$5.3M Ransomware Demand: Massachusetts City Says No Thanks | Threatpost

After a ransomware attack slapped a hefty payout demand of $5.3 million on New Bedford, Mass., the city announced that it is instead opting to pick up the pieces and restore what it can from backups itself.

If the city had opted to pay, the payout would have been the largest known ransom payout for an attack yet.

New Bedford is a city outside of Boston with a population of 95,072 (making it the sixth-largest city in Massachusetts). The city was first infected on July 5, an incident it previously blamed on an unspecified virus. But speaking during a Wednesday press conference, New Bedford Mayor Jon Mitchell said that the attack had specifically dropped the infamous Ryuk ransomware, and that attackers had demanded a ransom of $5.3 million in Bitcoin.

“On Friday, July 5, 2019, the City of New Bedford’s Management Information Systems (MIS) staff identified and disrupted a computer virus attack, known as ransomware, in the early morning hours before city employees began the work day,” according to a New Bedford press release. “The city’s MIS department has now completely rebuilt the city’s server network, restored most software applications, and replaced all of the computer workstations that were found to be affected. The attack did not disrupt the city’s delivery of services to residents. The city’s MIS staff is now addressing the internal impact on city government.”

As a result of “a combination of luck, skill and the architecture of the system,” only about 4 percent (158 computers) of its computers were affected by the attack, said Mitchell.

The limited impact came down to three factors. First, after learning of the attack, the city was able to rapidly disconnect its servers and shut down systems. Second, the attack hit just after the July 4 holiday, so a large number of computers were powered off while the ransomware was attempting to spread. Third, officials said the city’s network was compartmentalized “to a certain degree,” making it harder for the malware to move between systems.
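The three factors above (segmentation, hosts that were powered off, and rapid isolation by responders) each shrink the set of hosts a self-spreading infection can reach. The following is an added example, not code from the article or from the city of New Bedford, that models that blast radius on a constructed inventory: host names, segment names and power state are all made up for illustration, and the model simplifies segmentation to "hosts in the same segment can reach each other, hosts in different segments cannot."

```python
"""Blast-radius model for a self-spreading infection (constructed example).

Shows how segmentation, powered-off hosts and responder isolation each reduce
the number of reachable hosts. Inventory and topology are made up.
"""
from collections import deque

# Constructed inventory: host -> (segment, powered_on). Names are illustrative.
INVENTORY = {
    "fire-admin-01": ("admin", True),
    "fire-admin-02": ("admin", True),
    "clerk-03": ("admin", False),       # switched off over the holiday
    "finance-01": ("finance", True),
    "finance-02": ("finance", False),   # switched off over the holiday
    "dispatch-01": ("dispatch", True),
    "dispatch-02": ("dispatch", True),
    "water-scada-01": ("water", True),
}


def reachable_hosts(inventory, seed, segmented=True, isolated=frozenset()):
    """Return the set of hosts an infection starting at `seed` could reach.

    A host is reachable only if it is powered on, has not been isolated by
    responders, and is adjacent to an already-infected host. In a flat network
    every online host is adjacent to every other; in a segmented network only
    hosts in the same segment are adjacent (hypothetical simplification with no
    inter-segment rules).
    """
    seg_of = {h: seg for h, (seg, _) in inventory.items()}
    online = {h for h, (_, on) in inventory.items() if on}
    if seed not in online or seed in isolated:
        return set()
    infected = {seed}
    queue = deque([seed])
    while queue:  # breadth-first spread over the adjacency rules above
        cur = queue.popleft()
        for nxt in online:
            if nxt in infected or nxt in isolated:
                continue
            if segmented and seg_of[nxt] != seg_of[cur]:
                continue
            infected.add(nxt)
            queue.append(nxt)
    return infected


def blast_radius_pct(inventory, seed, **kwargs):
    """Share of the whole inventory the infection reaches, as a percentage."""
    return 100.0 * len(reachable_hosts(inventory, seed, **kwargs)) / len(inventory)


if __name__ == "__main__":
    seed = "fire-admin-01"
    print("flat network:      %5.1f%%" % blast_radius_pct(INVENTORY, seed, segmented=False))
    print("segmented:         %5.1f%%" % blast_radius_pct(INVENTORY, seed))
    print("segmented+isolate: %5.1f%%" % blast_radius_pct(
        INVENTORY, seed, isolated=frozenset({"fire-admin-02"})))
```

Running it shows the same ordering the article describes: the flat network loses every powered-on host (six of eight here), segmentation confines the infection to the seed's own segment, and isolating the one other online host in that segment reduces the radius to the seed alone. The powered-off hosts are never reached in any configuration, which is the holiday effect officials credited.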

Impacted computers include those used by the fire department for administrative purposes. However, the emergency dispatch system and municipal services (such as schools, water and wastewater plants) were not impacted. The city’s financial management system was temporarily placed out of service but was quickly brought back online.

Attackers demanded a Bitcoin payment of $5.3 million, far surpassing one of the largest ransoms previously known to have been demanded: In 2017, a South Korean web host paid the equivalent of $1 million after a ransomware attack that hit 153 Linux servers and locked up more than 3,000 websites.

The city first made a counter-offer of $400,000, which was rejected by the attacker. Mitchell said that this cost would have been covered by the city’s insurance provider (insurers covering ransomware payments is an increasingly common arrangement).

“The city was thus faced with the question of whether a task of restoring the computer system without obtaining a decryption key might justify a response to the ransomware,” said Mitchell. “While I am generally averse to engaging in negotiations of this kind I concluded it would be irresponsible to dismiss the possibility of obtaining a decryption key if the insurance coverage would cover the full cost of the ransom pay.”

However, after the city’s counter-offer was rejected, Mitchell said that city officials are now working to restore the systems themselves. It is unknown how much has actually been recovered and restored at this time; the mayor did not respond to a request for comment from Threatpost regarding how much was backed up and how the initial ransomware infection first occurred.

“The city is taking several actions going forward,” according to the press release. “Systems will continue to be restored while keeping all essential services operating seamlessly; the city has continued to deliver those services since the attack.”

The Ryuk ransomware has raked in $3.7 million in bitcoin payments since it first appeared last August, researchers say – and has emerged as the calling card for a crime organization called Grim Spider (although attribution in this specific incident has not been determined).

“The specific virus was a variant of the Ryuk virus, a ransomware virus whose purpose is the financial extortion of a computer network’s operator – in this case, the City of New Bedford,” according to the city’s release. “Ryuk has been implicated in attacks on government, education and private sector networks around the nation and the world. These attacks have escalated in their frequency, their technical sophistication, and the size of the ransom demands in exchange for the decryption key.”

Indeed, ransomware attacks specifically against city and local governments continue to make headlines.

In June, two Florida cities – Lake City and Riviera Beach – were both hit by ransomware attacks and decided to pay off the hackers. And, after a rash of public schools were hit with ransomware in July, Louisiana’s governor declared a statewide state of emergency. The city of Baltimore, meanwhile, is another high-profile recent victim of ransomware, which hit in May and halted some city services such as water bills and permits, with attackers demanding a $76,000 ransom. And in 2018, several Atlanta city systems were infamously crippled after a ransomware attack extorted the municipality for $51,000.

In August, 22 Texas entities – the majority of which were local governments – were hit by a ransomware attack that Texas officials say is part of a targeted attack launched by a single threat actor.