By Rachel Siegel | Washington Post
A saga that began with a municipal employee opening a corrupted email has forced a small Florida city to agree to pay nearly $600,000 to the hackers who paralyzed its computer systems – a cautionary tale for smaller governments whose security systems may also be unprepared for such an attack.
With Riviera Beach’s records held hostage, its city council voted unanimously to pay 65 bitcoin to the hackers – a tab that will be picked up by the city’s insurance carrier. For the past three weeks, city employees have not been able to access their emails, emergency dispatchers couldn’t log calls into computers, and workers and vendors had to be paid with paper checks. Even cops had to dig through closets at the police headquarters to find paper traffic citations, The Palm Beach Post reported.
Experts say the Florida case is just one example of how vulnerable municipalities are to ransomware attacks, and how much more common these hits have become. Compared to larger corporations or state-level governments, cities don’t necessarily have security measures in place to preempt cyber attacks. And a downed system could have serious effects on citizens who rely on city hall to carry out basic, if not life-saving services.
Speaking generally about attacks on local governments, Charles Carmakal, CTO of the cyber security services firm FireEye Mandiant, raised the prospect of residents not being able to get help in emergencies.
“Hackers have been able to encrypt systems and encrypt data that are essentially critical to these cities,” Carmakal said. “If people call 911 and can’t get ahold of them, it could potentially kill people.”
But preparedness requires planning, and for small governments, planning requires time. Hackers evolve and operate on much faster timelines that make it hard for cities to keep up, said Jake Williams, founder and president of Rendition Infosec, a cybersecurity firm.
“The attackers are obviously advancing at their own pace – they don’t work on annual budget cycles,” Williams said.
Though city spokeswoman Rose Anne Brown told the Associated Press there is no guarantee the city’s records will be returned after the hackers collect, outside security consultants said paying the ransom was the best approach. The culprits insisted the ransom be paid in bitcoin, a cryptocurrency that is difficult to trace.
Before the city council approved the ransom payment, it decided to spend nearly $1 million on new computers, hardware and other system upgrades.
“We are relying on [the consultants’] advice,” Brown told the AP. The city did not immediately respond to a request for comment Thursday morning.
Riviera Beach, a waterfront suburb of West Palm Beach, joins a growing list of ransomware victims, including governments and businesses. In May, Baltimore said it would not pay hackers $76,000 after its systems were attacked. The city is still trying to recover, and this week Gov. Larry Hogan, a Republican, appointed Maryland’s first statewide chief information security officer to help guard against cyber threats.
Two Iranians were indicted by the U.S. government last year after allegedly launching more than 200 ransomware attacks, including those that hit the cities of Atlanta and Newark. Those hackers collected more than $6 million in ransom and caused $30 million in damage to computer systems, authorities say.
The FBI would not comment specifically on the existence of any investigations. But the agency told The Post that 1,493 ransomware attacks were reported in 2018. Victims, including individuals, paid $3.6 million to hackers. That figure doesn’t include estimates for lost business, time, wages, equipment or services from a third party.
Williams said Riviera Beach’s $600,000 ransom was a comparably large payment, and that his firm typically negotiates payments down to about half that. Large sums of Bitcoin can be hard to secure in a hurry, in part because currency exchanges are wary of any sort of illegal activity. Plus, not all governments could lawfully pay an extortion fee, depending on their own legal charters.
The word “hacker” doesn’t conjure images of a friendly neighbor. But both Carmakal and Williams said reputable hackers will quickly hand back the encryption keys once a payment comes through. That often means that ransoms are the quickest and surest ticket to getting hacked data back under control – even with a bill as steep as Riviera Beach’s.
Williams even said that he’s watched attackers offer tips on how to keep similar hits from happening again.
“They’ll say ‘go and implement this control and turn off this,’” Williams said with a laugh. “We’re like, ‘thanks, buddy! Appreciate that.”