The first high-profile incidents of ransomware hit in 2017, most notably when a global outbreak of a variant named WannaCry took down nearly a quarter of a million computer systems in 150 countries, costing around $4 billion in financial losses.
But while WannaCry wreaked havoc across the globe, few organizations actually paid the ransom. Indeed, 72 hours after the attack began, hackers had only been paid about $50,000, and even months later, they appeared to have netted less than $150,000. One reason few paid is that those who did pay did not get their data back, so word quickly spread that paying the ransom was futile.
But attackers have gotten more sophisticated. Instead of randomly targeting victims, as they did with WannaCry, they are now directing their efforts at entities with the resources to pay a hefty ransom. And cities are attractive targets.
In the first half of 2019, there have been at least 22 ransomware attacks against U.S. cities. In Baltimore, for example, the attacks shut down most of the city’s servers, and the attackers demanded 3 bitcoins (about $18,000) to restore each affected system or 13 bitcoins (about $76,000) to restore all the city’s systems. The FBI advised against paying, and the city ultimately decided not to, but the recovery was expensive. The city’s director of finance estimates the attack will cost Baltimore at least $10 million, in addition to another $8 million in lost revenue.
While Baltimore did not pay its ransom, other jurisdictions have — and they have paid a steep price. In March, Jackson County, Ga., paid hackers $400,000 to recover access to its systems after it fell victim to a ransomware attack. In June, Riviera Beach, Fla., paid $600,000 to hackers after a similar attack, and weeks later, Lake City, Fla., paid nearly $500,000 after an attack shut down its phone lines, email system and online payment portal.
Collectively, state and local governments would be better off if none of them ever paid a ransom because attackers would eventually stop engaging in these types of attacks if there was no payoff. Individually, however, they might be better off paying the ransom because it is their systems and data on the line.
Obviously, the best way to address this problem is to avoid getting attacked in the first place. Many of these attacks stem from the same few weaknesses: unnecessarily open ports, phishing emails and unpatched software vulnerabilities. Properly limiting system and network access, securing accounts with multi-factor authentication, training employees to recognize phishing attacks, and keeping systems updated with the latest patches are the best ways to keep systems secure.
The second-best option is to have a solid disaster recovery plan in place. Backups are essential for restoring data, but unless the recovery plan has been thoroughly tested, the actual process of recovering systems rarely goes as smoothly as hoped, especially when bringing live systems back online.
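The point above is that an untested backup is only a hope, not a recovery plan. The script below is an added example, not something from the original article or from any of the cities it mentions: it shows what a minimal, repeatable "restore drill" looks like. It assumes a simple scheme of its own (a tar archive plus a separately stored sha256 manifest), restores the archive into a scratch directory, refuses archive entries that would escape that directory, and compares every restored file against the manifest. The sample files, directory names and the tampered archive are all constructed for the demonstration; the tampered case models a backup that was taken after a file had already been encrypted, which is exactly the surprise that makes a real recovery go less smoothly than hoped.

```python
"""Backup restore drill: prove a backup can actually be restored intact.

Added example, not from the original article. It assumes a simple scheme:
files are archived with tarfile and a sha256 manifest is written alongside,
then a drill restores into a scratch directory and checks every file
against the manifest. All paths and sample files below are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through sha256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src into a gzip tar file and return a manifest {relpath: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = str(p.relative_to(src))
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    # The manifest is stored beside, not inside, the archive: a drill should
    # compare against a record taken at backup time, not one shipped with
    # whatever archive happens to be restored.
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=1))
    return manifest


def safe_members(tar: tarfile.TarFile):
    """Yield only plain files/dirs with relative paths, so a crafted archive
    cannot write outside the scratch directory or plant symlinks."""
    for m in tar.getmembers():
        parts = Path(m.name).parts
        if m.name.startswith("/") or ".." in parts or not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing unsafe archive entry: {m.name!r}")
        yield m


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and compare every file to the manifest.

    Returns a report listing missing, mismatched and unexpected files;
    the drill passes ("ok") only if all three lists are empty.
    """
    report = {"missing": [], "mismatched": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, members=safe_members(tar))
        restored = {str(p.relative_to(dest)): sha256_of(p)
                    for p in dest.rglob("*") if p.is_file()}
        for rel, digest in manifest.items():
            if rel not in restored:
                report["missing"].append(rel)
            elif restored[rel] != digest:
                report["mismatched"].append(rel)
        report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Drill a clean backup and a tampered one; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "cityhall"                       # constructed sample tree
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("vendor,amount\nacme,100\n")
        (src / "readme.txt").write_text("constructed sample file\n")
        manifest = make_backup(src, root / "cityhall.tar.gz")
        good = restore_drill(root / "cityhall.tar.gz", manifest)

        # Model a backup taken after ransomware already overwrote one file:
        # rebuild the archive, but check it against the clean-state manifest.
        (src / "finance" / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00")
        make_backup(src, root / "tampered.tar.gz")
        bad = restore_drill(root / "tampered.tar.gz", manifest)
        return good, bad


if __name__ == "__main__":
    for name, rep in zip(("clean backup", "tampered backup"), demo()):
        print(f"{name}: {'PASS' if rep['ok'] else 'FAIL'} {rep}")
```

Run it as-is and the clean archive passes while the tampered one fails with `finance/ledger.csv` listed under `mismatched`. In a real program the manifest would live on storage the production network cannot modify (offline or write-once), and the drill would be scheduled, not run by hand, since a backup that has never been restored is the one most likely to fail on the day it is needed.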
Finally, governments can use cyberinsurance to reduce recovery costs. When hackers attacked the Georgia Department of Agriculture in late 2017, the state used its $100 million cyberinsurance policy to hire technicians and investigators to wipe and reload its systems. But it did not pay the ransom.
But even with these measures, some governments will still fall prey. And the only way to stop these attacks is if governments make a firm commitment to not pay ransoms. In July, the U.S. Conference of Mayors passed a resolution opposing paying ransoms for IT security breaches, but this pledge has not yet stopped local officials from continuing these payments. It is time for state legislatures to step in and pass laws to tie the hands of city and county officials. Attackers will then turn their attention to more vulnerable and lucrative targets.