The city of Riviera Beach, Florida, last week agreed to pay hackers $600,000 to regain control of its computers and data, after being struck by a ransomware attack that disrupted systems handling email, payroll, accounts payable, and various aspects of an emergency response system, among others, and forced staff to revert to pen and paper for various management tasks.
The local council for the community of 35,000 people voted unanimously to pay off the hackers, doing so, according to Spokeswoman Rose Anne Brown, after hiring outside security consultants who advised the Council to yield to the hackers’ demands. Brown conceded that, as pointed out in the January 2018 article, Ransomware: Why It Will Cause Even More Damage and Destruction in the Future, many criminals today do not adhere to what was once the ransomware criminal’s “code of ethics,” and, that, as a result, there are no guarantees that the hackers involved will actually release the city’s data even after having been paid off.
As is so often the case with malware attacks, the ransomware afflicting Riviera Beach apparently infected the city’s IT infrastructure after an employee clicked on a link in an email message sent by the criminals. People have been, are, and will remain, for the foreseeable future, the Achilles Heel of cybersecurity.
Officially, the FBI “does not support” paying ransomware demands, but, of course, the FBI is not the party that suffers the consequences if criminals destroy kidnapped data rather than returning it; in fact, multiple FBI agents have acknowledged to me privately that sometimes paying ransomware ransoms is, by far, the best option for victims.
While paying the ransom was likely in the interest of Riviera Beach, and Riviera Beach is not the first government body to pay off criminals under such circumstances, its payments do increase the danger to every other American town – every time that a municipality yields to criminals’ demands and gets its data back by paying a ransom, it encourages future attacks on other municipalities. Furthermore, such payments also increase the resources available to criminals for the R&D needed to create new generations of increasingly powerful ransomware.
In fact, one of the primary reasons that ransomware ransom amounts have skyrocketed in recent years is precisely because criminals have learned that governments, hospitals, and others with deep pockets frequently agree to pay large ransoms to recover data and systems, and, as a result, such evildoers have increasingly focused their attention on such parties, launching sophisticated, targeted ransomware attacks against those with deep pockets rather than attempting to spread ransomware en masse to many random individual victims. While sophisticated, targeted attacks cost significantly more to execute than do general attacks, the dramatically richer payoffs dwarf any such drawbacks.
Problems with incentives and the assignment of responsibility also contribute heavily to the problem of ransomware: Because, in many states, municipalities are responsible for their own IT infrastructures and make their own decisions vis-à-vis paying ransoms, the collective interest of every other municipality is not necessarily a factor in decisions whether or not to pay ransoms. Furthermore, the inefficiency created by relegating responsibility for technology to thousands of small teams ensures that relatively few towns have an adequate information security program. In some states the number of governmental bodies that bear responsibility for independent IT systems is mindboggling: in my own home state of New Jersey there are 565 independent municipalities, 21 counties, and 555 school districts, in addition to the State government and its many agencies. Is there anyone rational who believes that every one of those 1100+ entities is fully up to par when it comes to information security?
Perhaps cybersecurity will accomplish what cloud technology has not yet done: incentivize state governments to more effectively centralize computer systems and their management – or, perhaps, the powers that be still will not see the need, and it will take many expensive ransom payments to criminals before politicians awaken to the need for a long overdue change.
(Thank you to Michael Geiger for the title image.)