
Attacks/Breaches

7/16/2019 11:10 AM

US Mayors Commit to Just Saying No to Ransomware

The group of more than 1,400 top elected municipal officials takes the admirable, recommended stance against paying ransoms. However, can towns and cities secure their information technology infrastructure to withstand attacks?

From small towns such as Lake City, Florida, to large metropolises such as Baltimore, Maryland, municipalities have become a major target for ransomware groups. Now, more than 1,400 US mayors have taken a stance against paying out ransoms to the cybercriminals that target their systems and data. 

In a resolution signed at the US Conference of Mayors earlier this month, the top elected officials of every city of more than 30,000 citizens committed to not paying ransoms to the cybercriminals that encrypt data and demand payment to unlock the information. The resolution came just days after Lake City, a town of 12,000, paid $460,000 and weeks after Riviera Beach, Florida, a town of 35,000, paid $600,000 to regain access to their respective systems.

In the resolution, the US Conference of Mayors estimated that at least 170 county, city and state governments had suffered a ransomware attack since 2013, with 22 of those attacks occurring just this year.

"[P]aying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit [and] the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," the group said in its resolution to refuse to pay ransoms.

The pledge to not pay comes as municipalities are being explicitly targeted by ransomware gangs. The list of towns and cities suffering from ransomware include large metropolises, such as Baltimore and Atlanta, and small towns, such as Lake City and West Haven, Connecticut.

While law enforcement officials and security experts have long recommended that ransomware victims not pay the cybercriminals, they have accepted that some organizations have to pay to recover from a ransomware disaster. As municipalities, counties, businesses, and government agencies have increasingly been successfully targeted, however, some security professionals have come to accept that victims will eventually need to pay. Analysts have even urged companies to be ready for the eventuality that they will have to pay ransoms.

That makes the mayors' announcement stand out that much more, says Akshay Bhargava, senior vice president of cybersecurity firm Malwarebytes. "I really respect the mayors and cities for taking this stance," he says. "Victims are going to have to take a stronger position, and this is an important first step."

Whether towns and cities will be able to secure their networks and systems well enough to be ready for ransomware is another question. Attackers called on Atlanta to pay $52,000 to unlock its systems two years ago. The city refused, and then paid at least $2.6 million to fix its corrupted systems.

Yet such will is needed to remove the incentive for attackers to go after specific industries or government agencies, says Monique Becenti, product and channel specialist at SiteLock. "Until every organization can make a pact refusing to pay ransomers, there is always going to be that one organization that will be willing to pay a high-dollar amount to retrieve their stolen data all because they never had a backup," she says. 

The key to not paying a ransom is to be able to quickly and completely recover after an attack, Mickey Bresman, CEO of Semperis, a provider of identity-based security, said in a statement. "Having the right type of disaster recovery plan, with a cyber recovery first approach, will allow local government to have better ability to bounce back and not be a helpless victim," he said. "Recovery plans combining clean and validated backups with automation will hopefully make the ransomware crime unprofitable and a thing of the past."

But even organizations that could recover from a ransomware attack often choose to pay the ransom instead because recovering from secondary storage can take a long time and require a great deal of manpower. To really be ready for a ransomware attack, organizations must have the ability to quickly recover from backups.

"Businesses of every size need to invest in protecting their data from ransomware and other attacks," Becenti says. "They can do this by implementing a viable backup solution for all internal data that is being collected electronically.... Having solid data backup in place takes away any leverage attackers have over you."

Still, even organizations that pay ransoms should have a backup solution because ransomware attackers cannot always recover the data that they encrypted, she adds.

The fact that municipalities have committed to not paying ransoms will likely cause others to follow suit, says Malwarebytes' Bhargava.

"I do think this is a start of a trend, not a one-off," he says. "More and more, you will see other governments, states, around the globe, and organizations saying, we want to take a strong stance."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

RyanSepe, User Rank: Ninja, 7/16/2019 | 2:20:20 PM
Correct response

This is always the correct response. You operate under two assumptions if you don't. You expect your non-ethical attackers to act ethically and return your data after payment. Secondly, that they won't try to sell that data even after it's provided to you. They could also maintain their foothold and just compromise your data all over again. Rinse and repeat. Always smartest to cut your losses and look to mitigate their present entry and proactively ensure that you do not end up in this situation again.
tdsan, User Rank: Ninja, 7/17/2019 | 7:58:25 AM
Re: Correct response

I agree, but the problem with Georgia or Florida agencies (government) is they did not have the resources in place to address the problem (ransom payments 10K, 600K and 450K). It would have taken them months to recover (time-sensitive, case and healthcare situations). In the instance of one agency, they spent 1.2 million to recover and put in mitigating procedures, but the ransom was only 50K (they lost in countless areas; did they really address the problem?).

In certain instances, you have to weigh the cost; there was an instance where the captors provided a way to recover part of their data (proof). So it is hard to determine if they are telling the truth or not; in this instance, they obtained proof. But in the case of the FBI (https://www.fbi.gov/investigate/cyber), they say not to pay them, but when the mayor or governor is asking for pertinent court or hospital information that could affect the lives of others, I don't think it is so cut and dry; you have to weigh your options (in this case the Mayor stood by his beliefs).

REISEN1955, User Rank: Ninja, 7/17/2019 | 8:59:40 AM
Re: Correct response

Let us see if these same people commit to hiring QUALIFIED IT PROFESSIONALS and maintain a tested disaster recovery and backup plan? Betcha a bunch won't do that and claim cost as an issue.