US City Rejects $5.3 Million Ransom Demand and Restores Encrypted Files from Backup

The US city of New Bedford, Massachusetts, has shown how it's done when it comes to dealing with cyber criminals holding a city to ransom. In the process, it avoided paying a $5.3 million ransom, which would have been a record amount.

Details have only now been released about the incident, which occurred on the night of July 4/5 this year when hackers infiltrated the city's IT network with the Ryuk ransomware. Because the attack happened at night, most of the city's systems were turned off and the ransomware was unable to spread. In fact, the ransomware affected only 158 computers, or 4% of the 3,500+ computers used by city workers.

When the ransomware was discovered by IT staff the following day, they disconnected the affected computers from the city's network, thus containing the damage.

As the attack was still unfolding, the city contacted the attacker via an email address that had been provided and was told that if a $5.3 million Bitcoin ransom was paid, a decryption key would be given to unlock the encrypted files.

The amount was beyond what the city could pay but they didn't tell the attacker this. Instead, the New Bedford Mayor, Jon Mitchell, came back with a counter-offer.

"I decided to make a counter-offer using insurance proceeds in the amount of $400,000, which I determined to be consistent with ransoms recently paid by other municipalities," Mayor Mitchell said during a press conference. "The attacker declined to make a counter-offer, rejecting the city's position outright."

The city kept the attacker 'talking', buying time while its IT department worked to strengthen the city's defenses. When it became obvious the attacker wasn't going to play ball and take the counter-offer, the city restored all of the encrypted files and information from the backup systems it has in place. Due to the timing of the attack and the resultant low number of computers affected, no critical systems were impacted and restoring from backup was easy.

Since the attack, the city has installed additional security software and is developing new protocols.
