A Florida city, hit by a ransomware attack that crippled its computer systems for three weeks, voted this week to pay the attackers the requested ransom of $600,000.
Riviera Beach, a Florida city of 35,000 people, was hit by the ransomware attack May 29 after a city employee clicked on a malicious link in an email, according to local reports. Attackers behind the malware, which spread throughout the city’s network and shut down its computer systems, asked for a ransom of 65 Bitcoin (worth around $600,000) in exchange for unlocking the computers.
In a Monday meeting, the city council voted unanimously to authorize its insurer to pay the $600,000 ransom. The security community for its part has argued that the city is taking a “big gamble” in paying the ransom.
“The Riviera Beach City Council has taken a big gamble by paying the ransom as there are no guarantees the attackers will return any of the data, which could leave the city in an even worse situation,” Shlomie Liberow, technical program manager at HackerOne, said in an email. “By paying the ransom, the council also encourages more of these types of attacks as it makes it more profitable for attackers.”
Ransomware: Juggling Risks
The stakes of a ransomware attack are high: In the case of Riviera Beach, systems controlling the water utility were offline, government email and phone systems wouldn’t work, and 911 calls couldn’t be entered into computer records. According to local reports, the computer systems controlling city finances and water utility pump stations are partially back online.
These factors and more can be important when a ransomware victim is determining the timeline and damage stemming from paying a ransom – versus not paying.
“The answer is never as black and white as we’d like it to be,” Rick McElroy, head of security strategy at Carbon Black, told Threatpost. For instance, a healthcare organization (such as Hancock Health) that was attacked and is unable to access patient data for care, putting lives at risk, might be facing different risks when it comes to paying a ransom versus the time it takes to fully recover all systems, he said.
“FBI recommends that ransomware victims not pay – that’s been well established,” he said. “However, it’s very difficult to unequivocally stick to that.”
In the case of Riviera Beach, “unfortunately, there is no right or wrong answer here,” Mark Orlando, CTO of cyber protection solutions at Raytheon, told Threatpost.
“However, organizations need to be equipped to handle situations like this one,” he said. “From knowing how to engage with law enforcement to understanding the risks of payment or non-payment. Organizations must weigh the costs and benefits of paying the ransom and make the decision that is best for them.”
The Price of Paying
Riviera Beach is only the latest in a string of costly ransomware attacks targeting city governments. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted the municipality for $51,000. The city of Baltimore is another recent victim of ransomware, which hit in May and halted some city services like water bills, permits and more, demanding a $76,000 ransom.
Many other cities that fell victim to ransomware chose not to pay the ransom – but were still left with crippling costs. Atlanta ended up spending $2.6 million in recovery costs, including incident response and digital forensics, additional staffing and Microsoft Cloud infrastructure expertise, while Baltimore dished out $18.2 million in restoration costs and lost revenue.
However, experts warn that paying the ransom in a ransomware attack could end up causing more turmoil for victims – as well as inspire other cybercriminals to launch ransomware attacks.
“Organizations have to consider whether or not they have backups in place, or if restoration of services would cost more than paying the ransom,” McElroy said. “Each organization must make their own decision, but I typically recommend that companies don’t pay the ransom to discourage cybercrime and disrupt the economics behind cyber extortion.”
Ionut Nechita, threat labs senior analyst at Comodo Cybersecurity, agreed that as “a default rule, organizations should never pay ransomware as it only encourages future criminal activity.”
“There’s never a guarantee that files will be restored after payment especially if the malware is programmed to delete files,” said Nechita in an email. “To prevent against further damage, system administrators should consider restricting normal users’ access, so when ransomware is accidentally started, it cannot do as much damage from a limited account. Given ransomware is typically known to target and delete backups, having a backup of critical data, ideally in a different location, can keep your data away from attackers.”
Ultimately, the best practice doesn’t come down to paying a ransom versus not, but instead to preventing the cyberattack from happening altogether, researchers agree.
“Preparation is the cure for ransomware,” stressed McElroy. “Preventing attacks starts with understanding what the attackers are doing and how. Organizations need visibility into attackers’ behaviors and the malware that’s in use. They also need to do the security basics well: patching, backups, and testing. Application whitelisting is also great prevention against ransomware.”