Ransomware attackers, US mayors say you should go jump in a lake

In May, the US city of Baltimore was partially paralyzed when a ransomware attack seized parts of the government’s computer systems.

The data-kidnappers demanded 13 Bitcoins, worth about US $100,000 at the time.

Would the city cough it up? Or would it tough it out, knowing that lining the attackers’ pockets only encourages them to attack other government systems, and that paying is no guarantee they won’t come back to gouge away more?

At the time, Baltimore Mayor Bernard “Jack” Young said that the city might eventually pay up, but at that point, he was leaning toward the “no” camp.

Eventually, Mayor Young didn’t just lean toward no: he signed up whole hog with the “Go toast yourself” camp, sponsoring a resolution unanimously approved by the US Conference of Mayors last month, calling on cities to not pay ransom to cyberattackers.

Be it resolved: You can go suck on a lemon

There are 1,407 US cities with populations of 30,000 or more that make up the membership of the nonpartisan Conference of Mayors. It’s not binding, but this is the resolution that they all agreed to at their 87th annual meeting last month in Honolulu:

Opposing Payment To Ransomeware [sic] Attack Perpetrators

WHEREAS, targeted ransomware attacks on local US government entities are on the rise; and
WHEREAS, at least 170 county, city, or state government systems have experienced a ransomware attack since 2013; and
WHEREAS, 22 of those attacks have occurred in 2019 alone, including the cities of Baltimore and Albany and the counties of Fisher, Texas and Genesee, Michigan; and
WHEREAS, ransomware attacks can cost localities millions of dollars and lead to months of work to repair disrupted technology systems and files; and
WHEREAS, paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit; and
WHEREAS, the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,
NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.

The Conference of Mayors’ numbers are backed up by a report published in May 2019 by US cybersecurity firm Recorded Future. The report says that ransomware attacks against state and local governments, while on the rise, are underreported.

There’s no ransomware reporting requirement

Such attacks aren’t always publicly reported – there’s no equivalent of the UK’s watchdog, the Information Commissioner’s Office (ICO), or of the General Data Privacy Requirements’ (GDPR’s) strict rules (and breathtaking fines) about reporting breaches to ensure that anybody knows about ransomware attacks against government agencies.

Recorded Future’s Allan Liska gives a shout-out to local reporters on this front:

A lot of the information I was able to find was in local papers or local television news reports, which makes sense – most of these incidents are not ‘big enough’ to be considered national news, so local journalists would be the only ones covering them.

Liska noted that the cut-off for the Recorded Future report was the end of April 2019. But since then, there have been at least three new ransomware attacks against state and local governments: Lynn, Massachusetts (twice: one attack against its schools, and then one against its online parking payment system); an attack against online bill pay in Cartersville, Georgia; and Baltimore, with the May attack being at least the second time the city has been hit. The first (publicly reported) attack was in 2018, when attackers went after Baltimore’s emergency service dispatchers.

Just in Florida alone, we’ve seen these cities get hit over the past few months:

  • Riviera Beach, Florida, which agreed to pay attackers over $600,000 three weeks after its systems were crippled.
  • Lake City, Florida, which was hit on 10 June 2019 by Ryuk ransomware, apparently delivered via Emotet. Lake City officials agreed to pay a ransom of about $490,000 in Bitcoin.
  • Key Biscayne, Florida, which got clobbered by an Emotet-delivered Ryuk attack. The city reportedly hasn’t yet decided if it’s going to pay the ransom.

…and earlier this month, it was Georgia’s court system.

In fact, Liska said, he dug up ransomware attacks in 48 states and the District of Columbia. That leaves only the states of Delaware and Kentucky with no (publicly reported) ransomware attacks.

That doesn’t mean those two states haven’t been attacked, mind you, Liska said. He pointed to an example of a writeup of an attack against a Utah county that said that …

The FBI is aware of other ransomware attacks on other Utah governments.

… but he couldn’t find public reports of attacks against other Utah government agencies.

It’s a good reason to continue to support your local news outlets.

What to do?

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

The bottom line is: if all else fails, you’ll wish you had comprehensive backups, and that they aren’t accessible to attackers who’ve compromised your network. Modern ransomware attacks don’t just encrypt data, they encrypt parts of the computer’s operating system too, so your backup plan needs to account for how you will restore entire machines, not just data.

For more on dealing with ransomware, listen to our Techknow podcast:
