City Pays $2K in Ransomware, Stirs ‘Never Pay’ Debate

The city of West Haven, Conn. made the hard choice to pay cyberattackers a $2,000 ransom after being hit with malware that ground their operations to a halt.

West Haven said that its City Hall offices were the victim of a ransomware attack, and that the U.S. Department of Homeland Security determined originated from outside the United States. According to Mayor Nancy Rossi, the attack disabled 23 servers on Tuesday last week – after which officials decided to pay the $2,000 asking fee to unlock the servers, paid in Bitcoin.

“The attack occurred between 2:49 p.m. and 3:16 a.m. Tuesday,” Rossi said in a statement. “The city’s information technology manager David W. Richards notified [the mayor’s office], local police and federal authorities.”

She added, “The data restoration of a critical system occurred shortly after the completion of that transaction.”

The decision to pay stands in stark contrast to the recent attack on The Onslow Water and Sewer Authority (ONWASA). In that attack, which occurred last week, authorities said a “sophisticated ransomware attack… left the utility with limited computer capabilities.” An investigation showed that it was first infected with the Emotet virus, which in turn downloaded the RYUK ransomware, which locked up its systems.

ONWASA said that it received one email from the cybercriminals, who are also thought to be based in an unspecified foreign country. It didn’t say how much the ransom demand was for, but it opted not to pay. Instead, a team of local, state and federal agencies are cooperating to restore the utility, the company said.

Ransomware is often used as a cover for other criminal activities. For example, adversaries may use the attack as a distraction to make copies of the data it encrypted. Or, a criminal may leave a backdoor on the system. In both of these recent cases, the organizations say they believe their data is safe.

The two incidents seem to be part of a spike against municipal targets by ransomware criminals. On Oct. 17, the city of Muscatine, Iowa said its financial and other servers were hit with ransomware; scant details available include that the city’s IT staff is attempting to “isolate the problem servers” and get things back online. Also, the Indiana National Guard said that a server with the personal information of both civilian and military personnel was locked up by ransomware. No further details on that attack are yet available, but the Guard doesn’t think it was a targeted attack.

To Pay or Not to Pay?

Clearly, the decision not to pay or not to pay has to do with individual circumstance: “Any business unit, private, public or government, needs to evaluate and determine their ‘hourly down rate,’” Thomas Pore, director of IT and services for Plixer, told Threatpost. “Essentially, how much does it cost the organization to be down if an event like ransomware takes place? Understanding the business impact will help decision makers implement strategic solutions to overcome incidents such as this.”

He added, “Municipal offices are seen as target rich environments. Very often they operate with limited IT budgets, are understaffed and lack security technologies that are prevalent in enterprise businesses.”

Conventional wisdom and most security experts say that paying the ransom is the last thing an organization should do, as it simply perpetuates the cycle of attacks.

“Victims of ransomware should refrain from paying any ransom unless it is a life-or-death situation,” Joseph Carson, chief security scientist at Thycotic, told Threatpost. “Paying cybercriminals will only enrich them and encourage them to create new malicious software that can be used on a larger scale, resulting in further critical infrastructure and services being affected. Organizations should never be in a position where paying a ransom is the only remaining option. Not having sufficient backup is a poor cybersecurity practice today.”

However, the reality is that for the city of West Haven, and similar entities like small- and medium-sized businesses and even large enterprises, paying the ransom may be the only viable option if they want their data back, if they don’t have the means by which to back up their data effectively. As Dan Dearing, senior director of product marketing at Pulse Secure, told Threatpost, a proactive approach is often beyond the means of under-resourced IT teams.

“For the unlucky IT teams that are successfully targeted, a brute-force response is to take their network off the grid and rebuild their servers with backups,” he explained. “That assumes they have current backups and their business or service can tolerate the downtime. Perhaps that’s why West Haven and others choose the unsavory but easier route of just paying the ransom.”

The upshot is that those with appropriate data-backup procedures in place have recourse; those that don’t are faced with the options of paying up, hoping a security consultant can find a way to decrypt (and paying them for that privilege), or losing their data. Fortunately for Onslow Water and Sewer Authority, they had a choice because they had a working disaster-recovery plan.

There’s also a concern about whether criminals will actually decrypt files after receiving payment – it could be a bait and switch. “Less than half of victims get their data back after paying, either because the attack is designed to be irreversible, or because of a technical failure,” said Oliver Münchow, security evangelist at Lucy Security. “On the other hand, you or your organization might even become a more popular target in the future as the word spreads that you paid the ransomware. But hopefully you are better prepared with backups next time.”

However, Adam Laub, senior vice president of product marketing at STEALTHbits Technologies, told Threatpost that criminals would soon run out of takers if they went back on the promise to decrypt.

“As crazy as it sounds, the whole ransomware phenomenon relies on trust,” he said. “If attackers threaten to destroy your data if you don’t pay the ransom, but still destroy the data when you do, then the whole system falls apart. Attackers know this, which is why they both continue to leverage ransomware and provide the decryption keys when the ransom is paid.”

If one finds oneself in a situation where dealing with the ransom is the only option, Münchow offered some tips for dealing with cyberattackers.

“Most hackers just want money, so there’s little room for negotiation. Only if you come to the conclusion that no deal is worse than paying the ransom, start communicating,” he told us. “There are some rules: Stay calm. The last thing you want to do is annoy the hacker. Try to keep it professional. Be quick. To avoid being tracked down, the hacker will try to communicate as little and as fast as possible.”

He also added that try to get a better deal is not unheard of.

“Tell the hacker that you are willing to pay, but not the amount they ask,” he said. “It is normal to ask for a different price, and most victims in the end never pay the full price if they decide so. Try to aim at a third of the initial ransom and settle at half if possible.”