Lake City, Florida paid out a bitcoin ransom worth $460,000 to hackers who disabled the city’s computer systems with sophisticated ransomware last month, hot on the heels of a $600,000 ransom paid out in similar circumstances by Riviera Beach, Florida just weeks earlier. Now, as flagged from local media reports by ZDnet on Monday, the city has fired its director of information technology.
According to WCJB, city manager “Joe Helfenberg confirmed that the director of information technology, Brian Hawkins, was fired” as a result of the attack, which hit servers, email networks, and phone lines. Helfenberg “estimates that the city should make a full recovery from the attack in about two weeks,” WCJB wrote.
Lake City officials described the incident as a “triple threat,” according to ZDnet, and it has since been determined that an employee downloaded an infected document they had received via email. That set off a chain of events involving three separate malware variants sometimes used in concert in cyber attacks. The initial document carried the Emotet trojan, which installed itself and subsequently downloaded another trojan called TrickBot and the Ryuk ransomware. Ryuk then spread throughout city systems, locking them down and demanding a ransom. Only the police and fire department systems were spared as they were on a different server, according to the New York Times.
The Times reported that after several days of working with the FBI and security consultants to resolve the issue, city officials reluctantly determined that it would be cheaper and more effective to simply pay off the hackers. The city deemed the employee in question to have left city networks vulnerable to attack, but he was not the individual who downloaded the malicious attachment, the Times added.
Brett Callow, a spokesman with security firm Emsisoft, told Gizmodo via email that there was a “small chance they may have been able to save half a million bucks,” as researchers have figured out how to decrypt some versions of the ransomware involved. Callow said Emsisoft had success in decrypting Ryuk in “about 3 - 5% of cases” and growing using two free services: a site called ID Ransomware run by Emsisoft researcher Michael Gillespie in his spare time that identifies malware variants, and decrypting software available on their website.
Callow also noted that a prior investigation by ProPublica showed that some data recovery firms promising ransomware solutions ended up just paying the ransoms, adding that “This really highlights problems that the lack of communication and coordination between the private sector and US law enforcement can potentially cause.” Emsisoft has collaborated closely with Europol and the European Cybercrime Centre, Callow wrote, but its chief technical officer Fabian Wosar told ProPublica that in one incident the FBI had responded with basic questions that showed they were unfamiliar with ransomware on a technical level, and that the bureau had ignored what he said was a “very hot lead” on the developer of a ransomware variant named ACCDFISA.
“Our city manager did make a decision to terminate one employee, and he is revamping our whole IT department to comply with what we need to be able to overcome what happened this last week or so and that’s so it doesn’t happen again,” Lake City Mayor Stephen Witt said, according to WCJB. He added that the decryption key provided by the hackers appears to be working.
Paying the hackers is controversial because it almost certainly encourages further attacks, whether or not officials believe they have little choice in the matter. Sometimes, as occurred to a similarly afflicted Kansas hospital in 2016 that chose to pay the ransom, the hackers will simply attempt to extort more payments from the target.
“First of all, that money is then used to proliferate this activity,” FBI cyber crimes supervisory special agent Joel DeCapua told security firm Symantec last year. “You’re paying these bad actors to target other people. Second, organizations that pay a ransom think their problems are over. But a lot of times there’s a lot of nasty malware left on their systems that they don’t know about. You can pay, but there’s still malware on there, re-infecting the system or stealing information.”
Ransomware attacks on municipal systems have recently made big headlines, with estimates of such incidents in the U.S. running into the hundreds. In early June, Baltimore officials estimated the cost of an attack using the RobbinHood ransomware that hit around 10,000 city computers at $18 million and counting. (They declined to pay the ransom.) Officials with Georgia’s Judicial Council and Administrative Office of the Courts confirmed on Monday that their systems had been contaminated with ransomware, in what Ars Technica reported appears to be another Ryuk attack.
Correction/clarification: A prior version of this article stated that the New York Times cited Emsisoft as saying that security experts had “successfully unscrambled Ryuk ransomware in 3 to 5 percent of cases.” In fact, Emsisoft says that number reflects their own success rate. Additionally, this article has been updated with further comment from Emsisoft.