Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Florida Town Pays $600K to Ransomware Operators

Riviera Beach's decision to pay ransom to criminals might get files back, but it almost guarantees greater attacks against other governments.

Paying the ransom for ransomware is rarely recommended, but that didn't stop Riviera Beach, Florida — a town with a population of around 35,000, north of West Palm Beach — from authorizing a payment of 65 Bitcoin, worth more than $600,000, to criminals in the hope that municipal data would be unlocked.

The attack, which began on May 29 when a police department employee opened a malicious email attachment, ultimately disabled all of the city's online systems, including email, a water utility pumping station, some phones, and the ability to accept utility payments online or by credit card.

Ilia Kolochenko, founder and CEO of ImmuniWeb, says that the payment could have far-reaching consequences. "This is very alarming news that will likely spur an unprecedented spike of ransomware attacks on the critical infrastructure of small cities that are unable to duly protect themselves." This means that "cities, municipalities, and smaller governmental entities are a low-hanging fruit for insatiable and smart cybercriminals."

And those criminals may have begun ramping up their activities even before Riviera Beach showed that there can be significant profit. "Cyber extortion is a growing type of attack, with a questionable effectiveness," says Allan Liska, an intelligence analyst at Recorded Future. "While there are a lot of these attacks occurring, most of them are simply bluffs. There aren't as many cases of a legitimate cybercriminal with legitimate access to the target organization using this technique. It is an interesting area to watch for potential growth."

"Cybercriminals always try to get maximum profit doing the least effort," says Cesar Cerrudo, chief technology officer of IOActive and founder of Securing Smart Cities. "That's why targeting city technology is a good business opportunity to them as the private sector is becoming more secure and difficult to hack, while most city systems are easier to hack.

"There is a lack of cybersecurity knowledge and skilled resources in most cities around the world, while technology adoption and dependence keep increasing," Cerrudo adds, pointing out that the combination creates an especially dangerous opportunity for criminals. And things could get worse. "So far, the consequences have been mostly financial, but soon attacks could end up putting human lives at risk," he says.

In addition to the ransom payment, Riviera Beach moved purchase of $900,000 in new computer hardware forward a year in order to replace infected systems. And all of the expense could have been avoided, according to some security professionals. "Bad actors are rational. They will invest time and effort into attacks that work," says Unman Rahim, digital security and operations manager for The Media Trust. "The takeaway from this and other similar attacks is this: All businesses should back up their data and train their employees on how to avoid such cyberattacks."

Sam McLane, chief technology services officer at Arctic Wolf Networks, gets even more specific with his recommendations for municipal governments. "First, having good backup and recovery is essential to counter ransomware. If malware slips through your defenses, you need the ability to revert to a recent backup and avoid the pain that the City of Riviera Beach is encountering," McLane says. "Second, organizations also need to have detection technology like network monitoring via intrusion detection or endpoint detection and response. And third, organizations must monitor the entire environment to detect and respond when something slips through."

As of press time, Riviera Beach has not reported whether it has been given the key to decrypt the locked files.

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 3:19:05 PM
Segmentation is something they don't do
The attack, which began on May 29 when a police department employee opened a malicious email attachment, ultimately disabled all of the city's online systems, including email, a water utility pumping station, some phones, and the ability to accept utility payments online or by credit card.

Hmm, there are a few questions that cause me to pause:
  • If they have AV or Email AV, shouldn't the software catch this?
  • Also, shouldn't the email and water utility system be separate from one another
  • And the online payment system, shouldn't that have been in the DMZ and the DB in Zone 0 or isolated from the rest

Sounds to me from the application, network, web, Db and credit card groups failed to understand the concept of network segmentation. Where was the Enterprise Archictect in this endeavor and what happened to the planning stages associated with DR (doesn't GDPR get involved with this issue and shouldn't they be penalized for this attrocity)?

Todd
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/24/2019 | 2:31:27 PM
Re: Beautiful Train Wreck
What the does the DJs post have to do with this subject?
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
6/21/2019 | 1:47:50 PM
Re: Beautiful Train Wreck
Couldn't agree more. Plus you are operating under the assumption that the malicious actor is now going to act ethically, decrypt your data and leave you alone.

I would posit a guess that even with this occurence barely anything will change in the way they run the shop. I would like to be more optimistic but the data doesn't lie.
djrequired001
0%
100%
djrequired001,
User Rank: Apprentice
6/21/2019 | 10:23:39 AM
Re: Beautiful Train Wreck
DJ gigs London, DJ agency UK

Dj Required has been setup by a mixed group of London's finest Dj's, a top photographer and cameraman. Together we take on Dj's, Photographers and Cameramen with skills and the ability required to entertain and provide the best quality service and end product. We supply Bars, Clubs and Pubs with Dj's, Photographers, and Cameramen. We also supply for private hire and other Occasions. Our Dj's, Photographers and Cameramen of your choice, we have handpicked the people we work with
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/20/2019 | 3:23:39 PM
Beautiful Train Wreck
Everything wrong in this one beyond decision to pay.  Well let's start with what was protecting them and where did the infection come from - usually stupid user opening bad email.  Education!!!!   We have heard alot of that in this forum and there is a vidoe on the very subject here.  Then what about backup protocols and data recovery protocols, of which - usually - none or last updated July of 2003.  And redundancy?   What if this was just a failed data center issue???   So be bad and pay the ransom and off the thieves go to more hell and fun.  Everything just wrong wrong wrong here. 
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
8 Infosec Page-Turners for Days Spent Indoors
Kelly Sheridan, Staff Editor, Dark Reading,  3/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5527
PUBLISHED: 2020-03-30
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource co...
CVE-2020-5551
PUBLISHED: 2020-03-30
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the re...
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.