Ransomware payments might seem like a quick solution to get back on your feet after an attack. But paying the attackers just makes the problem worse.
The original version of this post was published in Forbes.
OK, maybe you can’t say the two cities in Florida hit with ransomware a few weeks ago dodged a bullet, but at least they dodged the digital equivalent of a cruise missile … right?
Riviera Beach and Lake City both paid the ransom. For Lake City, which lost access to its phone and email systems for a couple of weeks, the ransomware payment was 42 bitcoin, worth $573,300 according to one report and $460,000 according to another. Riviera Beach paid 65 bitcoin, worth $897,650, after three weeks of no access to its computer systems.
Yes, that’s a lot of money. Yes, they took a bullet. But hey, it’s not even close to the estimated $17 million Atlanta is spending to recover from a ransomware attack in March 2018. Or the more than $18 million Baltimore expects to spend after an attack this past May.
Those Florida city officials can declare, accurately, that they’ve saved their taxpayers a bundle, even if it did mean rolling over for common criminals who likely will never be caught, prosecuted or even identified.
But that gain may be short-lived. They may be setting themselves and other municipalities up for a ransomware tsunami. As any economist will tell you, people respond to incentives. In this case, a thief or band of thieves raked in a payday from one digital holdup that’s enough to put at least one of them into the 1 percent income bracket without even breaking a sweat.
And, of course, the value of those ransomware payments wasn’t eroded by any deductions—taxes, Medicare, Social Security. The gross was the net.
That’s the kind of thing other common criminals notice. Hit a local government with ransomware and your chances are pretty good that they’ll fork over $500,000 or more so they can get back in business as quickly as possible.
Graham Cluley, independent blogger and cohost of the Smashing Security podcast, made that point in a recent post carried on Tripwire. “Every time an organization gives in to a ransomware demand, and cybercriminals learn that it is easy to earn such lucrative profits, hackers invest more effort into future attacks,” he wrote.
Indeed, about a week after word of the Lake City and Riviera Beach ransomware payments, a third Florida city, Key Biscayne, reported it had been hit as well, by malware called Ryuk, the same one used to attack Lake City. Ryuk is typically the final stage of the so-called “Triple Threat” chain: Emotet gets the initial foothold, usually through a phishing attachment, then drops Trickbot, which spreads across the network and is used to deploy Ryuk once the attackers have decided what is worth encrypting.
And this week, officials with the Georgia courts acknowledged that a portion of its digital information systems had been taken down by ransomware. At the time, there was no information on how much the attackers demanded.
Obviously, those officials thought they were doing what was in the best interest of their constituents. And law enforcement officials and security experts acknowledge that there are times when the only option is to pay the ransom.
As Bob Maley, CSO at NormShield and former CISO for the state of Pennsylvania, put it, if a victim organization has no recovery plan and no idea of the impact of losing everything that has been encrypted, “then the decision becomes one of desperation.”
And the cost to cities like Baltimore and Atlanta for refusing to pay can make that desperation much greater.
“We have seen municipalities across the country attempt to hold off paying ransoms only to suffer incredibly, ultimately end up paying after serious disruption of services, or pay an exorbitant amount of money to avoid paying,” said Kiersten Todt, managing director of the Cyber Readiness Institute.
“That’s especially true if human life is at risk from impaired emergency response,” added Phil Reitinger, president and CEO of the Global Cyber Alliance (GCA). “I will throw no stones at a city CISO or mayor who finds that paying thousands in ransom is acceptable rather than suffering millions in recovery expenses, especially given the other significant nonmonetary costs from a paralyzed city.”
But all that still doesn’t make ransomware payments a good option—for the victim or other potential victims.
For starters, those same attackers could hit the same cities again. Tim Mackey, technical evangelist at Synopsys, noted that ransomware victims are dealing with people they don’t know and will probably never see.
“Payment of a ransom is a trust issue,” he said. “Do you effectively trust that the data will be recoverable following payment? While it’s in the best interests of the attacker to release encrypted files following payment, receipt of encryption keys isn’t the end of it.
“For example, can you ensure the data weren’t corrupted or tampered with? Are you confident the attackers didn’t make copies? Have you taken steps to ensure the attacker doesn’t simply attack you again and demand further payment? In reality, the actual ransom payment may be the least of the incident response costs,” he said.
A vastly better—and what would seem to be obvious—option would be to make those attacks much more difficult. Create negative incentives. Make it hard for cyber criminals. Yes, doing that will cost money and time, but vastly less than what it costs to pay a ransom or recover from an attack.
As Morgan Wright, a former senior advisor in the U.S. State Department Antiterrorism Assistance Program, sardonically put it in a post on The Hill after the Atlanta attack, “There’s never enough time and money to do it right. But when government screws up, there’s always time and taxpayer money to do it over, usually at a much higher cost.”
So, how to avoid screwing up? There is no way to be perfect, but there are multiple ways to get much closer.
The most obvious is regular backups that are kept offline, or otherwise unreachable from the production network and from the credentials an attacker is likely to steal. A backup that can be reached through the same breach is, obviously, worthless; ransomware crews routinely encrypt or delete network-attached backups before they trigger the main payload. But if a copy is held separately, survives, and has actually been restore-tested, an organization can rebuild its systems quickly at minimal expense, without paying the ransom.
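A backup that survives is only useful if you can tell it is intact, which also answers Mackey’s question above about whether data have been corrupted or tampered with. The following is an added example, not code from the original post: it records a SHA-256 manifest of a backup tree at backup time and later verifies a copy against it. The manifest must travel with the offline copy (or be signed), not sit on the network the attacker controls. The files, paths and the simulated attack in `demo()` are all constructed for the example.

```python
"""Hash-manifest check for an offline backup copy (added example).

Builds a SHA-256 manifest of a backup tree at backup time and later verifies
a copy against it, so a backup that was silently encrypted, truncated or
partially deleted is caught before anyone relies on it for recovery.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream-hash a file so large backup archives are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup tree against a manifest taken earlier.

    "modified": files whose digest changed (encrypted in place, truncated).
    "missing": files in the manifest that are gone (deleted or renamed).
    "unexpected": files not in the manifest (ransom notes, .locked renames).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a manifest of a small backup, then simulate a
    ransomware sweep over a network-reachable copy and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (backup / "email.mbox").write_text("From: clerk@example.gov\n")
        (backup / "readme.txt").write_text("nightly backup\n")

        manifest_json = json.dumps(build_manifest(backup))  # keep this offline

        # Simulated attack: one file overwritten with random bytes ("encrypted"),
        # one renamed with a ransomware extension, and a ransom note dropped.
        (backup / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (backup / "email.mbox").rename(backup / "email.mbox.locked")
        (backup / "HOW_TO_DECRYPT.txt").write_text("pay us\n")

        return verify_manifest(backup, json.loads(manifest_json))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it and the untouched `readme.txt` passes while the overwritten ledger shows as modified, the renamed mailbox as missing, and the ransom note and `.locked` file as unexpected. In practice the manifest is generated by the backup job and the verification runs against the offline copy on a clean host, before that copy is trusted for a restore.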
Then there is making sure your employees are an asset, not a risk factor. The attacks on all three Florida cities were enabled by an employee clicking on an attachment in a phishing email. Which sends a clear message—employees need effective security awareness training.
Most employees, except for a rogue here and there, want to protect the organization’s assets. They just need to be taught how to spot suspicious communications—to develop a healthy paranoia. There are multiple organizations that offer credible programs in that.
“Approximately 91% of all attacks on enterprises are caused by phishing,” Todt said. “There are online phishing training courses that municipalities could offer, which could be a reasonably low-cost way to help inform municipal employees of the cyber risks to which they are exposed.”
Besides training, Mackey said another personnel basic is to apply the “principle of least privilege” to employees throughout an organization. That means “limiting the level of trust a given employee has at any point in time to only the level of access required to perform specific tasks.”
Beyond training and policy, organizations should harden the security of their assets.
One fundamental is to keep an accurate inventory of the software components that run applications, systems and networks, and to keep them patched. Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open.
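An inventory is only useful if it can be checked against the versions that actually carry a fix. The following is an added example, not code from the original post: it reads a constructed host/component/version inventory and flags anything below a (hypothetical) minimum fixed version, using numeric comparison, because the common shortcut of comparing version strings lexicographically gets both directions wrong, as the `naive` mode shows. The component names, versions and minimum table are invented for the example and describe no real product.

```python
"""Inventory patch-level check (added example).

INVENTORY and MINIMUM_FIXED are constructed placeholders; in practice they
come from an asset inventory / SBOM and the vendor advisories being tracked.
"""
import re

INVENTORY = """\
# host        component  version   (constructed sample data, not real hosts)
clerk-ws01    docsys     3.2.1
clerk-ws02    docsys     3.10.0
mail-gw01     mailgw     1.9.7
mail-gw02     mailgw     1.10.2
records-db01  dbsrv      12.4
"""

# Hypothetical: the lowest version of each component that contains the fix.
MINIMUM_FIXED = {"docsys": "3.2.5", "mailgw": "1.10.0", "dbsrv": "12.4"}


def parse_version(text: str) -> tuple[int, ...]:
    """'3.10.0' -> (3, 10, 0). Only the numeric fields are compared."""
    fields = re.findall(r"\d+", text)
    if not fields:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(f) for f in fields)


def version_at_least(installed: str, minimum: str) -> bool:
    """Numeric, zero-padded comparison: 3.10.0 >= 3.2.5 and 12.4 >= 12.4.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def parse_inventory(text: str) -> list[tuple[str, str, str]]:
    """Return (host, component, version) rows; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, component, version = line.split()[:3]
        rows.append((host, component, version))
    return rows


def find_unpatched(inventory_text: str, minimums: dict[str, str],
                   naive: bool = False) -> list[tuple[str, str, str, str]]:
    """Hosts running a tracked component below its minimum fixed version.

    naive=True compares the raw strings, the mistake that flags 3.10.0 as
    older than 3.2.5 and misses 1.9.7 being older than 1.10.0.
    """
    findings = []
    for host, component, version in parse_inventory(inventory_text):
        minimum = minimums.get(component)
        if minimum is None:
            continue  # no tracked fix for this component
        outdated = (version < minimum) if naive else not version_at_least(version, minimum)
        if outdated:
            findings.append((host, component, version, minimum))
    return findings


if __name__ == "__main__":
    for host, component, version, minimum in find_unpatched(INVENTORY, MINIMUM_FIXED):
        print(f"{host}: {component} {version} is below fixed version {minimum}")
```

With the sample data, the correct check flags `clerk-ws01` and `mail-gw01`; the naive string comparison instead flags `clerk-ws01` and `clerk-ws02` and misses the mail gateway entirely, which is exactly the kind of gap that leaves a known hole open while the dashboard says everything is patched.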
Maley said organizations should “know the cyber hygiene of their IT ecosystems in the same way the attackers do, then fix the issues before the attacks happen.”
Other ways to be prepared for a ransomware attack, Mackey said, include “having properly patched virtual machine templates, which can be used to restore entire systems using VDI (virtual desktop infrastructure)-style solutions or other remote-access solutions to ensure that sensitive data isn’t accessible from machines easily infected through phishing attacks or drive-by web ads.”
Reitinger said better security hygiene should include “powerful techniques like using a protective DNS (domain name system) service like Quad9. They make a successful attack far less likely, so there is a significant return on investment.”
Of course, while those measures are excellent investments, municipalities do need money to make them, and few have it, according to Todt. “There is not a municipality in the United States that is fully funded to defend its IT networks against cyberattacks,” she said, adding that she believes the feds should provide some of that funding.
“While we have become dependent on the internet for many government services, we have not provided our state and local governments with the capabilities to make these services resilient in the face of persistent cyberattacks,” she said.
“The federal government needs to establish an active coordination and remediation program that is supported by the Department of Homeland Security (DHS) and the National Security Agency (NSA) for municipalities.”
That money, she said, could help local and state governments “in the most important first steps toward cyber resiliency: map the networks they own, understand what is on them and provide assistance to better secure them.”
Yes, of course it could. But that money, while wished for, is not yet a reality. Nor is it likely to become a reality anytime soon. So, as Todt and other experts say, municipalities should set priorities and make trade-offs to get the most important things done.
Those priorities, she said, are raising awareness of the threat and building security and resiliency into the systems.
Because the ransomware threat is not going away. It is increasing.