The leaders of Riviera Beach, Florida, this week voted to authorize a payment of $600,000 to criminals who crippled the city’s computer system after targeting its police department with ransomware.
“We are well on our way to restoring the city system,” a city spokeswoman told the New York Times.
The city was “paralyzed” after someone in its police department reportedly opened an infected email attachment. Malware quickly spread through its network, knocking the city’s operations offline. “Paychecks that were supposed to be direct-deposited to employee bank accounts instead had to be hand-printed by Finance Department staffers working overtime,” the Palm Beach Post reported.
The city’s decision to pay runs counter to some of the best advice offered by leading cybersecurity experts—not to mention the Federal Bureau of Investigation. Payments do not guarantee that access will ever be restored. One in five companies that choose to pay, in fact, never receive the promised key to decrypt their files. There’s also no guarantee a second attack won’t follow.
In 2016, a Kansas hospital paid an untold ransom only to find itself double-crossed. The criminals decided they wanted more money.
Payments only perpetuate a problem that has “gained rapid momentum,” according to Malwarebytes Labs, which reported a 195 percent increase in detections of ransomware between Q4 2018 and Q1 2019—a 500 percent increase from the previous year.
Whether payments lead to victims’ regaining access to their files or not, they also fuel future attacks. Riviera Beach’s cash will go to fund a criminal operation that, in all likelihood, will move on to target others. Its money may even go towards funding the development of more sophisticated malware.
The city’s decision will undoubtedly embolden the culprits, whose next target may suffer more than payroll delays. Hospitals and healthcare facilities, for instance, are becoming an increasingly popular target.
“You’re paying these bad actors to target other people,” an FBI agent last year told Symantec, a leading antivirus maker, whose advice on ransomware demands is simple: “Just say no.” But not everyone agrees.
“It’s too easy to pontificate and say ‘never pay’ when you’re not the one that has to try to recover from a devastating attack,” said Bob Rudis, chief data scientist at Rapid7. “If there is no backup at all of the data that has been obfuscated an organization may have little choice but to pay the ransom, regardless of the precedent that may set.”
Earlier this month, Riviera Beach authorized an additional $900,000 to purchase new computer hardware. But throwing money at the problem—which started with a poorly-trained office employee opening an email attachment they shouldn’t have—won’t necessarily solve anything.
Take the debt collection agency that sank $1 million into not only updating its computer systems but paying IT consultants to ensure its data security protocols reflected “current technological standards.” The company filed for bankruptcy this week after a data breach sent most of its clients running for the hills.
The security industry is, unfortunately, one plagued by snake-oil salesmen whose grandiose claims about making systems impervious to attack almost always prove fraudulent. Riviera Beach can pay the ransom, and maybe help fuel a flourishing criminal enterprise, but there’s no guarantee it won’t find itself in the same sticky spot tomorrow.