A Florida city has agreed to pay cyber-criminals $600,000 to regain access to computer systems encrypted with ransomware, highlighting the continued threat to organizations from extortion-based attacks.

The Riviera Beach City Council voted unanimously to pay off the hackers, after security consultants hired to help recommended the extreme course of action, which runs at odds to advice from law enforcement.

The council had already voted to spend $900,000 on new computers after the attack struck three weeks ago, bringing the total outlay for the city of 32,000 residents to $1.5m.

The attack appears to have begun with a classic phishing email which a city employee clicked on. According to AP, the unnamed ransomware variant crippled email systems, forced city employees and suppliers to be paid by cheque, and even interfered with 911 dispatches.

The incident is just the latest in a long line of successful ransomware attacks targeting US cities. Most recently, Baltimore suffered major outages which are said to be costing the city $18m. Another ransomware blitz forced employees in Del Rio back to pen and paper.

However, both of those cities refused to pay the ransom. Paying up is generally discouraged by law enforcers as there’s no guarantee that victims will regain access to their data and it means they may be singled out as easy targets in future raids.

According to the FBI, there were just 1493 reported victims of ransomware last year with attacks costing them a little over $3.6m. However, these figures are likely to be a significant under-estimate, given many attacks won’t be reported and the figure for losses doesn’t include “lost business, time, wages, files, equipment, or any third party remediation services acquired by a victim.”

Cyber-criminals appear to be focusing their efforts increasingly on businesses. The number of ransomware detections targeting consumers dropped 10% quarter-on-quarter in Q1, whereas attacks against corporates surged 195%, according to Malwarebytes.