Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Florida Town Pays $600K to Ransomware Operators

Riviera Beach's decision to pay ransom to criminals might get files back, but it almost guarantees greater attacks against other governments.

Paying the ransom for ransomware is rarely recommended, but that didn't stop Riviera Beach, Florida — a town with a population of around 35,000, north of West Palm Beach — from authorizing a payment of 65 Bitcoin, worth more than $600,000, to criminals in the hope that municipal data would be unlocked.

The attack, which began on May 29 when a police department employee opened a malicious email attachment, ultimately disabled all of the city's online systems, including email, a water utility pumping station, some phones, and the ability to accept utility payments online or by credit card.

Ilia Kolochenko, founder and CEO of ImmuniWeb, says that the payment could have far-reaching consequences. "This is very alarming news that will likely spur an unprecedented spike of ransomware attacks on the critical infrastructure of small cities that are unable to duly protect themselves." This means that "cities, municipalities, and smaller governmental entities are a low-hanging fruit for insatiable and smart cybercriminals."

And those criminals may have begun ramping up their activities even before Riviera Beach showed that there can be significant profit. "Cyber extortion is a growing type of attack, with a questionable effectiveness," says Allan Liska, an intelligence analyst at Recorded Future. "While there are a lot of these attacks occurring, most of them are simply bluffs. There aren't as many cases of a legitimate cybercriminal with legitimate access to the target organization using this technique. It is an interesting area to watch for potential growth."

"Cybercriminals always try to get maximum profit doing the least effort," says Cesar Cerrudo, chief technology officer of IOActive and founder of Securing Smart Cities. "That's why targeting city technology is a good business opportunity to them as the private sector is becoming more secure and difficult to hack, while most city systems are easier to hack.

"There is a lack of cybersecurity knowledge and skilled resources in most cities around the world, while technology adoption and dependence keep increasing," Cerrudo adds, pointing out that the combination creates an especially dangerous opportunity for criminals. And things could get worse. "So far, the consequences have been mostly financial, but soon attacks could end up putting human lives at risk," he says.

In addition to the ransom payment, Riviera Beach moved purchase of $900,000 in new computer hardware forward a year in order to replace infected systems. And all of the expense could have been avoided, according to some security professionals. "Bad actors are rational. They will invest time and effort into attacks that work," says Unman Rahim, digital security and operations manager for The Media Trust. "The takeaway from this and other similar attacks is this: All businesses should back up their data and train their employees on how to avoid such cyberattacks."

Sam McLane, chief technology services officer at Arctic Wolf Networks, gets even more specific with his recommendations for municipal governments. "First, having good backup and recovery is essential to counter ransomware. If malware slips through your defenses, you need the ability to revert to a recent backup and avoid the pain that the City of Riviera Beach is encountering," McLane says. "Second, organizations also need to have detection technology like network monitoring via intrusion detection or endpoint detection and response. And third, organizations must monitor the entire environment to detect and respond when something slips through."

As of press time, Riviera Beach has not reported whether it has been given the key to decrypt the locked files.

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 3:19:05 PM
Segmentation is something they don't do
The attack, which began on May 29 when a police department employee opened a malicious email attachment, ultimately disabled all of the city's online systems, including email, a water utility pumping station, some phones, and the ability to accept utility payments online or by credit card.

Hmm, there are a few questions that cause me to pause:
  • If they have AV or Email AV, shouldn't the software catch this?
  • Also, shouldn't the email and water utility system be separate from one another
  • And the online payment system, shouldn't that have been in the DMZ and the DB in Zone 0 or isolated from the rest

Sounds to me from the application, network, web, Db and credit card groups failed to understand the concept of network segmentation. Where was the Enterprise Archictect in this endeavor and what happened to the planning stages associated with DR (doesn't GDPR get involved with this issue and shouldn't they be penalized for this attrocity)?

Todd
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/24/2019 | 2:31:27 PM
Re: Beautiful Train Wreck
What the does the DJs post have to do with this subject?
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
6/21/2019 | 1:47:50 PM
Re: Beautiful Train Wreck
Couldn't agree more. Plus you are operating under the assumption that the malicious actor is now going to act ethically, decrypt your data and leave you alone.

I would posit a guess that even with this occurence barely anything will change in the way they run the shop. I would like to be more optimistic but the data doesn't lie.
djrequired001
0%
100%
djrequired001,
User Rank: Apprentice
6/21/2019 | 10:23:39 AM
Re: Beautiful Train Wreck
DJ gigs London, DJ agency UK

Dj Required has been setup by a mixed group of London's finest Dj's, a top photographer and cameraman. Together we take on Dj's, Photographers and Cameramen with skills and the ability required to entertain and provide the best quality service and end product. We supply Bars, Clubs and Pubs with Dj's, Photographers, and Cameramen. We also supply for private hire and other Occasions. Our Dj's, Photographers and Cameramen of your choice, we have handpicked the people we work with
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/20/2019 | 3:23:39 PM
Beautiful Train Wreck
Everything wrong in this one beyond decision to pay.  Well let's start with what was protecting them and where did the infection come from - usually stupid user opening bad email.  Education!!!!   We have heard alot of that in this forum and there is a vidoe on the very subject here.  Then what about backup protocols and data recovery protocols, of which - usually - none or last updated July of 2003.  And redundancy?   What if this was just a failed data center issue???   So be bad and pay the ransom and off the thieves go to more hell and fun.  Everything just wrong wrong wrong here. 
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16978
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
CVE-2019-16979
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16980
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection.
CVE-2019-16990
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.
CVE-2019-16530
PUBLISHED: 2019-10-21
Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution.