Mayors across the US met at the beginning of July for the 87th annual US Conference of Mayors in Honolulu. Compared with other conferences, however, this one has received quite a bit more coverage. The group of over 1,400 mayors (from cities with over 30,000 citizens) signed a resolution against paying ransoms to cybercriminals who hold their data hostage. Why now? The Conference came right after three successful ransomware attacks on three Florida cities, all of which happened in quick succession. Two of the three cities decided to pay their ransom demands, paying a combined total of about $1.1 million. The conference also came in the wake of a larger-scale attack on the city of Baltimore only a couple of months prior.
Since 2013, the US has witnessed over 170 ransomware attacks on government institutions. In 2019 alone, there have been over 27 attacks so far, which puts us well on our way to a new record. Not only that, but experts suspect that the reported attacks account for far fewer than the actual number of cities experiencing attacks. Supervisory Special Agent Joel DeCapua of the FBI’s Cyber Division said to Vice News, “I do think that we are seeing less than half of the actual cases, and it may be significantly less.”
One of the reasons behind this pact is the logic that paying ransoms enables cybercriminals to continue their malicious activities. It is also suspected that paying a ransom makes the organization a larger target for future attacks. Why? Paying a ransom indicates to hackers that your information is too valuable for your organization to lose, and it shows them that you do not have adequate security plans in place to thwart them. They take note, sharing that on the dark web, says Or even more obvious, it shows the hacker you are willing to play with them! It’s like showing them all your cards (or just giving them your cards), and then not expecting them to win the game.
The mayors also cited the expensive recovery from ransomware attacks as a reason against paying ransoms. The logic behind this argument is similar to the previous one: those paying the ransoms are giving attackers the resources to attack again, which only feeds the growing trend of ransomware attacks.
Those who decide against paying the ransom are affected even more, paying millions of dollars to recover. Baltimore City has definitely had it the worst this year since getting hacked in May. The city decided against paying the ransom of 13 bitcoin, or about $76,000, and instead opted for the long process of recovery, which ended up costing over $18 million ($8 million estimated from lost revenue and $10 million for repairs). It also took a couple of months for Baltimore to come back online; just recently the city announced it will not be able to send citizens their water bills until August, possibly later.
Moving forward, it will be interesting to see how this new promise will affect the number of ransomware attacks, and whether other industries and government organizations will follow suit by pledging to say no to ransoms. However, until cyber security vulnerabilities are given adequate attention and resources earlier on in development, ransomware will continue to be an issue for all industries, including government.