Not If, But When: Ransomware Attackers Are Targeting Local Governments

Ransomware attacks and payments are on the rise. Between April and June, the average payment from a government rose to $338,700 compared to $36,295 for private-sector victims.
Michael Galello, Kronos | October 1, 2019 AT 11:00 AM

If you haven’t heard, ransomware attacks occur when criminals break into a computer network and then encrypt the entirety of the data within it. The data in that system is held hostage until the monetary demand is paid in cryptocurrency, which makes it untraceable. It’s a textbook case of extortion, and it’s happening more and more frequently to local governments. This isn’t happening by mistake — attackers are actively targeting governments because they may not have cybersecurity protections in place due to outdated solutions or budgetary constraints. In August, 22 towns and cities in Texas were hit at the same time. Attacks are becoming increasingly organized and complex.

Current Trends

According to Coveware, a security firm that specializes in ransomware incidents, the average ransom payment in Q2 of 2019 increased by 184 percent to $36,295, as compared to $12,762 in Q1 of 2019. Coveware’s research also found that public-sector victims of ransomware that chose to pay forked over almost 10 times as much money on average as their private-sector counterparts over the second quarter of 2019.

Between April and June, the company found, the average payment from a government victim totaled $338,700. The average payment for all victims was $36,295. Overall, findings suggested that ransomware payments have been rising.

Who has paid?

Many cities don’t have the resources to completely rebuild their network infrastructure from scratch. They’re left with one option, which is agreeing to pay the ransom. This June, officials in Lake City, Fla., voted to pay hackers $460,000 to recover data from a ransomware attack. The mayor of Lake City, Stephen Witt, said that he “would’ve never dreamed this could’ve happened, especially in a small town like this.” That’s common for small towns, but they’re frequently the easiest targets. A week before the Lake City incident, Riviera Beach, Fla., paid $600,000 to unlock its computer systems and restore essential data. It’s not just Florida though; Jackson County, Ga., paid $400,000 shortly before those two incidents.

What if they don’t want to pay?

Cities with large coffers and IT staff might be able to afford not paying ransoms. Saying “no” is almost guaranteed to be more expensive than the ransom. For example, Baltimore, Md., declined to pay the ransom and decided to rebuild from scratch. Those costs added up quickly, ultimately settling at $18 million. The city of Atlanta also chose not to pay a ransom, and it cost almost $3 million to get all its systems back up and running. Saying no is something every city or county wishes it could do, but that comes at an astronomical price if there isn’t a plan in place for data recovery after a disaster like this.

Mayors Vow Not to Pay

Recently, the U.S. Conference of Mayors unanimously adopted a resolution opposing payment to ransomware attack perpetrators. Their reasoning was that “paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”

“The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm, therefore, be it resolved that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.” In the resolution, the U.S. Conference of Mayors estimated that at least 170 county, city and state governments had suffered a ransomware attack since 2013, with 22 of those attacks occurring just this year.

Some 1,400 mayors of cities whose populations exceed 30,000 make up the Conference, which recently held its 87th annual meeting in Honolulu, Hawaii. The organization said that “at least 170 county, city, or state government systems have experienced a ransomware attack since 2013,” and, “22 of those attacks have occurred in 2019 alone,” pointing specifically to the cities of Baltimore and Albany, N.Y., and the counties of Fisher, Texas, and Genesee, Mich.

Minimizing Damage from Attacks

Cloud backup is a way of minimizing the damage by ensuring that specific data can’t be held hostage. It also ensures that recovery of that data won’t come with a price tag. Cloud backup solutions are a good idea if you want to keep your employees’ personal information safe. Keeping your organization’s personnel data in the cloud can help reduce the pain of an unexpected attack and keep employees calm. Solutions like this often have “versioning,” which means they take snapshots of your data and allow you to roll back a system to a specific date and time (before hackers encrypted it). Cloud backups for personnel and sensitive data can be effective, but there are certain types of data that are less effective to back up. For example, ERP data is constantly changing, which can make versioned backups less effective.

Cyber insurance is another way to dull the pain of an attack; however, that doesn’t come without its own risks. Kimberly Goody, a financial crimes analyst at FireEye, warned that she is expecting to “see some evidence that there is specific targeting of organizations that have insurance.” If that becomes the case, then carrying insurance would also come with risks. Having the foresight to prepare for a ransomware attack before it happens is the best way to avoid these attacks. Analyze your organization’s cybersecurity readiness and follow the advice of experts. According to Norton.com, here are some Do’s and Don’ts of ransomware:

  • Do use security software. To help protect your data, install and use a trusted security suite that offers more than just antivirus features.
  • Do use cloud services. This can help mitigate a ransomware infection, since many cloud services retain previous versions of files, allowing you to “roll back” to the unencrypted form.
  • Do back up important data to an external hard drive. Backup files allow victims to restore their files once the infection has been cleaned up. Ensure that backups are appropriately protected or stored offline so that attackers can't access them.
  • Don’t pay the ransom. Sensing desperation, a cybercriminal could ask you to pay again and again, extorting money from you but never releasing your data.

This content is made possible by our sponsor; it is not written by and does not necessarily reflect the views of e.Republic’s editorial staff.