The small city of Riviera Beach, Florida, has agreed to pay attackers over $600,000 three weeks after its systems were crippled by ransomware.
The city council has authorised its insurance company to pay 65 bitcoins to the cybercriminals who infected their system on 29 May 2019.
The Palm Beach Post reported that an employee in the City Police Department infected machines across its network by opening an email.
The attack on the city, a suburb of West Palm Beach with a population of 35,000, took all its operations offline. Email went down and officials had to resort to hand-printed cheques to pay employees. 911 dispatchers were also unable to enter calls into computer systems, said reports.
On 5 June 2019 the City posted a terse online notice reporting a ‘data security event’. No further updates appeared on its website or Twitter account.
Councillors had already authorized $941,000 to pay for 310 new desktop computers and 90 laptops after the attack, expediting an already overdue refresh of old equipment.
In paying the ransom, the council is relying on advice from external security consultants, said spokesperson Rose Anne Brown, adding that there was no guarantee the files would be restored.
Waiting to make the payment has cost Riviera Beach even more money. On 30 May 2019, the day after the infection, the ransom equated to $540,765 at Bitcoin’s closing price (via CoinMarketCap). As of yesterday, 20 June 2019, it amounted to $619,265. Bitcoin’s volatility can make an already tense situation even more problematic for victims.
Coveware, which advises companies on ransomware recovery, said in its Q1 2019 report that 96% of companies paying a ransom received a working decryption tool, but the recovery success rate varied according to the type of ransomware used. GandCrab’s attackers issued the decryption tool reliably (their system was automated), while Dharma was much riskier. On average, decryption tools recovered 93% of the decrypted data, again varying by ransomware type.
Email phishing – the technique that nobbled Riviera Beach – accounted for 30.4% of ransomware infections during Q1, Coveware added.
This attack follows a ransomware attack on the City of Baltimore, which refused to pay its attackers 13 bitcoins (worth about US $100,000 at the time). The attack will ultimately cost over $18m, including lost or deferred revenue due to slowed payments.
Successful attacks on local governments in the US demonstrate a need for better cybersecurity. In 2016, the International City/County Management Association (ICMA) surveyed 2,423 local US governments and got 411 responses. It found that only 34% had a formal, written breach recovery plan and only 48% had a formal, written cybersecurity plan. The biggest barrier to effective cybersecurity was a lack of funds.
This isn’t the only cyberattack this month on a Florida community. The State’s Lake City suffered a malware infection on 10 June 2019, which used three attack methods in concert. The attack, which was not followed by a ransom demand, took down city email systems, landline phones and credit card services according to a statement from the City. Two days later, it was recovering from the attack and had emails back online.
Sophos products can help
Sophos Intercept X Advanced protects against ransomware. Learn how it detects and blocks attacks over on Sophos News.
Denise
Why would you pay the ransom! Absolutely absorb! If you pay the ransom you’re only giving them permission to do it again! Wake up people!
Marc
Any information on what security preventions they had in place? Firewall/AV etc…
Would be nice to know how the attacks are getting through sytems
Josh
With an email based attack like this one the firewall mostly wont help (maybe some geo blocking for email on the way in or command and control on the way out but unlikely out of the box functionality), the anti virus wont help, it is trivially easy to defeat signature based antivirus by modifying the file slightly to create a virus that has never been seen before.
There are some AV products which do behaviour monitoring and other fancy acronym’s which can help (I think Sophos has one called intercept X?) but attempting to block the ransomware should only be part of the defence strategy, you really need layers including proper separation of permissions and networks, proper offsite backups which cannot be accessed by normal users, network behaviour monitoring systems and devices (if the network is big enough to allow) etc.
Relying at any stage on a single product no matter how good is not a security strategy in this day and age.
Mark Stockley
I agree with everything you said after “attempting to block the ransomware should only be part of the defence strategy”. Security software needs to operate as part of a defence in depth strategy. No layer is perfect and different layers help in different ways, so multiple overlapping layers are needed.
We tend not to bring Sophos products into our articles, but since you mentioned them let me elaborate: yes, the Sophos virus engine has included various forms of heuristics such as suspicious behaviour detection and monitoring, and generic virus family matching, for at least a decade and a half. In addition to this, CryptoGuard spots ransomware-like behaviour, stops it and rolls it back. In addition to that, Intercept X breaks with the signature-based-and-then-some tradition and uses sophisticated artificial intelligence to detect malware and exploits. Application Control and Potentially Unwanted Application rules help you control who can use the off-the-shelf software that modern attackers rely on, that isn’t malware, such as PSExec and PowerShell.
Obviously a Firewall won’t stop an email coming in (an email gateway might) but XG Firewall can isolate an infected machine.
Mahhn
Since criminals know they will pay, this will cost them much much more in the following years. Never negotiate with terrorist. Once you give in, they own you.
Tom Lund
How does this keep happening? I know from experience that many organizations think of tech as an unnecessary expense, When I worked as a sysadmin I had backups of backups, onsite (connected only to the device when running a backup), in the cloud, on NAS devices and departmental backups. I lived in dread of a ransomware attack. I analyzed network traffic for unusual activity. I’m pretty sure that’s what sysadmins are supposed to be doing. So what are all these places that get hit missing?
Mahhn
The most likely thing missing is people using common sense (with Email).
When a hacker emails a link, and it goes to a site that has a clean reputation (and maybe redirected after) that was converted to a delivery system, most if not all web filters will miss it. If the code was written that day or very recently and maybe was auto downloaded encrypted or zipped, it bypasses AV and FW detonators. Bam. All because Kenny didn’t look at the Sender (do you know them), or notice crap grammar, or wondered what would happen since his AV should magically protect him from stupidity. No Kenny, its not the AV or web filters fault, its yours. So Kenny got a virus and died, Kyle, Cartman and Stan will miss him, until the next episode.
Josh
If your systems are in a state where you are relying on users to do the right thing 100% of the time you are in trouble. This is not your home computer your talking about this is a 200 + user network
Anonymous
Same thing I’m wondering. We’re out here in Africa, and we know the importance of backups of backups. We’ve only been hit twice and we told them to f off because we had successful backups running.
Epic_Null
Maybe a better preview mode for email attachments could help reduce the chances of someone opening a malicious attchment, since an effective preview mode would allow the contents of PDFs to be viewed but not run? There are multiple legitimate reasons for people to view PDFs from unknown emails (For example, if said PDFs contain forms that need to be filled out by clients and submitted to the company), and email spoofing is still very much a problem, but not many reasons to have non-text/image objects in PDFs.
IT-GUY
It continues to astound me that people responsible for these systems appear to have no data recovery processes to mitigate these activities!
Brian Shorten
I agree with Tom. Disconnect from the internet to prevent further malware, purge the infected machines or buy new, restore from backups, rescan all machines, reconnect to the internet, increase your security including raising staff awareness. I’m not a techie so am I missing something?
anonymous coward
Yeah, don’t reconnect to the Internet. There is really no reason why most municipal computers need Internet access. Connect them to an intranet for communicating with other workers and transferring files, but stay off the Internet. It will also help productivity by keeping municipal workers away from distractions.
Glock Durkel
1. Ever heard of data backup?
2. TRAIN your stupid end-users, if they’re un-trainable, get rid of them, they’re clearly a very expensive, realized liability..
3. NEVER, I mean NEVER negotiate with Terrorists of any kind.