So what do you do if you are the manager or elected official of a small municipality or rural county and your IT infrastructure, storage data and services are incapacitated by a ransomware attack? That is a question that management, mayors, councils and board members need to start asking themselves.
The town of Riviera Beach, Florida recently paid $600,000 in ransom to hackers that had breached their system and encrypted all of the city’s records. The attack took place on May 29, when an employee within the city’s police department opened an email attachment laced with malware that initiated the ransomware attack. The infestation took down email, phones and police records before spreading to the public works department, the city attorney’s office, library, and other local government offices.
With city services shut down, including 911, the city council voted to authorize the city’s insurance company to negotiate ransom terms with the perpetrators of the attack. The final agreed amount was 65 bitcoins (a value of $600,000), upon which the hackers were to provide the decryption key to regain access to the data. At this time, it has not been reported as to whether the key has been obtained or not.
Why did the City Pay?
The question of whether to pay the extortion demand for a ransomware attack is hotly debated. The FBI and most IT professionals recommend that victimized organizations not make any ransom payments whatsoever. There are several valid reasons not to pay the ransom:
- There is no guarantee that the hackers will send the promised encryption key
- Payment may encourage repeated strikes against the organization in the future
- Successful ransomware attacks inspire more hackers to get involved in this type of extortion
While these are certainly valid points, choosing not to pay can have disastrous consequences. The City of Atlanta has spent $17 million on a ransomware attack it endured over a year ago after refusing to pay the $52,000 ransom. Similarly, the City of Baltimore refused to pay a $75,000 ransomware, a decision which has cost them over $18 million in the cleanup. Besides the extravagant financial costs, residents of both cities were denied key government services and information access for weeks on end. Unlike these large metropolitan cities that are supported by large diverse tax bases, however, towns such as Riviera Beach don’t have the financial means nor the expertise on hand to recover from these types of attacks themselves. Rivera Beach has a 22 percent poverty rate so the town has to maximize every dollar it brings in. In fact, the city council said that it had been working with outside security consultants who recommended it be paid.
The Perfect Storm
The hackers picked their target well. The coastal town of roughly 35,000 residents had been besieged by constant turnover in its management as well as a series of scandals that brought about a voting referendum to oust four of the five city council members and the mayor. At the time of the attack, the city was under the management of its second IT Interim Manager in a row as well as its third Interim City Manager. As a result of the constant turnover, a cybersecurity contract had been allowed to elapse which left the city unprotected. What’s more, the city’s data infrastructure had not been upgraded since 2012 and had reached End of Life (EOL). Although the city had taken the steps to alleviate all of this upon discovery, like many municipalities, the purchase and implementation process is slow. At the time of the attack, the new system had not yet been implemented.
Unfortunately, the story of Riviera Beach is not uncommon. The fact is that due to budgetary issues and a lack of cybersecurity or even basic IT talent, many municipalities and counties fall short in protecting their cyber assets. When one considers the hundreds of counties, school districts and incorporated towns within a single state in the U.S., the realization that all of these government entities are responsible for their own cybersecurity begins to look daunting. It is the inherent weaknesses of municipalities that make them such ideal targets for hackers. Compound this with the fact that corporations and businesses have put intense focus on better cybersecurity hygiene to deter these types of attacks, and it’s easy to see why local government have become low hanging fruit for cybercriminals.
Hackers are no different than the rest of us, they pursue and follow opportunity and rewards. The ease at which the perpetrators of this attack were able to obtain so much money in a single attack is sure to encourage more attacks like this in the future. Caving into the extortion is certainly not in the collective interest of statewide municipalities, but unfortunately, these entities must act out of their own self-interest in these circumstances. It’s a good bet that the latter half of 2019 will see a substantial increase in these types of targeted attacks and the leadership of smaller local governments need to begin to plan accordingly, with the first question, are we willing to pay a ransom?
Basic Email Security Could Have Saved Florida Towns at least $1 Million in One Month
Just days after the attack, the City of Riviera Beach, agreed to pay $600,000 for the decryption key. In May, Lake City Florida announced that it too had experienced a ransomware attack. The attack featured a trio culmination of nasty malware strains that included Emotet, TrickBot, and Ryuk. Ryuk is targeted ransomware that was originally linked to a North Korean hacking organization but has now been adopted by non-state affiliated hacking groups as well. The attack encrypted all types of data including city permits, email messages, payroll documents, and historical data.
Because the City of Riviera Beach had a cybersecurity policy with an insurance company, it was only liable for its $10,000 deductible in this instance. Because this was far cheaper than not paying the ransom and dealing with the massive undertaking of restore and cleanup, the city council voted to pay the ransom which was negotiated down to $450,000 by the insurance company. The city confirmed that the decryption key had been sent to them within 24 hours of payment and systems were being returned to normal.
The Common Thread of both Attacks
While the malware strains involved in the attacks on Rivera Beach and Lake City were different, there are many similarities between the two attacks. Both municipalities were small and not equipped to defend against a fully committed cyber-attack. They also lacked the resources necessary to remediate the aftermath themselves. Finally, there is one more common thread; they were both launched via a phishing attack.
In both cases, an employee clicked a malware infected attachment that launched the malware infestation. In the case of Lake City, the infected computer then began spamming the contact list of the employee, thus infecting other city computers. Once the infection was dispersed, Ryuk was then launched throughout.
What may have Prevented the Attacks
Two mouse clicks resulted in over $1 million dollars of paid extortion. Unfortunately, this story is starting to be too common as Jackson County, Georgia relented to pay a ransom of $450,000 back in March under similar circumstances. Although we do not know what type of defense systems the two municipalities used, a multilayered approach utilizing the basic email security tools may have prevented these two extravagant paydays for the hackers.
In order to combat ransomware, it all starts with an email filtering solution. For small-town municipalities with limited staff and knowledge base, a cloud-based solution such as SpamTitan Cloud is ideal. Cloud-based systems are automatically updated by the vendor so that customers always have the most up-to-date solution, with no required steps on their part.
Paying Ransomware Extortion doesn’t have to be a Reality
It’s been reported a third Florida municipality has been struck by ransomware. The village of Key Biscayne reported that they were also hit by Ryuk and were diligently working to restore operations. While the threat of ransomware and other cybersecurity attacks is part of the new reality all organizations must deal with today, exorbitant ransomware payments don’t have to be the reality. The email and web security solutions are available and local, state and national governments must work at finding how these solutions to prevent these million dollar losses in the future.
In order to stop ransomware, an email protection system must be able to intelligently identify and strip away malware. This makes it serve as an antivirus gateway as well. Because so many smaller organizations use cloud-based email solutions such as Office 365, it is important to have a solution that is designed to fill in the missing security gaps that continue to plague these cloud-based service offerings.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a critical component to combat phishing attacks. DMARC incorporates Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) along with DNS records to determine if an email server is registered and authorized to send email for a designated organization. DMARC can be very effective in stopping the spoofing of internal accounts such as managers and HR personnel that organizational members are likely to respond to. While DMARC can be confusing for those unfamiliar with it, TitanHQ makes it easy as it is an integrated part of its protection suite.
With more than a million new malware threats are introduced each and every day, this has necessitated the need for organizations to incorporate some type of sandboxing solution into their security layer. Emails with email attachments or embedded links can be isolated in a quarantined environment where they undergo sophisticated analysis to determine if they are indeed safe or not. This is why TitanHQ now offers sandboxing as an integrated part of the SpamTitan email filtering service to its customers.