You’ve probably heard by now that hackers recently held the City of Baltimore’s computers hostage, as they have with a number of other city governments. They did so for two weeks before the City leadership took action. City leaders refused to pay the ransom. But at what cost?
On May 7th, hackers demanded 13 bitcoins (nearly $100,000) to release thousands of Baltimore City’s government computers that they seized during a ransomware attack. This held up many of the services and processes its citizens rely on.
Their systems were held hostage for two weeks before the City took steps to revamp its computer systems. How much did this cost? The City estimated $18.2 million as it began to restore email accounts.
Should They Have Paid The Ransom?
Why did Democratic Mayor Bernard C. “Jack” Young refuse to pay the ransom? The Baltimore Sun reported that he said:
“We’re not going to pay criminals for bad deeds. That’s not going to happen.” He added that even if the City were to pay the ransom, “there’s no guarantee that if you pay, you reset your system.”
While the estimated cost of recovery is much higher than the ransom, the City still likely would have needed to spend money to bolster its defenses to prevent a future breach.
This is Baltimore’s second ransomware attack in a little over a year. Another shut down their 911 system for a day. Even though they’ve come under scrutiny for their handling of both attacks, they thought it better to spend the money to update their systems than to pay the ransoms.
What Have Other Cities Done?
These and other ransomware infections raise the question: Should you pay to get back your computer access or refuse, even if it will cost you more to recover in the long run?
In 2018, hackers held the City of Atlanta’s computers for ransom and demanded they pay about $50,000 in bitcoins. They refused, and according to a report, the attack wound up costing the City $17 million to fix.
A similar attack shut down government computers in Greenville, North Carolina, in April. A spokesperson for Greenville told the Wall Street Journal that the city never wound up paying the ransom. They were able to get their services back online because they were prepared in advance.
Some Believe That You Can Negotiate With Hackers
According to Bloomberg, the payment approach works only when negotiations continue in private even as the target ties its hands in public. They say that it appears Baltimore allowed the costs to mount and that no back-channel negotiations were taking place. They say that absorbing $18 million in losses is not a rational negotiating tactic to reduce a demand of $100,000.
The FBI Says Not To Pay
However, the FBI doesn’t advise that you negotiate or even communicate with cybercriminals after a ransomware attack. Nor do they advise paying the ransom.
They have expressed concerns over the unchallenged growth of ransomware attacks as a result of businesses paying ransoms. They urge victims to not give in to the demand for payments unless all other options are exhausted.
They report that there are serious risks to consider before paying the ransom.
- Paying a ransom doesn’t guarantee that you’ll regain access to your data. In fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
- Some victims who paid the demand have reported being targeted again by cyber actors.
- After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
- Paying could inadvertently encourage this criminal business model.
What Should You Do?
The FBI advises that you prevent ransomware from occurring in the first place. Being prepared is much less costly than paying ransoms or recovering from ransomware.
Here’s what they suggest that CEOs and business owners ask themselves:
1. Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
3. Staff Training: Have we trained staff on cybersecurity best practices?
4. Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?
5. Application Whitelisting: Do we allow only approved programs to run on our networks?
6. Incident Response: Do we have an incident response plan and have we exercised it?
7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
8. Penetration Testing: Have we attempted to hack into our own systems to test the security of systems and our ability to defend against attacks?
How Should You Respond To A Ransomware Demand?
The FBI advises that you implement a security incident response and business continuity plan. (This is the backup and disaster recovery plan set up by your IT service company.)
They say that all organizations should maintain and regularly test backup plans, disaster recovery plans and business continuity procedures.
In the meantime, take steps to maintain your company’s essential functions according to your business continuity plan.
Plus, be sure to contact law enforcement and a local FBI field office immediately to report the ransomware event and ask for assistance.