Image: Jp Valery

Special feature Special report: A winning strategy for cybersecurity (free PDF) This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets. Read More

Two New York state senators have proposed two bills last week to ban local municipalities and other government entities from using taxpayer money for paying ransomware demands.

The first bill (S7246) was proposed by Republican NY Senator Phil Boyle on January 14. The second bill (S7289) was introduced by Democrat NY Senator David Carlucci, two days later, on January 16.

Both bills are under discussion in committee, and is unclear which will move forward to a vote on the Senate floor.

Both S7246 and S7289 have similar texts. The only difference between the two is that S7246 also proposes the creation of a state fund to help local municipalities improve their cyber-security posture.

"The Cyber Security Enhancement Fund that will make available grants and financial assistance to villages, towns, and cities

with a population of one million or less for the purpose of upgrading the cyber security of their local government," the text of the S746 bill reads.

First of its kind

Across the US, this is the first time that state authorities have proposed a law that explicitly forbids paying the ransom following a ransomware attack.

In July, the US Conference of Mayors unanimously adopted a resolution not to pay any ransom demands to hackers following ransomware infections, however, this was only an informal and meaningless declaration.

"We are supportive of this legislation as it creates a debate and raises awareness to this problem," said Bill Siegel, CEO and co-founder of Coverware, a cyber-security company that helps victims recover from ransomware attacks and sometimes negotiates payments on behalf of the victims.

"I do not think it will staunch attacks on NY based municipal organizations in the short term, it may even increase them as ransomware distributors may try to test the resolve of these organizations," Siegel told ZDNet.

"If a state where to pass a bill making payment of ransoms unlawful, then two large issues should be heavily considered. 1) What happens if a NY based municipal hospital is attacked, and the downtime causes the loss of life that could have been avoided if they were allowed to pay? 2) Are the state's municipal organizations adequately staffed and budgeted with DR [disaster recovery] plans, backup systems, and security programs to effectively repel and recover from an attack without creating material interruption to civic operations?," Siegel added.

The office of NY Senator Boyle could not be reached for comment. The office of NY Senator Carlucci did not return a request for comment before this article's publication.

The Coveware CEO said he couldn't disclose if his company helped any New York state government organizations, due to confidentiality agreements.

However, Siegel said that they assisted municipal organizations in the majority of US states recover from ransomware attacks.

"On a quarterly basis, they are generally about 10% of the cases we handle," he said.

Ransomware attacks in New York state

According to antivirus vendor Emsisoft, 113 US state and municipal governments and agencies were hit by ransomware in 2019. While we don't have exact numbers for the state of New York, there have been several major ransomware incidents reported last year and in 2020 in the state of New York.

In April 2019, ransomware hit the network of the town of Albany. The town opted to spend $300,000 to rebuild its entire IT network, rather than pay the ransom.

In July 2019, libraries across Onondaga County had to shut down their computer network following a ransomware infection. The Watertown School District was hit the same month.

In September 2019, the Monroe-Woodbury School District delayed the start of the school year because of a ransomware infection.

During Christmas 2019, ransomware infected the network of the Albany County Airport Authority, which chose to pay the ransom demand, described as "under six figures."

Ransomware also hit the town of Colonie in early 2020, but authorities were prepared for a cyber-attack and the town IT staff is currently restoring data from backups.