Ransomware Attacks Create Dilemma For Cities: Pay Up Or Resist?

Enlarge this image toggle caption Andrew Brookes/Getty Images/Cultura RF Andrew Brookes/Getty Images/Cultura RF

It's been a bad summer so far for government information systems. Hackers have used ransomware to attack the data networks of Baltimore, the Georgia courts system and Lake City, Fla., to name a few. And the decision as to whether to pay the extortionists ransom is fraught. Pay them, get the decryption key and get your data and network back in fairly short order. Or refuse to cooperate with criminals and have it cost untold millions of dollars and create significant aggravation.

That's the conundrum that the town of Lake City suddenly found itself in in June. It started out as a nice, normal Monday morning at city hall. But then someone in IT noticed something was wrong, says Mike Lee, a sergeant with the Lake City Police Department.

"They immediately brought everything off line," Lee said. "They turned off the servers. They literally went room through room through city hall, unplugging people's networks cables and turning off all the computers."

After everything was disconnected, there remained a sliver of hope-- maybe they caught it before everything was encrypted. But Lee says that hope turned out to be forlorn.

"The riot ransomware attack, quietly makes its way through the entire system and then it encrypts everything at once and sends you a ransom," he explained. "So we kind of cut it off partway through. But you know a lot of the damage had already been done. We just didn't know it yet."

Business at city hall didn't so much grind to a halt as end like a finger snap. And how much did the crooks want for the decryption key that would restore Lake City's information systems?

"Their payment request was for 42 bitcoins," said Lee. "At the time of the purchase, it was roughly $460,000."

Lake City officials notified state and federal law enforcement personnel and then called their insurance company, the Florida League of Cities.

"We talked to them to try find out as much as we could about what they thought happened, said Eric Hartwell, insurance counsel at the 500-plus member League. "And then we put them in touch with the cybersecurity firm that would essentially pick up the reins and, you know, walk them through the process."

Hartwell says the decision about whether or not to pay the ransom is rooted in each city's particular situation, "Every city is kind of like a business," he said. "They've got to evaluate what data is missing, what kind of backup information do we have is reliable. Whether or not to cooperate with what the demand has been or whether or not to stand pat."

Not paying often means replacing equipment and starting over. That's usually a lot more costly than paying the ransom. The city of Baltimore decided not to pay the 13 Bitcoin ransom demand, roughly $75,000 when its systems were hacked with RobbinHood ransomware. The cost of Mayor Jack Young's principled stand has topped 18 million dollars.

Lee says Lake City was advised to pay the hackers. "We have received the decryption key and we are slowly making our way through our systems a little at a time," he said. "And at this point that key has proven successful where we've used it."

The Lake City taxpayers had to pick up the $10,000 deductible but the rest, $450,000, was paid by insurance.

Ransomware crime is many times more lucrative than say, bank robbery, with the advantage of no weapons, disguises, getaway cars, police chases. In fact, practically no risk of getting caught at all. "We see these types of attacks happen every day all across the country," said Amanda Videll of the FBI's Jacksonville Division, which is investigating Lake City's attack.

Videll says even though ransomware hacks are more common than is generally understood, the official numbers are nevertheless an under-representation. That's because businesses sometimes decide not to report they were targeted. Getting hacked carries a stigma that victimizes the target even further. Videll urges ransomware victims to report the crime to the FBI so they try to get an accurate read on this criminal trend and help where they can.

"We are trying to encourage any victim of ransomware, whether it be a business or an individual or a city agency or a government agency to report that to the FBI directly, before they decide to take any action, basically, whether or not to pay," Videll said.

From the FBI's point of view, paying ransom only encourages more hacking. And when private businesses don't report ransomware attacks, it's an added boon for the extortionists. The FBI says it's not unsympathetic toward the victims' plight and dilemma, but paying data hostage takers has to stop or the attacks never will.

And the attacks keep coming. The city of Key Biscayne became the latest Florida victim when an employee opened an attachment in an email. All three Florida city's networks were infected when employees opened email attachments. For public employees conducting public business it's a particularly difficult situation.

Last week, the Administrative Office of the Georgia Courts had its data encrypted by ransomware. That follows on the heels of last year's attack on the City of Atlanta's computer network, where the hackers demanded $51,000. To the FBI's satisfaction, Atlanta refused to pay. But the resulting damage has been estimated to cost around $17 million.