It’s easy to assume that ransomware has become so unstoppable that criminals can almost name their price to reverse attacks.
While there is evidence that many victims pay up, it looks as if a growing number don’t, either negotiating a smaller ransom or simply refusing to play ball.
One organisation that decided it wanted to be in the latter camp is the city of New Bedford in Massachusetts, which has released details of an attack by a variant of the Ryuk ransomware in the early hours of 5 July 2019.
The attack quickly encrypted 158 workstations (4% of the city’s computers) but would have been even worse had it struck later in the day when more computers were turned on, the City now admits.
Departments such as fire, police and emergency 911 dispatch were unaffected, helped by engineers quickly disconnecting other systems to stop the infection spreading. Even so, that left the arduous task of rebuilding the network and restoring applications – work that still continues two months on.
When consultants employed by the City reached out to the attackers by email, they were met with a demand for Bitcoins equivalent to $5.3 million. New Bedford Mayor Jon Mitchell said in a video account of the attack:
“While I am generally averse to engaging in negotiations of this kind, I concluded it would be irresponsible to dismiss out of hand the possibility of obtaining a decryption key.”
The City had insurance coverage for ransom payments, he said, and reasoned that negotiations would buy time to mitigate any follow-up attack.
When he made a counteroffer of $400,000, in line with the current going rate for ransomware attacks of this kind, the attackers stuck to their original, inflated demand.
Result? Negotiations stopped, the attackers got nothing, and the City resolved to undo the damage on its own.
The devil rides out
Since appearing in 2018, variants of Ryuk (named after a character in the manga series Death Note) have been blamed for numerous attacks in the US and beyond and there is no sign of them slowing down.
Defenders can tip the balance in their favour by having a plan to cope with ransomware, for example, by mandating that staff disconnect valuable systems immediately and ensuring they’ve segmented their networks to minimise its spread. They can also resort to backups – but even when available, getting these back up and running can be a time-consuming process.
However, as the City of New Bedford incident underlines, ransomware’s success always depends on how victims react to the often steep ransoms.
The obvious example is the March 2018 ransom attack on the City of Atlanta, which eventually decided not to pay the ransom and instead take a reported hit of up to $9.5 million in clean-up costs.
It was a brave decision that didn’t go unnoticed. After years of rising ransom demands, has Atlanta’s unexpected revolt steeled others in the US to take a stand?
Instead of paying $52,000 to the hackers, Atlanta spent $9.5 million. This is not a “brave” decision. It’s one that is made possible only because it was taxpayer money. You can only afford to do this if it’s someone else’s money.
A lot of victims now buy insurance which covers most of the ransom and see it as value for money to call on it in a time of need. Whether this tactic of treating ransomware as just another IT cost is wise in the long run is a different matter.
Does North Korea back the insurance too? Kinda like the old mob days.. Sure would be a shame if a fire would happen.. but, if you pay us, it will be protected. The government agencies need to get real and understand they (and US taxpayers) are under attack (cyber war) and get real IT personnel hired to handle the systems. This is kiddie hacking, this is government sponsored warfare!
How does that make sense?
If I understand correctly, some victims have paid the ransom and also NOT received encryption keys. That could have happened in Atlanta or the Maryland case. There are no guarantees that the bad guys will honor any arrangements which would ultimately cost even more out of pocket. So, the question is, should the victims take a chance, negotiate with and pay the bad guys further encouraging them? Or take a stand, pay for and learn from the mistakes made and possibly make ransomware less lucrative?
If you pay a ransom, even though it is cheaper, you are rewarding crime. This encourages criminals. If no-one pays ransoms, it isn’t a profitable business even for criminals. It is the same as all the spam email – it may only garner a very low response rate of 0.01% but on millions of emails, which cost almost nothing to generate, you can get a good return. Same goes for ransomware. You could look at it that every ransom paid makes the rest of us more vulnerable. Of course, if cities did not have their IT budgets squeezed so hard, they could afford more modern IT software and systems that would protect them better in the first place.
Flagstaff, Arizona shuts down the school because of malware.
[URL removed]
No real information, typical. It’s supposed to open tomorrow, been down since last Thursday, 5 days.
First, make it illegal to pay the ransom. The criminals will know they are very unlikely to get anything before they start. Most of the victims are governments or public institutions so it would be hard to pay and keep it secret. This would also increase the incentive for the victims to get their house in order and do those things they should have been doing all along to avoid this situation.
Second, contribute to a fund which would offer a reward (a large one) for information leading to the conviction of the perps. If all the victims and potential victims contributed what they would have paid in insurance that would be a substantial amount.