When it comes to ransomware attacks this year, it’s been a tale of three cities.
In May, the city of Baltimore suffered a massive ransomware attack that took many of its systems down for weeks — restricting employees’ access to email, closing online payment portals and even preventing parking enforcement officials from writing parking tickets. After the attack, the city’s mayor said several times the city would not be paying the extortion request, but it’s still expected to cost the city more than $10 million to recover.
But two cities — albeit smaller ones — in Florida chose to take a different route. Last month, the governments in Lake City and Riviera Beach chose to pay off their attackers in exchange for the return of their data after ransomware attacks, though they still face some work in decrypting the stolen data.
The cities paid the hackers a combined $1 million in Bitcoin — and researchers say these kinds of attacks aren’t going to slow down. So when the next city or state government gets hit, should they pay up, or start the long process of manually recovering their data? We asked experts from Cisco Talos and Cisco Security to weigh in.
We asked all of them the same question: Should city governments be paying ransoms in ransomware attacks? What are the benefits of paying ransoms? What are some of the potential drawbacks? Their answers are below and have been edited for clarity.
It’s worth noting that, in many cases, it makes more fiduciary sense for cities to pay the ransom and spend time decrypting their data than spending the money to restore all of their systems. For example, last year, Atlanta spent roughly $17 million to recover from a ransomware attack when the attackers had initially requested an extortion payment of $52,000.
Be sure to tune into the next Beers with Talos podcast, where the hosts will discuss some of their answers and the reasoning behind them.
Craig Williams, director, Talos Global Outreach: Paying the ransom should be the last resort of any cybercrime victim for several reasons. This is especially scary from a health care perspective. If a government actor could tamper with a primary target’s medical record under the guise of a ransomware campaign, for example, they may be able to get away with harming the primary targets undetected. How do you know the data has not been accidentally corrupted? There are several things that could go wrong even if the ransomware author is trying to do the right thing. The fact that you cannot verify the data’s integrity should be of concern.
Another negative impact around paying the ransom is that you are literally funding the budget for the people attempting to compromise you. It might be more cost-effective to bite the bullet, shut down the network, and redesign it with proper security architecture in mind.
Joel Esler, senior manager, Talos Communities Division: Paying ransom is essentially aiding the enemy. You're funding the bad guys with absolutely no guarantee that you will get your files back, or that the attacker hasn't left a backdoor to come back in again.
Additionally, the vulnerability that caused the attacker to infect your systems in the first place is still present. It is far preferable to have a good backup strategy now before you get hit. Then, if you do get hit, wipe the computers, restore the backups, and before bringing everything back online, patch your systems, perform remedial user training, etc. Ransomware or not, the computer is no longer trusted after a cyber attack.
Mitch Neff, senior marketing manager, Talos Communities Division: I learned an important first lesson in business back when “business” was cutting grass and slinging newspapers: It is easier to generate revenue from existing customers than it is to find new ones. If you let me cut your grass for $10, I would keep my eyes on your lawn and show back up as soon as it looked shaggy. The only sure-fire way to keep me gone once you paid me was to spend a lot more than I was charging on a new lawn care plan.
Paying the ransom makes you a customer of the threat actor, and other actors will compete for your (unwilling) business. The ransom itself is only the initial cost and doesn’t advance you any further than you were at the moment of the breach. Notifications, security training, and retooling security platforms to address the root cause will be much more expensive. An ounce of current backups and disaster recovery planning is worth a pound of ransom money.
Brad Garnett, manager, Cisco Incident Response: We generally do not recommend organizations pay the ransom. First, ransomware is often the byproduct of an ongoing compromise spanning weeks, months, or even years. Ransomware continues to evolve and so does its anti-forensic capabilities that allow the adversary to clear event logs and destroy other critical forensic evidence. Next, paying the ransom does not remove the adversary from your environment, nor fix security underlying security issues that the adversary may have leveraged to gain an initial foothold on your network.
There's a recent uptick in municipalities and local government entities falling victim to ransomware attacks and paying the ransom to recover data. The decision to pay a ransom should only be considered in the most extreme cases and this should be viewed as a business continuity/disaster recovery workflow (not a forensic investigation, nor the fast-track to recovering an environment).
Chris Marshall, director, Cisco Talos: I must look at this beyond the view of just a security leader. Victim businesses that find themselves in that difficult situation must determine in a very short time frame if their own staff, incident response capabilities and partner vendors can right the ship to get it all sailing again. The risk must be judged to see if the cost is worth the attempt to get that data back or if these resources can do it within a reasonable timeframe. There are no guarantees in either direction. While the majority opinion seems to be to not pay, to not fund the malicious actor, to not take the gamble of a possible recovery, sometimes it’s worth the risk to that business.
Nigel Houghton, director, Cisco Talos Operations Division: This is a business decision. There are things that need to happen simultaneously after an infection is discovered: An external security team needs to be brought in to do forensics, assess the damage, validate findings and more at the same time in-house IT security need to be working on restoring backups (if possible) and fixing the entry vectors identified by the forensics team. Meanwhile, another external resource needs to be engaged to deal with the criminals demanding the ransom. At some point, all parties involved need to come together with lawyers and executive leadership, possibly including law enforcement, to determine the best course of action, basically to pay the negotiated ransom or not. This is not a simple “never pay the ransom” or “just pay the ransom” resolution.