber defenses,” McGalliard said.
Article Credit: Washington Post