Should cities pay a ransomware demand?

December 15, 2019 | Sam Bocetta

UPDATE: In a “ripped from the headlines” moment, we have real world confirmation of the growing risk discussed in this article. Breaking news over the weekend revealed that both the city of New Orleans and New Jersey's largest hospital network are in the midst of dealing with serious ransomware attacks.

When you hear about data breaches and cyberattacks in the news, it's usually in connection with a large company and has affected users across the globe. But that gives the impression that hackers only target huge enterprises when planning their next attack. The truth is just the opposite.

Because small organizations, like city and town governments, are forced to work with tight IT budgets but still need to comply with all rules and regulations, they often can't afford to hire cybersecurity experts or invest in expensive software solutions. Hackers know this and focus their efforts on compromising those systems and profiting from the damage.

In this article, we'll look specifically at the trend of ransomware and how organizations should respond when they are attacked.

How ransomware works

When a data breach occurs, hackers often exfiltrate information from a back-end system and look to sell it on the dark web. But more recently, cybercriminals have realized that they can make money without selling anything at all: they simply hold the data for ransom.

Ransomware attacks can begin through a number of different means. Hackers may infiltrate a government's network through social engineering, a phishing scam, or by finding a flaw in access controls. Once inside, they will deploy a form of malware that encrypts all of the files on a local hard drive so that users cannot open, access, or transfer them. These pieces of malware are evolving all the time, which makes it tough for antivirus tools to keep up.

Individuals working in the office will typically see a suspicious screen appear telling them that they have fallen victim to ransomware. The hackers demand a specific sum, usually in Bitcoin, to be paid in exchange for releasing the lock on the files.
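The mechanics just described (many files on a drive rewritten as ciphertext in a short space of time) leave a footprint that a defender can watch for. The following is an added example, not code from the original article, of a simple heuristic that flags a burst of high-entropy file writes to files that have gained an extra extension. The thresholds, the file-change events and the file contents are all constructed for illustration; in practice the events would come from a file-integrity monitor or endpoint agent.

```python
"""Added example (not from the original article): a burst-of-encryption
heuristic for ransomware detection. Events and thresholds are constructed."""
import math
import random
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, List

HIGH_ENTROPY = 7.0     # bits per byte; assumed threshold for "looks encrypted"
WINDOW_SECONDS = 60.0  # assumed sliding-window length for a burst
BURST_THRESHOLD = 5    # assumed: this many suspicious writes in a window -> alert


@dataclass
class WriteEvent:
    ts: float       # seconds since the start of the capture
    path: str       # file that was written
    content: bytes  # bytes written to the file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed data,
    roughly 4 to 5 for ordinary English text, 0.0 for an empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(ev: WriteEvent) -> bool:
    """A write looks like ransomware output when the bytes are near-random and the
    file name carries a second extension (e.g. report.pdf -> report.pdf.locked)."""
    double_extension = ev.path.rsplit("/", 1)[-1].count(".") >= 2
    return double_extension and shannon_entropy(ev.content) >= HIGH_ENTROPY


def detect_bursts(events: List[WriteEvent]) -> List[float]:
    """Sliding window over suspicious writes. Returns the timestamp at which each
    burst first reaches BURST_THRESHOLD; one alert per burst, re-armed once the
    window drains below the threshold."""
    alerts: List[float] = []
    window: Deque[float] = deque()
    alerted = False
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev):
            continue
        window.append(ev.ts)
        while ev.ts - window[0] > WINDOW_SECONDS:  # drop writes older than the window
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            if not alerted:
                alerts.append(ev.ts)
                alerted = True
        else:
            alerted = False
    return alerts


def random_bytes(seed: int, n: int = 2048) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


TEXT = b"Minutes of the city council meeting. " * 60  # constructed plaintext


def sample_events() -> List[WriteEvent]:
    """Constructed capture: two ordinary edits, one lone high-entropy write, then a
    burst of eight files rewritten as ciphertext with a new '.locked' extension."""
    events = [
        WriteEvent(0.0, "/share/minutes.docx", TEXT),
        WriteEvent(5.0, "/share/budget.xlsx", TEXT),
        WriteEvent(30.0, "/share/photo.jpg.bak", random_bytes(1)),  # one-off, no alert
    ]
    for i in range(8):
        events.append(WriteEvent(120.0 + 2.0 * i, f"/share/doc{i}.pdf.locked", random_bytes(10 + i)))
    return events


if __name__ == "__main__":
    for ts in detect_bursts(sample_events()):
        print(f"ALERT: {BURST_THRESHOLD} encrypted-looking writes within {WINDOW_SECONDS:.0f}s at t={ts}")
```

Entropy alone is not enough (compressed archives and images are also near-random, which is why the lone `photo.jpg.bak` write does not alert); combining it with a rate and a file-name change keeps false positives down while still catching the mass-rewrite pattern early enough to isolate the host.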

Ransomware isn't limited to private companies; public medical infrastructure is a common target of these kinds of attacks. Some companies allow employees to work from home, and a single connection from an unprotected home device that unknowingly has spyware installed puts the company at risk. Outdated technology is another huge issue.

Public hospital systems operate on outdated technology with antiquated data protection software. Even third-party appointment-setting software can be targeted to gain access to private health care records and patient databases.

The risks of paying

Municipal governments rely on their IT systems to sustain operations on a daily basis. Losing access to a server or database can bring everything to a standstill and hurt the citizens who rely on government services. So in the event of a ransomware attack, it's understandable that the organization would seek to resolve the issue quickly, by whatever means necessary, to limit the damage.

In certain instances, paying the specified ransom to the hackers will end the attack right away. The criminals will unlock the files and give users full access again. But how can you guarantee that the hackers have left your network entirely? There's a good chance they will simply wait a few hours or days and then execute another attack to extort your organization for more money. Remember, they are criminals. It's what they do.

Plus, there is no way to be sure that a ransom payment will resolve the situation. The hackers may have other motives and might take the money without decrypting the files. In that case, the local government has wasted part of its budget and remains in the same mess as before. Trying to negotiate with cybercriminals is never a good tactic, as they will interpret it as desperation and use it against you.

Protection from the cloud

For municipal governments that operate their own data center, full responsibility during a ransomware attack sits with the IT team. But the trend in web hosting is towards content management systems and cloud-based SaaS providers, which means that security help in the aftermath of a ransomware attack will likely have to come from somewhere else. In choosing among web hosting providers, look for one that offers around-the-clock customer support, including recovery from incidents and cyberattacks.

After malware has been detected, the first thing cloud hosts will do is disconnect the affected hardware from the rest of your network. This keeps the scope of the ransomware limited, as hackers often build malware that spreads automatically and infects more machines.

If a hacker uses a common form of malware that has been seen before, there may actually be a known fix that the cloud host can implement. Sometimes it is as simple as applying a known decryption key to reverse the damage that the hackers have done to your systems.

The other place where cloud providers can add value is in diagnosing the root cause of the ransomware and recommending solutions to block attacks in the future. They will have a full view of your network and dependencies, as well as logs that might indicate how and when the hackers first infiltrated your systems. Investing in a robust firewall is a good preventative step to take, as it will monitor all incoming traffic.

Preparing for disaster

Before bringing any new IT system online and connecting it to the open internet, municipal governments need to ensure that their cybersecurity strategy is sound. That means having the right antivirus tools to prevent an outbreak of malware across the network and always using a VPN to unblock sites; by masking your location from hackers, a VPN also helps protect your systems from unwanted attacks.

But even if every precaution is taken, there is still the chance of hackers finding a vulnerability that was previously unknown. This is especially true in today's world, where municipal governments often use various third-party software applications from different developers. A single bug in one line of code could open a path for a ransomware attack.

Instituting disaster recovery planning is crucial for organizations of all sizes. It involves assigning roles and responsibilities to individuals in the event of a cyberattack or major outage. That way, people know how to respond and can start reacting right away instead of waiting to be told what to do.

Final thoughts

When a government employee clicks on a suspicious link or an email attachment, it opens up a world of dangerous possibilities. Many cybercriminals are focusing their efforts on ransomware schemes because of how easy they are to execute and the large financial gains they can bring.

From the municipal government point of view, paying a ransom for encrypted files is usually not the best idea. The data might never be unlocked and it's impossible to sue an anonymous hacker. Instead, plan ahead with regular system backups and intrusion detection systems so that you are better equipped to handle an attack.
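A backup is only a recovery option if you can prove it was intact before the incident and untouched by it. As an added example (not code from the original article), the script below records a SHA-256 manifest of a backup set, then verifies the set against that manifest and reports what is missing, modified or unexpected. The directory layout, file contents and the simulated damage are constructed inline; the manifest itself would in practice be kept offline, away from the systems that ransomware could reach.

```python
"""Added example (not from the original article): SHA-256 manifest for a backup
set and a verification pass that reports missing, modified and unexpected files.
All files and the simulated damage are constructed inside a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current state of root against a previously recorded manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a manifest of a clean backup, simulate ransomware-style
    damage (one file overwritten with ciphertext-like bytes, one deleted, one stray file
    dropped in), then verify. The manifest is round-tripped through JSON the way it
    would be when stored out of band."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "records").mkdir()
        (root / "records" / "permits.csv").write_text("id,owner\n1,city\n")
        (root / "records" / "taxes.csv").write_text("id,amount\n1,100\n")

        stored = json.dumps(build_manifest(root))  # stand-in for the offline copy

        (root / "records" / "taxes.csv").write_bytes(bytes(range(256)))  # overwritten
        (root / "records" / "permits.csv").unlink()                       # deleted
        (root / "stray.bin").write_bytes(b"\x00\x01\x02")                 # not in manifest

        return verify_backup(root, json.loads(stored))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>10}: {paths}")
```

Run the verification against the most recent backup set before restoring from it, and keep the manifest (or a signed copy of it) somewhere the production network cannot write to; a manifest that sits next to the backups can be encrypted or replaced along with them.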


About the Author: Sam Bocetta

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.
