Days after the U.S. Conference of Mayors passed a resolution opposing the payment of ransoms by cities following a ransomware attack La Porte County’s government has done the opposite after its files were encrypted. According to WSBT-TV, the municipality has paid a Bitcoin ransom worth approximately $130,000 to cyber attackers who encrypted its files.
At the current prices, this translates to about 11.3 Bitcoin. La Porte County will pay $30,000 while its insurer will pay the bulk of the ransom. The cybersecurity insurance policy was reportedly authorized last year.
FBI’s decryption software fails the test
The decision to pay the Bitcoin ransom was made after leaders of the municipality consulted FBI’s cyber experts and determined that the Bureau’s decryption software could not unlock the encrypted data.
The cyberattack occurred on July 6th and disabled the municipality’s computer network, website and email systems. The malware was identified as the Ryuk ransomware. According to malware support firm Coveware, Ryuk was the third-largest ransomware by market share in the first quarter of 2019 behind Dharma and GandCrab.
That the cyber attackers unleashed Ryuk ransomware on La Porte is in line with trends already established. According to the FBI, the Ryuk has had a ‘disproportionate impact’ on among others ‘small municipalities’.
Did La Porte do the right thing by paying the Bitcoin ransom?
La Porte’s decision to pay the ransom is similar to the action taken by Florida’s Riviera Beach City which forked out around 65 Bitcoins. However, FBI has strongly discouraged this in the past claiming that it is rewarding criminal behavior and that cybercriminals can’t be trusted to keep their end of the bargain:
The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. More importantly, paying the ransom does not guarantee that a victim’s files will be recovered.
Casting morals and ethics aside, La Porte may have made the right decision in paying the Bitcoin ransom from a cost perspective. Other local governments that have declined to pay the ransom have ended up incurring heavy costs.
Here’s why your accountant might want you to pay the Bitcoin ransom
For instance, the city of Baltimore, which hit headlines after a ransomware attack that crippled most services in May, declined to meet a ransom demand of 13 Bitcoins which at the time were worth around $76,000. However, it is estimated that the city will require to spend around $10 million in order to fully restore its computer network. The city is also estimated to have lost revenues amounting to approximately as a direct consequence of the ransomware attack.
Last year the city of Atlanta is estimated to have spent over $2.7 million in recovery efforts following a ransomware attack. The cybercriminals had been demanding Bitcoin valued at $50,000 at the time.
As previously stated, the problem with paying ransom is that it will make such cybercrimes even more lucrative and more attractive.
"Paying ransoms only gives incentive for more people to engage in this type of illegal behavior,” said Baltimore Mayor Jack Young. Baltimore didn't pay hackers but a number of other cities have. https://t.co/Um2aHnkcWN via @WSJ @jon_kamp
— Scott Calvert (@scottmcalvert) July 10, 2019
The best move though is neither paying nor refusing - it is taking preventive measures to ensure that a ransomware attack does not happen in the first place.