A Florida city has agreed to an astonishing $600,000 ransom payout to hackers that took over its systems three weeks ago.
According to AP, Riviera Beach City Council voted unanimously to give in to cybercriminals’ demands to free the records encrypted by the hackers. The council had already voted to spend almost $1 million on new computers and hardware following the incident.
And the records weren’t the only issue–the email system had been disabled, employees and vendors were being paid by check and 911 dispatchers weren’t able to enter calls into the computer.
It is thought the hackers accessed the city’s system after an employee clicked on a phishing email link.
Huge payout
It is one of the largest known payouts, but it’s not the biggest. In 2017, a South Korean web host agreed to pay the equivalent of $1 million when ransomware attacked more than 153 Linux servers the provider hosted, locking over 3,400 websites.
While the FBI didn’t provide a comment on the Riviera Beach attack, it has confirmed that 1,493 ransomware attacks were reported last year. This saw a total of $3.6 million being paid to hackers—about $2,400 per attack. This latest ransom will add significantly to that figure.
Paying the ransom certainly isn’t ideal, since it encourages criminals to perform more attacks. But the council said it had been working with outside security consultants, who recommended the ransom be paid. The payment will be covered by insurance.
The FBI in the U.S. and the National Cyber Security Center in the U.K. advise against paying out to ransom hackers. As AP points out, Baltimore refused to pay hackers $76,000 after an attack last month.
However, many firms and organizations have given in to cybercriminals’ demands. They see it as the only way to release valuable data, especially if they don’t have backups of the relevant information.
Naaman Hart, cloud services security architect at Digital Guardian says: “I can say with almost certainty that this isn’t the largest ransom pay out. Individual government organizations and businesses don’t routinely release this information as it’s highly embarrassing.”
Part of the cybercrime problem
Ian Thornton-Trump, security head at AMTrust Europe, says by paying the ransom, the council becomes part of the cybercrime problem. “They have now provided venture capital directly into the hands of the criminals. It’s appalling and in my opinion should be illegal.”
This incident is another warning that organizations need to shore up their defenses and have sensible backup procedures in place, says Chris Boyd, malware analyst at Malwarebytes
He points out that by not having backups, organizations are attracting “bigger and better attacks”, given that hackers know that municipal hijacks are “where the big money lies.”
Boyd adds: “It's also hard to advise consumers not to pay up when they see councils and businesses handing over large sums of money. It almost legitimizes the process, ensuring that we'll never be rid of ransomware threats while criminals continue to profit from it.”
Even without large ransom payments, it can still cost a fortune to clean up an attack. “When the city of Atlanta couldn't pay a $50,000 ransom, they eventually burnt through at least $2.6m in emergency response, clean up, forensics, additional staff, and more,” Boyd says.
“The message is clear–take these threats seriously because multiple big payments guarantee that hackers will keep coming back for more."
Indeed, Thornton-Trump says this latest mega-payout sets a very bad precedent. “Do you know how much programming skill can be purchased when ransoms like this are being paid out?
"In developing countries $600,000 could buy a malicious programmer army and it will lead to more dangerous malware–more sophisticated and prevalent. It’s a vicious circle: the input is ransoms and the output is higher risk.”
Update: June 26 08:33 ET
Another Florida city has decided to pay a ransom to hackers to regain control over computer systems. The mayor of Lake City told CBS 47 Action News Jax on Tuesday that the small city in northern Florida would give hackers $460,000 to hand back control of email and other servers seized two weeks ago. Added to the $600,000 Riviera Beach City Council payment, the total ransom payout for the two Florida cities has now hit $1 million in just over a week.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb says: “With such lucrative and easy stakes on the table, cybercriminals will now willingly invest to prepare sophisticated, hardly-detectable and well-targeted campaigns. Worse still, such cybercrimes are almost uninvestigable due to technical issues and payments in cryptocurrency. It’s a paradise for black hats.
Kolochenko advises potential victims to start seeking additional funding to “protect themselves without delay.”
