Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/16/2019
11:10 AM
100%
0%

US Mayors Commit to Just Saying No to Ransomware

The group of more than 1,400 top elected municipal officials takes the admirable, recommended stance against paying ransoms. However, can towns and cities secure their information technology infrastructure to withstand attacks?

From small towns such as Lake City, Florida, to large metropolises such as Baltimore, Maryland, municipalities have become a major target for ransomware groups. Now, more than 1,400 US mayors have taken a stance against paying out ransoms to the cybercriminals that target their systems and data. 

In a resolution signed at the US Conference of Mayors earlier this month, the top elected officials of every city of more than 30,000 citizens committed to not paying ransoms to the cybercriminals that encrypt data and demand payment to unlock the information. The resolution came just days after Lake City, a town of 12,000, paid $460,000 and weeks after Riviera Beach, Florida, a town of 35,000, paid $600,0000 to regain access to their respective systems.

In the resolution, the US Conference of Mayors estimated that at least 170 county, city and state governments had suffered a ransomware attack since 2013, with 22 of those attacks occurring just this year.

"[P]aying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit [and] the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," the group said in its resolution to refuse to pay ransoms.

The pledge to not pay comes as municipalities are being explicitly targeted by ransomware gangs. The list of towns and cities suffering from ransomware include large metropolises, such as Baltimore and Atlanta, and small towns, such as Lake City and West Haven, Connecticut.

While law enforcement officials and security experts have long recommended that ransomware victims do not pay the cybercriminals, they have accepted that some organizations have to pay to recover from a ransomware disaster. As municipalities, counties, businesses, and government agencies have increasingly been successfully targeted, however, some security professionals have accepted that they will eventually need to pay. Analysts have even urged companies to be ready for the eventuality that they will have to pay ransoms

That makes the mayors' announcement stand out that much more, says Akshay Bhargava, senior vice president of cybersecurity firm Malwarebytes. "I really respect the mayors and cities for taking this stance," he says. "Victims are going to have to take a stronger position, and this is an important first step."

Whether or not towns and cities will be able to secure their networks and systems enough to be ready for ransomware is another question. Attackers called on Atlanta to pay $52,000 to unlock systems two years ago. The city refused, and then paid at least $2.6 million to fix its corrupted systems

Yet such will is needed to remove the incentive for attackers to go after specific industries or government agencies, says Monique Becenti, product and channel specialist at SiteLock. "Until every organization can make a pact refusing to pay ransomers, there is always going to be that one organization that will be willing to pay a high-dollar amount to retrieve their stolen data all because they never had a backup," she says. 

The key to not paying a ransom is to be able to quickly and completely recover after an attack, Mickey Bresman, CEO of Semperis, a provider of identity-based security, said in a statement. "Having the right type of disaster recovery plan, with a cyber recovery first approach, will allow local government to have better ability to bounce back and not be a helpless victim," he said. "Recovery plans combining clean and validated backups with automation will hopefully make the ransomware crime unprofitable and a thing of the past."

But even organizations that could recover from a ransomware attack often choose to pay the ransom instead because recovering from secondary storage can take a long time and require a great deal of manpower. To really be ready for a ransomware attack, organizations must have the ability to quickly recover from backups.

"Businesses of every size need to invest in protecting their data from ransomware and other attacks," Becenti says. "They can do this by implementing a viable backup solution for all internal data that is being collected electronically.... Having solid data backup in place takes away any leverage attackers have over you."

Still, even organizations that pay ransoms should have a backup solution because ransomware attackers cannot always recover the data that they encrypted, she adds.

The fact that municipalities have committed to not paying ransoms will likely cause others to follow suit, says Malwarebytes' Bhargava.

"I do think this is a start of a trend, not a one-off," he says. "More and more, you will see other governments, states, around the globe, and organizations saying, we want to take a strong stance."

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
7/17/2019 | 8:59:40 AM
Re: Correct response
Let us see if these same people commit to hiring QUALIFIED IT PROFESSIONALS and maintain a tested disaster recovery and backup plan??   Betcha a bunch won't do that and claim cost as an issue.
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/17/2019 | 7:58:25 AM
Re: Correct response

I agree, but the problem with Georgia or Florida agencies (government) is they did not have the resources in place to address the problem (ransom payments 10K, 600K and 450K). It would have taken them months to recover (time-sensitive, case and healthcare situations). In the instance of one agency, they spent 1.2 million to recover, put in mitigating procedures but the ransom was only 50K (they lost in countless areas; did they really address the problem?).


 

In certain instances, you have to weigh the cost, there was an instance where the captors provided a way to recover part of their data (proof). So it is hard to determine if they are telling the truth or not, in this instance, they obtained proof. But in the case of the FBI (https://www.fbi.gov/investigate/cyber), they say not to pay them but when the mayor or governor is asking for pertinent court or hospital information that could affect the lives of others, I don't think it is so cut and dry, you have to weigh your options (in this case the Mayor stood by his beliefs).

RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/16/2019 | 2:20:20 PM
Correct response
This is always the correct response. You operate under two assumptions if you don't. You expect your non-ethical attackers to act ethically and return your data after payment. Secondly, that they won't try to sell that data even after its provided to you. They could also maintain their foothold and just compromise your data all over again. Rinse and repeat. Always smartest to cut your losses and look to mitigate their present entry and proactively ensure that you do not end up in this situation again.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...