Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Fleming Shi
Fleming Shi
Connect Directly
E-Mail vvv

Ransomware Attacks: Why It Should Be Illegal to Pay the Ransom

For cities, states and towns, paying up is short-sighted and only makes the problem worse.

When it comes to ransomware attacks on municipalities, paying hackers isn't the right solution. First, there's no guarantee hackers will return sensitive data. Second, there's no guarantee cybercriminals won't leverage and monetize the data anyway, returned or not. To effectively fight back, we need to make ransomware payments illegal, and develop a strong industry of cyber professionals, a digital army of sorts, to proactively increase security awareness and data protection.

Ransomware attacks on municipal governments, from large cities to small towns, have been crippling their IT operations nationwide, disrupting civilian lives and costing millions of dollars. Cybercriminals use malicious software, delivered as an email attachment or link, to infect the network and lock email, data and other critical files until a ransom is paid. These evolving and sophisticated attacks are damaging and costly. They shut down day-to-day operations, cause chaos, and result in financial losses from downtime, ransom payments, recovery costs, and other unbudgeted and unanticipated expenses.

While ransomware has been around for about 20 years, its popularity has been growing rapidly as of late, especially when it comes to attacks on governments. As of August 2019, more than 70 state and local governments had been hit with ransomware that year alone. Local, county and state governments have all been targets, including schools, libraries, courts, and other municipal entities.

In 2019, some smaller government entities paid ransoms, including two town governments and one county government. In Florida, Lake City paid roughly $500,000 (42 Bitcoin) and Riviera Beach paid about $600,000 (65 Bitcoin) after trying and failing to recover their data. In Indiana, La Porte County paid $130,000 to recover its data.

So far, none of the cities attacked in 2019 have paid a ransom, including Baltimore, which spent $18 million to recover from an attack. Unfortunately, Baltimore has been the victim of two ransomware attacks. In response to these attacks, Baltimore did something different from other cities, including Atlanta and Albany, NY, which have also fallen prey to advanced attacks recently. According to an October article in the Baltimore Sun, the city bought $20 million in cyber liability insurance to cover any additional disruptions to city networks over the next year. The first plan, for $10 million in liability coverage from Chubb Insurance, will cost $500,103 in premiums. The second, for $10 million in excess coverage, will be provided by AXA XL Insurance for $335,000.

Ransom payments fuel the efforts of the cybercriminals. Hackers use that money to become more capable, commit more crimes, and expand their operations. This helps feed into the activities of the Dark Web economy.

Organizations that pay the ransom are also at a higher risk for additional attacks. It's a winning situation for the hacker when the ransom is paid, so they are likely to target the same organization and individuals over and over again to get additional payments. Hackers purposely target the valuable personal records held by the government and other organizations, such as legal records, financial data, and construction applications, as well as assets critical to the day-to-day functions, such as database files, audit logs, and more. As long as the opportunity for payout remains, they will continue to target these organizations.

No organization, whether it's a municipal government or a private company, should lose sight of the fact that insurance isn't a replacement for trying to prevent attacks in the first place. Insurance is meaningless when it comes to solving the problem; it just helps pay the bill. It's also likely to increase the amount of ransom, especially in cases where the amount of cyber liability insurance coverage has been made public.

After a ransomware payment, and the potential reclamation of your data, hackers still have the information and will try to leverage and monetize it. That's why organizations handling the personal information of consumers — such as credit card information, Social Security numbers, and addresses — shouldn't be allowed to pay ransoms. It should be illegal to fund the bad actors, since paying up is ultimately the sale of personal and sensitive information, albeit an unwilling exchange.

Government leaders and executives should be held accountable for the safety of the data. There's a lack of interest and competence when it comes to defending data, yet our private information and our digital identities must be protected.

Defending Against Ransomware Attacks
Government organizations at all levels need preventative and defensive strategies in place, along with disaster and recovery capabilities. The rapidly evolving email threat environment requires advanced inbound and outbound security techniques that go beyond the traditional gateway. Government security professionals must work on closing the technical and human gaps, to maximize security and minimize the risk of falling victim to sophisticated ransomware attacks.

There are a number of solutions to help defend against ransomware attacks (Editor's note: The author's company is one of a number of companies that offer some of these services):

  • Spam Filters/Phishing-Detection Systems
    Spam filters, phishing-detection systems, and related security software can help block potentially threatening messages and attachments.
  • Advanced Firewall
    If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall provides a chance to stop the attack by flagging the executable as it tries to pass through.
  • Malware Detection
    For emails with malicious attachments, static and dynamic analysis can detect indicators that the document is trying to download and run an executable file.
  • User-Awareness Training
    Make phishing simulation part of security awareness training.
  • Backup
    If an attack happens, cloud backup can get your systems restored quickly.

Instead of paying ransoms, we need to build awareness and empower a workforce to help us digitally defend ourselves. This is an opportunity for America to lead the way in cyber protection and to build a strong industry of cybersecurity leaders by creating a variety of new jobs and opportunities to help us protect the data and build a stronger infrastructure.

Cybercriminals are going to keep launching attacks. More talent, skills, and training are needed to protect our governments, businesses, and individual citizens. It's time to think about cybersecurity in a new way.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "AppSec Concerns Drove 61% of Businesses to Change Applications."

Fleming Shi serves as Chief Technology Officer at Barracuda Networks. Fleming joined Barracuda in 2004 as the founding engineer for the company's web security product offerings, helping to create the first version of Barracuda's message archiving product and paving the way ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/6/2020 | 7:58:44 PM
Re: Bad Advice from a Non-Involved Vendor
Making it illegal will make it less likely that attacks will be reported to authorities. Organizations will pay up and keep it quiet to avoid legal ramifications.   
User Rank: Author
2/5/2020 | 11:37:53 PM
Re: Bad Advice from a Non-Involved Vendor
It is always a business decision first
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...