Florida City Votes to Pay Off Criminals Holding Computer Systems Hostage

Photo: AP

The leaders of Riviera Beach, Florida, this week voted to authorize a payment of $600,000 to criminals who crippled the city’s computer system after targeting its police department with ransomware.

“We are well on our way to restoring the city system,” a city spokeswoman told the New York Times.

The city was “paralyzed” after someone in its police department reportedly opened an infected email attachment. Malware quickly spread through its network, knocking the city’s operations offline. “Paychecks that were supposed to be direct-deposited to employee bank accounts instead had to be hand-printed by Finance Department staffers working overtime,” the Palm Beach Post reported.


The city’s decision to pay runs counter to some of the best advice offered by leading cybersecurity experts—not to mention the Federal Bureau of Investigation. Payments do not guarantee that access will ever be restored. One in five companies that choose to pay, in fact, never receive the promised key to decrypt their files. There’s also no guarantee a second attack won’t follow.

In 2016, a Kansas hospital paid an untold ransom only to find themselves being double-crossed. The criminals decided they wanted more money.

Payments only perpetuate a problem that has “gained rapid momentum,” according to Malwarebytes Labs, which reported a 195 percent increase in detections of ransomware between Q4 2018 and Q1 2019—a 500 percent increase from the previous year.


Whether payments lead to victims’ regaining access to their files or not, they also fuel future attacks. Riviera Beach’s cash will go to fund a criminal operation that, in all likelihood, will move on to target others. Its money may even go towards funding the development of more sophisticated malware.

The city’s decision will undoubtedly embolden the culprits, whose next target may suffer more than payroll delays. Hospitals and healthcare facilities, for instance, are becoming an increasingly popular target.


“You’re paying these bad actors to target other people,” an FBI agent last year told Symantec, a leading antivirus maker, whose advice on ransomware demands is simple: “Just say no.” But not everyone agrees.

“It’s too easy to pontificate and say ‘never pay’ when you’re not the one that has to try to recover from a devastating attack,” said Bob Rudis, chief data scientist at Rapid7. “If there is no backup at all of the data that has been obfuscated an organization may have little choice but to pay the ransom, regardless of the precedent that may set.”


Earlier this month, Riviera Beach authorized an additional $900,000 to purchase new computer hardware. But throwing money at the problem—which started with a poorly-trained office employee opening an email attachment they shouldn’t have—won’t necessarily solve anything.

Take the debt collection agency that sunk $1 million into not only updating its computer systems but paying IT consultants to ensure its data security protocols reflected “current technological standards.” The company filed for bankruptcy this week after a data breach sent most of its clients running for the hills.


The security industry is, unfortunately, one plagued by snake-oil salesmen whose grandiose claims about making systems impervious to attack almost always prove fraudulent. Riviera Beach can pay the ransom, and maybe help fuel a flourishing criminal enterprise, but there’s no guarantee it won’t find itself in the same sticky spot tomorrow.

Senior Reporter, Privacy & Security



1) OpenBSD

2) Follow Theo’s lockdown guidelines

3) Nginx, if you must have a web server

4) No opening holes in the Intranet firewall, no matter how convenient and no matter how trivial.

5) Background checks on all employees with access to anything more than the file and print server.

6) Restriction of JavaScript; in fact, don’t activate it on the browsers that can access the Internet. (Locked out of YouTube and your Fantasy sports sites? Boo hoo, poor you. We pay you to work.)

7) Deep packet inspection of all traffic going in AND out — look for zombies trying to reach chat channels and keyloggers reporting in.

8) Use Slack instead of email, and, yes, don’t use either one to transfer files. Put them in the server and grant minimum permissions. Log all access. Use a cron script to change all permissions to none-none-none during non-working hours.

9) No personal laptops connected to the network EVER and no copying files to work on them at home. You have eight hours every day. Learn to use them.

10) No Adobe products ever, no Microsoft, Oracle products only after they’ve been out for two years and been vetted and no “cloud” software.

11) AWS for offsite encrypted backup only.

12) So the OpenBSD desktop isn’t as “friendly” and “pretty” as Micro$hit? Get over yourself, snowflake.

13) Only install software and tools compiled under LLVM, NEVER GCC or ANY commercial C implementation.

14) Twelve character passwords with lower case, UPPER CASE, numbers and punctuation. No names, dates, dictionary words or letter/number sequences. Firing offense for sharing your password or using someone else’s.

15) Every few months, fire a veep, program manager or other “big shot” for trivial security violations, to make it clear that you’re Serious.

16) Personal email at work, even via webmail? First offense, a week’s suspension. Second offense, termination, lawsuit, blacklisting and prosecution.

Computer security is only hard for the lazy and dumb.
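The password rule in the comment above (twelve characters, four character classes, no names, dates, dictionary words or sequences) is concrete enough to turn into a checker. The following is an added example, not the commenter's code or anything from the article: the tiny word list is a constructed stand-in for a real dictionary and name list, and the date and sequence heuristics are my own assumptions about what the rule means.

```python
"""Password-policy checker modelled on the comment's twelve-character rule.

Checks implemented (an illustration, not the commenter's own tooling):
  * at least 12 characters
  * at least one lower-case letter, upper-case letter, digit and punctuation
  * no embedded dictionary word or name of 4+ letters (constructed word list)
  * no date-like substring such as 1999, 2019, 12/31 (assumed interpretation)
  * no run of 4+ consecutive letters or digits, ascending or descending
"""
import re
import string

# Constructed stand-in for a real dictionary and name list. A deployment
# would load a proper word list (e.g. /usr/share/dict/words) instead.
DICTIONARY = {"password", "riviera", "beach", "florida", "police", "summer",
              "welcome", "admin", "letmein", "secret", "dragon", "monkey"}

MIN_LENGTH = 12

# Four-digit years 1900-2099, or short numeric dates like 12/31 or 1-5.
DATE_RE = re.compile(r"(19|20)\d{2}|\b\d{1,2}[/\-.]\d{1,2}\b")


def has_all_classes(pw):
    """True if the password contains lower, upper, digit and punctuation."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def contains_dictionary_word(pw, words=DICTIONARY):
    """Case-insensitive substring match against words of four letters or more."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= 4)


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 in code-point
    order within a single class (all letters or all digits), e.g. abcd, 4321.
    Repeated characters (aaaa) are not treated as a sequence."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not has_all_classes(pw):
        problems.append("missing one of lower/upper/digit/punctuation")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word or name")
    if DATE_RE.search(pw):
        problems.append("contains a date-like sequence")
    if has_sequence(pw):
        problems.append("contains a letter/number sequence")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first passes, the others each break a rule.
    for candidate in ("Tr0ub4dor&3xQ", "Riviera2019!!", "abcd1234!!XY", "Short1!"):
        verdict = check_password(candidate)
        print("%-16s %s" % (candidate, "OK" if not verdict else "; ".join(verdict)))
```

The checker reports every rule a candidate breaks rather than stopping at the first, which is what a user-facing policy prompt needs. Substring matching against the word list is deliberately strict: "Riviera2019!!" fails on both the name and the year even though it satisfies the length and class rules.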