It’s easy to assume that ransomware has become so unstoppable that criminals can almost name their price to reverse attacks.
While there is evidence that many victims pay up, it looks as if a growing number don’t, either negotiating a smaller ransom or simply refusing to play ball.
One organisation that decided it wanted to be in the latter camp is the city of New Bedford in Massachusetts, which has released details of an attack by a variant of the Ryuk ransomware in the early hours of 5 July 2019.
The attack quickly encrypted 158 workstations (4% of the city’s computers) but would have been even worse had it struck later in the day when more computers were turned on, the City now admits.
Departments such as fire, police and emergency 911 dispatch were unaffected, helped by engineers quickly disconnecting other systems to stop the infection spreading. Even so, that left the arduous task of rebuilding the network and restoring applications – that still continues two months on.
When consultants employed by the City reached out to the attackers by email, they were met with a demand for Bitcoins equivalent to $5.3 million. New Bedford Mayor, Jon Mitchel, said in a video account of the attack:
While I am generally averse to engaging in negotiations of this kind, I concluded it would be irresponsible to dismiss out of hand the possibility of obtaining a decryption key.
The City had insurance coverage for ransom payments, he said, and reasoned that negotiations would buy time to mitigate any follow-up attack.
When he made a counteroffer of $400,000 in line with the current going rate of ransomware attacks of this kind, the attackers stuck to their original, inflated demand.
Result? Negotiations stopped, the attackers got nothing, and the City resolved to undo the damage on its own.
The devil rides out
Since appearing in 2018, variants of Ryuk (named after a character in the manga series Death Note) have been blamed for numerous attacks in the US and beyond and there is no sign of them slowing down.
Defenders can tip the balance in their favour by having a plan to cope with ransomware, for example, by mandating that staff disconnect valuable systems immediately and ensuring they’ve segmented their networks to minimise its spread. They can also resort to backups – but even when available, getting these back up and running can be a time-consuming process.
However, as the City of New Bedford incident underlines, ransomware’s success always depends on how victims react to the often steep ransoms.
The obvious example is the March 2018 ransom attack on the City of Atlanta, which eventually decided not to pay the ransom and instead take a reported hit of up to $9.5 million in clean up costs.
It was a brave decision that didn’t go unnoticed. After years of rising ransom demands, has Atlanta’s unexpected revolt steeled others in the US to take a stand?