Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance
Infected City Fires IT Manager; New Victims in Florida, Georgia(jeremy_kirk) • July 2, 2019 Photo: Motormille2 via Wikimedia Commons/CCThere's plenty of advice on how to prepare for a ransomware attack, but the message about the importance of backups segregated from the main network doesn't seem to be getting through.
See Also: 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys
Organizations may not be able to prevent their employees from clicking malicious phishing links, but robust backups can help restore order quickly. And it appears - at least in the case of Lake City, Fla., there are unpleasant consequences for those at the top.
The small city in central Florida has fired its IT manager, Brian Hawkins, after ransomware disabled its phone and email systems on June 10, according Gainesville-based broadcaster, WCJB TV20.
Hawkins could not be immediately reached for comment via his LinkedIn profile, which says he has been the IT manager there for five years.
Lake City opted to pay the attackers about $530,000, or 42 bitcoins, to restore access to systems and data. According to its fiscal 2019 report, the city's general fund - which pays for administration, police, public work and recreation - is about $16 million.
But the ransom cost was mostly covered by insurance. The city has a policy with the Florida League of Cities and will only have to cover $10,000 out of pocket. The ransom was paid on June 25, and the city then received the decryption key (see Second Florida City Pays Up Following Ransomware Attack).
Pay Up?
Despite advice from the FBI that organizations should not pay ransoms, the decision is increasingly being looked at from a cost/benefit perspective.
Insurance policies may cover ransoms, and the option may look appealing if the cost of recovery is more than the ransom. And as ProPublica reported last month, some forensics firms that claim to be able to resolve a ransomware infection are actually paying the ransom while passing the cost onto their customers.
Plus, there's the vexing question over who is profiting from the ransom. ProPublica traced four ransom payments made by Proven Data Recovery, a firm based in New York. The payments - made to get the decryption key for a SamSam infection - ended up in bitcoin wallets linked to Iran.
The city of Baltimore, however, refused to pay a ransom after a recent attack and endured an estimated $18 million in recovery costs. The city was affected by the Robbinhood ransomware, which forced the city to revert to manual processes (see: Fingerpointing Over Baltimore's Ransomware Attack).
Photo: Riviera Beach, Fla.But another Florida city, Riviera Beach, opted to authorize its insurance company to pay $600,000 in bitcoin to resolve its woes after a ransomware attack that struck on June 5 (see: Florida City Paying $600,000 to End Ransomware Attack).
More Cities Affected
Other security incidents targeting units of government have surfaced in recent days.
Key Biscayne, a barrier island just off Miami, was hit by some sort of security incident last week, according to a report from the local CBS station and the Associated Press. The severity of the attack is unclear, and the village's website is still operating.
The Miami Herald reported on Thursday that Village Manager Andrea Agha confirmed a "data security event" on June 23. However, Agha reportedly said the city's system were back online by June 26, although some systems were being kept offline and other processes were being performed manually.
And in Georgia, WXIA-TV reports that the state's Administrative Office of the Courts and the Judicial Council of Georgia were compromised in a ransomware attack.
A court spokesman, Bruce Shaw, tells WXIA-TV: "Our systems have been compromised, so we have quarantined our servers and shut off our network to the outside." Court officials found a note on their computers but it did not have a ransom demand.
Shaw tells WXIA that the network has been taken offline. The affected system contains public documents and not personal data. Judges reportedly cannot access their information.
The FBI's Advice
Given that ransomware is having a ferocious run, it's good to review the FBI's advice for CISOs. In particular, the agency has a several words of caution around paying a ransom. First, paying a ransom encourages the criminal business model.
Even after paying a ransom, the FBI says some organizations never received a decryption key. Also, some who paid the ransom were then asked for more money before the key was delivered. Hackers have also targeting organizations again after getting a ransom.
"After systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers," the FBI says. "Victims will want to evaluate the technical feasibility, timeliness and cost of restarting systems from backup."