Why Cities Shouldn’t Pay Ransomware Criminals

October 10, 2019
| |
5 min read

Cities, local governments, and other institutions such as schools and hospitals are increasingly targeted by cybercriminals, with approximately 170 U.S. cities hit by ransomware since 2013, according to the U.S. Conference of Mayors. What’s contributing to this trend, and what can be done to mitigate the damages?

Ransomware is not a new threat, but there has been an upward trend of destructive variants that intentionally wipe away data and render systems inoperable. If there is a silver lining, it is that the increasing prevalence of destructive ransomware may be making ransomware victims appear less likely to pay the ransom.

Our team of cyber first responders and threat researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), along with IBM Security, has studied ransomware trends for several years. In 2016, we reported that 70 percent of ransomware victims in our study had paid a ransom. Fast-forward to 2019, and local governments and citizens appear to be turning against paying ransoms, even if it means dealing with greater costs to restore systems and recover data from backups.

The U.S. Conference of Mayors resolved in early 2019 that its members should not pay ransoms, citing the probability that paying a ransom merely incentivizes future ransomware attacks by financing the attackers and proving that victims will pay. Furthermore, in a survey of U.S. residents conducted by Morning Consult on behalf of IBM Security, 63 percent of respondents said they would rather pay the cost of recovery from ransomware than pay a ransom.

A recent attack on a major American city shows just how costly it can be to clean up after ransomware strikes. Baltimore’s IT infrastructure was badly damaged after the city was hit by a ransomware attack in May 2019, but city leaders refused to pay the ransom of 13 bitcoins, worth about $75,000 at that time. Instead, the city paid a price many times the original ransom to restore IT services. As of July 2019, the city disclosed that it had spent more than $5.3 million to replace damaged equipment and software, hire technicians to install new equipment, pay overtime to existing staff, and contract with security firms to conduct forensic analysis and harden the city’s IT security defenses.

However, there are still organizations, individuals and governments that make the decision to pay a ransom. Two municipalities in Florida recently paid ransomware criminals: Lake City paid a ransom of $460,000 and Riviera Beach paid $600,000 in ransom, according to MSSP Alert. It’s understandable that some organizations and governments, especially small ones without resources to recover from a ransomware attack, could make the calculation that paying the ransom is the lesser of two evils.

But it begs the question, is paying the ransom really worth it? There are measures that organizations and governments can put in place to help mitigate the potential damages from ransomware so they don’t have to pay the price.

Why Are Cities So Vulnerable?

Ransomware attacks on cities and governments can potentially reach massive scales due to the size of their populations, their dispersed nature, the number of workers they employ and the variety of agencies providing services.

The size of Los Angeles County puts it on par with large multinational businesses, with 107,000 employees and an economy that is bigger than the gross domestic product of Norway, Sweden, Belgium or Poland. The city of Los Angeles employs 62,000 municipal workers and police and has a budget of almost $10 billion.

For smaller cities and towns, the problem isn’t so much the size of the attack surface, but a skills shortage that can make it hard to recruit and retain security staff who are trained to handle threats and keep computer systems up to date. Security professionals in governments of all sizes may lack the budget to properly track, report and act on vulnerabilities — nearly half of U.S. states do not have a cybersecurity budget line item. Meanwhile, attracting and retaining cybersecurity talent is a challenge for cities and small organizations. Some big companies can afford to pay chief information security officer (CISO) salaries that can reach into the millions of dollars, according to Cybersecurity Ventures. By comparison, the IT director of the city of Palo Alto (home to some of wealthiest tech companies in the world) made $255,800 in 2018.

To complicate matters even more, low budgets can translate to very little room for technology advancement. Four in 10 state and local IT leaders said they don’t have the proper tools to combat attacks, according to a study conducted by CyberScoop and StateScoop. And while this might be cost-effective, outdated tools can make the job easier for hackers looking to make a profit.

To Pay or Not to Pay?

It’s a common misconception that paying a ransom means the end of dealing with a ransomware incident. In reality, whether or not a ransom is paid, the cost of paying the ransom is still a small price of what an organization or city will pay to recover. After an attack, someone typically needs to manually decrypt infected devices to restore the data — and it’s still not guaranteed that the files will seamlessly decrypt or even decrypt at all. Additionally, organizations should fix whatever security issues allowed the attackers to infect them in the first place.

In line with this mindset, in its Aug. 21, 2019 bulletin titled “CISA Insights-Ransomware Outbreak,” the Department of Homeland Security (DHS) stated that the public should “consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.”

Besides, there’s no guarantee the criminals will actually honor the deal if you pay. There’s nothing to stop them from taking your money, continuing to hold your files or systems hostage, and holding out their hand for more. Finally, giving cybercriminals a pay day can enable them to infect more organizations. It’s time to break this vicious cycle.

What Can Be Done to Deal With the Threat of Ransomware?

IBM X-Force IRIS cyber first responders see ransomware infections regularly. As we seek to help clients recover from ransomware, the whole process could take weeks — or, in the case of the more destructive malware varieties, months — to rebuild IT infrastructure. The length of response time depends on many factors, including the preparedness of the client and how well it responded to the initial indicators of compromise (IoCs).

Our team recommends a few best practices to potentially prevent a ransomware infection, or at least mitigate the effects. Some of these recommendations may sound familiar because they are not unique to ransomware, but are best practices for dealing with many types of security threats.

For example, common initial infection vectors for ransomware include phishing emails and compromised third-party websites. Proactive defenses, including using multifactor authentication (MFA), can help prevent an initial infection. And because attackers can leverage credentials to move laterally in the environment, it’s important to reduce credentials theft with MFA as well.

Beyond those essentials, an advanced approach to prevention includes threat hunting, which helps security teams discover actors who might have already infiltrated the environment, so responders can identify and address them before they execute their malware. Probing your own systems for weaknesses using ethical hackers can help identify gaps in your defenses.

Organizations should also have a well-documented incident response plan in preparation for an attack. But that plan can’t sit on a shelf until it’s needed. Organizations should rehearse and test their incident response plans so security teams, department heads from human resources, public relations, finance and other key leaders can experience the potential impact of a breach and understand what they need to do to respond effectively.

Finally, no ransomware plan is complete without backups. As a last resort, tested and offline backups can help your organization get back up and running after a ransomware attack.

Wendi Whitmore
Global Lead for X-Force IRIS, IBM

Wendi Whitmore is a technical leader with 15 years of diverse experience in incident response, proactive and strategic information security services, intelli...
read more