When faced with a ransomware attack, the afflicted organization generally has two options to resolve the situation: restore its systems from data backups, or pay the ransom and hope the criminals will make good by decrypting the data. Some cities have spent millions trying to recover the data themselves, while others have simply paid up and tried to move on.
As you can probably imagine, it’s not a fun decision for any city mayor to have to make: either pay up and encourage the illegal behavior, or try to mend your systems from backups (assuming these backups exist and still work). At the recent 87th Annual Conference of U.S. Mayors, 1,400 elected officials decided to take a collective stand and pledged not to pay a ransom if their cities were attacked by ransomware.
For years, cybersecurity professionals have argued against paying ransoms in the wake of an attack, but many organizations have repeatedly found themselves without any other choice. In early 2018 Hancock Health Regional Hospital in Indiana suffered an attack from SamSam ransomware, the same kind responsible for digital devastation in Atlanta that cost the city almost $2.6 million.
What distinguishes this variant from other versions of ransomware is that SamSam isn’t typically deployed via a phishing email. Hackers using SamSam tend to deploy it after breaching the victim’s network via other means. With a strong foothold already inside the network, the attackers were able to access and delete Hancock Health’s backup files. With patients’ lives (and medical records) on the line, Hancock concluded they had little choice but to pay up to the tune of about $50,000.
While the U.S. Mayors’ promise is certainly admirable, officials need to back it up with action if their pledge is to have any real teeth. In an article posted to cybersecurity news site Dark Reading, Robert Lemos writes, “to really be ready for a ransomware attack, organizations must have the ability to quickly recover from backups.” An excellent example is the Barnstable Police Department of Cape Cod. Thanks to their well-tuned disaster recovery plan, the department eradicated a ransomware infection and completely restored afflicted systems within 40 minutes of the initial phishing attack.
Unfortunately for many cities, putting an effective disaster recovery system in place will require a significant investment of time, effort, and money. Following the incredibly costly attack in Atlanta, city officials voted to spend nearly $3 million to update and improve their IT infrastructure. Part of the problem is that there are so many systems to secure. As cities become more invested in internet-based services, attackers are presented with more opportunities to try and breach the city’s network. It will be interesting to see how these cities follow up on this pledge in the coming years.