Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:10 AM

US Mayors Commit to Just Saying No to Ransomware

The group of more than 1,400 top elected municipal officials takes the admirable, recommended stance against paying ransoms. However, can towns and cities secure their information technology infrastructure to withstand attacks?

From small towns such as Lake City, Florida, to large metropolises such as Baltimore, Maryland, municipalities have become a major target for ransomware groups. Now, more than 1,400 US mayors have taken a stance against paying out ransoms to the cybercriminals that target their systems and data. 

In a resolution signed at the US Conference of Mayors earlier this month, the top elected officials of every city of more than 30,000 citizens committed to not paying ransoms to the cybercriminals that encrypt data and demand payment to unlock the information. The resolution came just days after Lake City, a town of 12,000, paid $460,000 and weeks after Riviera Beach, Florida, a town of 35,000, paid $600,0000 to regain access to their respective systems.

In the resolution, the US Conference of Mayors estimated that at least 170 county, city and state governments had suffered a ransomware attack since 2013, with 22 of those attacks occurring just this year.

"[P]aying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit [and] the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," the group said in its resolution to refuse to pay ransoms.

The pledge to not pay comes as municipalities are being explicitly targeted by ransomware gangs. The list of towns and cities suffering from ransomware include large metropolises, such as Baltimore and Atlanta, and small towns, such as Lake City and West Haven, Connecticut.

While law enforcement officials and security experts have long recommended that ransomware victims do not pay the cybercriminals, they have accepted that some organizations have to pay to recover from a ransomware disaster. As municipalities, counties, businesses, and government agencies have increasingly been successfully targeted, however, some security professionals have accepted that they will eventually need to pay. Analysts have even urged companies to be ready for the eventuality that they will have to pay ransoms

That makes the mayors' announcement stand out that much more, says Akshay Bhargava, senior vice president of cybersecurity firm Malwarebytes. "I really respect the mayors and cities for taking this stance," he says. "Victims are going to have to take a stronger position, and this is an important first step."

Whether or not towns and cities will be able to secure their networks and systems enough to be ready for ransomware is another question. Attackers called on Atlanta to pay $52,000 to unlock systems two years ago. The city refused, and then paid at least $2.6 million to fix its corrupted systems

Yet such will is needed to remove the incentive for attackers to go after specific industries or government agencies, says Monique Becenti, product and channel specialist at SiteLock. "Until every organization can make a pact refusing to pay ransomers, there is always going to be that one organization that will be willing to pay a high-dollar amount to retrieve their stolen data all because they never had a backup," she says. 

The key to not paying a ransom is to be able to quickly and completely recover after an attack, Mickey Bresman, CEO of Semperis, a provider of identity-based security, said in a statement. "Having the right type of disaster recovery plan, with a cyber recovery first approach, will allow local government to have better ability to bounce back and not be a helpless victim," he said. "Recovery plans combining clean and validated backups with automation will hopefully make the ransomware crime unprofitable and a thing of the past."

But even organizations that could recover from a ransomware attack often choose to pay the ransom instead because recovering from secondary storage can take a long time and require a great deal of manpower. To really be ready for a ransomware attack, organizations must have the ability to quickly recover from backups.

"Businesses of every size need to invest in protecting their data from ransomware and other attacks," Becenti says. "They can do this by implementing a viable backup solution for all internal data that is being collected electronically.... Having solid data backup in place takes away any leverage attackers have over you."

Still, even organizations that pay ransoms should have a backup solution because ransomware attackers cannot always recover the data that they encrypted, she adds.

The fact that municipalities have committed to not paying ransoms will likely cause others to follow suit, says Malwarebytes' Bhargava.

"I do think this is a start of a trend, not a one-off," he says. "More and more, you will see other governments, states, around the globe, and organizations saying, we want to take a strong stance."

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/17/2019 | 8:59:40 AM
Re: Correct response
Let us see if these same people commit to hiring QUALIFIED IT PROFESSIONALS and maintain a tested disaster recovery and backup plan??   Betcha a bunch won't do that and claim cost as an issue.
User Rank: Ninja
7/17/2019 | 7:58:25 AM
Re: Correct response

I agree, but the problem with Georgia or Florida agencies (government) is they did not have the resources in place to address the problem (ransom payments 10K, 600K and 450K). It would have taken them months to recover (time-sensitive, case and healthcare situations). In the instance of one agency, they spent 1.2 million to recover, put in mitigating procedures but the ransom was only 50K (they lost in countless areas; did they really address the problem?).


In certain instances, you have to weigh the cost, there was an instance where the captors provided a way to recover part of their data (proof). So it is hard to determine if they are telling the truth or not, in this instance, they obtained proof. But in the case of the FBI (https://www.fbi.gov/investigate/cyber), they say not to pay them but when the mayor or governor is asking for pertinent court or hospital information that could affect the lives of others, I don't think it is so cut and dry, you have to weigh your options (in this case the Mayor stood by his beliefs).

User Rank: Ninja
7/16/2019 | 2:20:20 PM
Correct response
This is always the correct response. You operate under two assumptions if you don't. You expect your non-ethical attackers to act ethically and return your data after payment. Secondly, that they won't try to sell that data even after its provided to you. They could also maintain their foothold and just compromise your data all over again. Rinse and repeat. Always smartest to cut your losses and look to mitigate their present entry and proactively ensure that you do not end up in this situation again.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...