Ransomware: The new cost of doing business Watch Now

The US Conference of Mayors unanimously adopted yesterday a resolution not to pay any more ransom demands to hackers following ransomware infections.

"Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit," the adopted resolution reads.

"The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," it said.

"NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach."

The resolution adopted this week at the 87th annual meeting of the US Conference of Mayors doesn't have any legal binding, but can be used as an official position to justify administrative actions, for both federal authorities and taxpayers alike.

22 municipalities infected with ransomware in 2019

The Conference of Mayors includes over 1,400 mayors from across the US, representing cities with a population of over 30,000.

The organization said that "at least 170 county, city, or state government systems have experienced a ransomware attack since 2013," and "22 of those attacks have occurred in 2019 alone."

A report by US cyber-security firm Recorded Future published in May supports the organization's numbers and highlights a spike in ransomware attacks targeting US cities.

Previous victims include Lynn, Massachusetts, Cartersville, Georgia, Jackson County, Georgia, and Key Biscayne, Florida, just to name a few. Just this week, the city of Richmond Heights, Ohio, fell victim to a ransomware attack.

The resolution was put forward by the mayor of Baltimore, Bernard Young, whose city's IT network was infected with ransomware in May this year.

Hackers asked for a $75,000 ransom, but the city declined to pay and restored from backups and rebuilt its IT network. Costs eventually ballooned at over $18 million.

But many of these ransomware infections have been successful in extracting ransoms. Two Florida cities paid a combined $1 million to hackers for decryption keys to unlock and recover their data.

Lack of backups helps attackers

Hackers exploit the fact that some cities fail in backing up their data, and are left with no choice but paying to recover crucial documents or face huge fines.

Both the FBI and cyber-security experts usually advise against paying the ransom demand, unless there's no other way to recover data. Everyone is urging municipalities to set up basic data back-up routines.

Most cities pay ransom demands via cyber-insurance policies.

Cities then have to rebuild networks, which usually costs more than paying the ransom, and is a step they would have had to go through even if they paid the ransom or not. This is how and why most ransomware incidents end up costing millions of US dollars, and many argue a part of that money should never end up in cybercriminals' hands.

"Paying ransom is essentially aiding the enemy," said Joel Esler, senior manager, Talos Communities Division.

"I learned an important first lesson in business back when 'business' was cutting grass and slinging newspapers: It is easier to generate revenue from existing customers than it is to find new ones," said Mitch Neff, senior marketing manager, Talos Communities Division.

"Paying the ransom makes you a customer of the threat actor, and other actors will compete for your (unwilling) business. The ransom itself is only the initial cost and doesn't advance you any further than you were at the moment of the breach," Neff added.

"Notifications, security training, and retooling security platforms to address the root cause will be much more expensive. An ounce of current backups and disaster recovery planning is worth a pound of ransom money."

But the sad reality is that most victims, regardless if they're municipalities or home users, end up paying.

According to a report shared with ZDNet today that cyber-security firm Coveware plans to publish next Tuesday, July 16, the average ransom amount paid in Q2 2019 was $36,295, up 184% from Q1.

The report also confirms the previously mentioned Recorded Future report and highlights that public sector organizations have been increasingly targeted in Q2 2019.

Related malware and cybercrime coverage: