Earlier this week, the city of Riviera Beach, Florida, faced a $600,000 demand from ransomware operators in order to regain access to the city's data. The ransom was an order of magnitude larger than the ransom demanded by the attackers that struck Baltimore's city government in May. Against the advice of the Federal Bureau of Investigation, however, the Riviera Beach city council voted to pay the ransom—more than $300,000 of it covered by the city's insurance policy.

Baltimore had refused to pay $76,000 worth of Bitcoin despite facing an estimated ransomware cost of more than $18 million, of which $8 million was from lost or deferred revenue. Baltimore lacked cyber insurance to cover those costs.

Riviera Beach is much smaller than Baltimore—with an IT department of 10 people, according to the city's most recent budget, and an annual budget of $2.5 million to support a total city government of 550 employees. (Baltimore has about 50 IT staffers supporting more than 13,000 employees by comparison.) It's not a surprise that Riviera Beach's leadership decided to pay, given that a full incident response and recovery would have likely cost two to three times what they've agreed to pay the ransomware operators, and half of that price tag is covered by insurance. So, Riviera Beach's decision to pay looks like the easiest way out. It's a decision that has been made by many local governmental organizations and businesses alike over the past few years.

Except, it probably isn't an easy way forward. Riviera Beach will still face the costs of fixing the security issues exploited by a phishing email opened by a police department employee. There's no guarantee that data was not stolen from the network, as apparently happened in Baltimore. And the paying of the ransom indicates the city doesn't have an effective disaster recovery plan. Without major upgrades, Riviera Beach could soon end up in the crosshairs of another ransomware attack—especially now that they've shown they'll pay.

Both the Riviera Beach and Baltimore ransomware attacks, along with the half-dozen known recent ransomware attacks against local governments, are indicative of just how unprepared many governments (and businesses) are for ransomware. Over the past few years, ransomware has exploded: data shared by the FBI shows that another organization is hit by ransomware every 14 seconds, on average. [That figure apparently comes from a prediction in a Cybersecurity Ventures report in 2017, according to Cybersecurity Ventures editor-in-chief Steve Morgan, though no details on how that figure was predicted were provided.] And this trend shows no signs of slowing—in fact, a new trend of targeted ransomware, seeking even bigger payouts, is emerging, in which more sophisticated organizations go specifically after businesses and other organizations more likely to pay out.

The dismal science of ransomware

"Ransomware before was mostly opportunistic," said Flashpoint Director of Intelligence Christopher Elisan. "But what the threat actor groups realized is that when they affected hundreds of thousands of users, it was difficult to manage."

Traditionally, Tor-based ransomware "panels" have allowed attackers to communicate with victims and prove they had the keys to unlock files, offering "try before you buy" decryption of a few files as proof. Dealing with large numbers of victims for relatively small payouts wasn't scalable with this approach. "Imagine you're the threat actor group," explained Elisan, "and you open the panel and you have hundreds of thousands of people submitting samples and reaching out on chat. For 100,000 infections, 10% would pay $200 to $300 in Bitcoin. The time and effort to manage all those infections is massive, and the payout is not that big."

The operators of these more opportunistic ransomware attacks—frequently using ransomware-as-a-service tools sold on forums—often have to hire English speakers to do "customer support." Some small organizations have talked these attackers down to fractions of their initial demands as well, meaning ransomware groups often have to discount their offers. If all that wasn't hassle enough, sometimes these attackers are even providing technical support in decrypting files. "So they started moving to more targeted attacks," Elisan said.

Targeted attacks mean only having to manage a few "customers"—two or three organizations a week—with much bigger potential takes. Some targeted demands have aimed for payouts as large as $6 million. Targeted attacks often don't have a deadline associated with them, but the ransom demands are priced to make companies pay up, based on the reconnaissance by the attacker. A demand might be for a significant fraction of the revenue a victim might lose in a day, for example.

In most cases, these attacks have moved away from using a Web panel for communications with victims and instead opted for communication through email. This approach makes payouts easier by keeping things quieter—a victim organization is more likely to pay out if it can keep the whole thing quiet. "If you don't have a Web link, it's only the threat actors and the victim company that knows what's going on," Elisan explained.

The science of selling yourself out

If organizations had effective disaster recovery plans that have actually been tested and verified, with full and incremental backups ready to load, good patch management, and other security practices, then ransomware attacks would be mostly a containable annoyance. But that is a very big "if," it turns out.

Baltimore's mayor claimed the city had backups, but the city did not have a concrete disaster recovery (DR) plan. Baltimore's CIO—who came to the city after being a sales and marketing executive at Intel and has no experience in IT operations—had been working on some form of a disaster recovery plan intended mostly for dealing with power outages, not total data loss. Despite pleas from an IT security manager, the city did not even have insurance to cover the cost of an IT system recovery.

Riviera Beach's IT budget is focused mostly on desktop and printer support, with some payment systems hosted internally (along with the city police department's website). The city's disaster recovery plan has been more focused on hurricanes than ransomware, using off-site mail hosting. Until the ransomware struck, the city hosted its mail on GoDaddy's SecureServer.net rather than on internal networks. (The mail handling address has since moved to Microsoft's Outlook hosting service.) So the city wasn't exactly well-positioned to deal with a ransomware attack. Doing forensic analysis to see if data was actually lost before the attack will require expensive external help.

Both of these situations are more the norm than the exception in local governments and midsized companies—this likely goes for larger organizations, too. Backups fail. Offsite recovery is expensive, and offsite backups can disappear. Infrastructure upgrades can render updates unusable. People click on things.

In 2017, the information security conference Black Hat USA surveyed attendees and found that 58% believed their organizations didn't have sufficient budget to recover from a ransomware attack or other breach. Twelve percent said that ransomware response was the biggest demand on their time during an average day. And there's a wealth of data from research (mostly funded by disaster recovery companies) that suggests most organizations are more confident in their data recovery plans than they should be, if they even have one.

Ransomware succeeds, in short, because organizations are still running their IT operations like it's 1999 and because the products they buy are too difficult for underfunded and undermanned organizations to properly configure and maintain. Until there's a significant change in how cities, towns, and companies buy and run IT, there will continue to be Baltimores and Riviera Beaches. And ransomware operators will continue to rake in the rewards of a fundamentally broken way of using technology.