From small towns such as Lake City, Florida, to large metropolises such as Baltimore, Maryland, municipalities have become a major target for ransomware groups. Now, more than 1,400 US mayors have taken a stance against paying out ransoms to the cybercriminals that target their systems and data.
In a resolution signed at the US Conference of Mayors earlier this month, the top elected officials of every city of more than 30,000 citizens committed to not paying ransoms to the cybercriminals that encrypt data and demand payment to unlock the information. The resolution came just days after Lake City, a town of 12,000, paid $460,000 and weeks after Riviera Beach, Florida, a town of 35,000, paid $600,0000 to regain access to their respective systems.
In the resolution, the US Conference of Mayors estimated that at least 170 county, city and state governments had suffered a ransomware attack since 2013, with 22 of those attacks occurring just this year.
"[P]aying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit [and] the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," the group said in its resolution to refuse to pay ransoms.
The pledge to not pay comes as municipalities are being explicitly targeted by ransomware gangs. The list of towns and cities suffering from ransomware include large metropolises, such as Baltimore and Atlanta, and small towns, such as Lake City and West Haven, Connecticut.
While law enforcement officials and security experts have long recommended that ransomware victims do not pay the cybercriminals, they have accepted that some organizations have to pay to recover from a ransomware disaster. As municipalities, counties, businesses, and government agencies have increasingly been successfully targeted, however, some security professionals have accepted that they will eventually need to pay. Analysts have even urged companies to be ready for the eventuality that they will have to pay ransoms.
That makes the mayors' announcement stand out that much more, says Akshay Bhargava, senior vice president of cybersecurity firm Malwarebytes. "I really respect the mayors and cities for taking this stance," he says. "Victims are going to have to take a stronger position, and this is an important first step."
Whether or not towns and cities will be able to secure their networks and systems enough to be ready for ransomware is another question. Attackers called on Atlanta to pay $52,000 to unlock systems two years ago. The city refused, and then paid at least $2.6 million to fix its corrupted systems.
Yet such will is needed to remove the incentive for attackers to go after specific industries or government agencies, says Monique Becenti, product and channel specialist at SiteLock. "Until every organization can make a pact refusing to pay ransomers, there is always going to be that one organization that will be willing to pay a high-dollar amount to retrieve their stolen data all because they never had a backup," she says.
The key to not paying a ransom is to be able to quickly and completely recover after an attack, Mickey Bresman, CEO of Semperis, a provider of identity-based security, said in a statement. "Having the right type of disaster recovery plan, with a cyber recovery first approach, will allow local government to have better ability to bounce back and not be a helpless victim," he said. "Recovery plans combining clean and validated backups with automation will hopefully make the ransomware crime unprofitable and a thing of the past."
But even organizations that could recover from a ransomware attack often choose to pay the ransom instead because recovering from secondary storage can take a long time and require a great deal of manpower. To really be ready for a ransomware attack, organizations must have the ability to quickly recover from backups.
"Businesses of every size need to invest in protecting their data from ransomware and other attacks," Becenti says. "They can do this by implementing a viable backup solution for all internal data that is being collected electronically.... Having solid data backup in place takes away any leverage attackers have over you."
Still, even organizations that pay ransoms should have a backup solution because ransomware attackers cannot always recover the data that they encrypted, she adds.
The fact that municipalities have committed to not paying ransoms will likely cause others to follow suit, says Malwarebytes' Bhargava.
"I do think this is a start of a trend, not a one-off," he says. "More and more, you will see other governments, states, around the globe, and organizations saying, we want to take a strong stance."