
When it Comes to Ransomware Demands, Just say No

While some targets have paid to get back their data, experts say most victims continue to reject extortion demands

When Dave Richards learned cyber hackers had locked down 23 of his municipal servers in West Haven, Connecticut, on October 16, he quickly notified his bosses in the mayor’s office and took the usual steps of calling in state and local police and the Department of Homeland Security.

The criminals, who were operating from overseas, were demanding a ransom to restore the city’s access to what the city deemed “critical” networks. Richards, the city’s information technology manager, along with Mayor Nancy Rossi, and local police IT experts, agreed that the best course of action was to pay the hackers a $2,000 ransom in bitcoin to unlock the servers.

Three weeks later, Richards is still cleaning up the malware mess. “We’ve got the FBI and the DHS in here still finding things,” he said. “It’s an ongoing investigation. We’re still rebuilding.”

Security experts and law enforcement agencies have a rule when ransomware hackers try to extort money from companies, municipalities, utilities, hospitals, or individuals: Don’t pay.

“First of all, that money is then used to proliferate this activity,” says Joel DeCapua, the supervisory special agent for the FBI’s cyber crimes division. “You’re paying these bad actors to target other people. Second, organizations that pay a ransom think their problems are over. But a lot of times there’s a lot of nasty malware left on their systems that they don’t know about. You can pay, but there’s still malware on there, re-infecting the system or stealing information.”

In 2017, the FBI received 1,783 complaints of ransomware attacks. That figure belies the overall problem and most likely reflects only the organizations (like hospitals) required by law to report such incursions. Actual ransomware detections stood at 1,242 per day that year, according to Symantec. In the complaints filed with the FBI, victims reported $2.3 million in total losses. That figure, says the FBI, could include not only ransoms paid, but remediation and downtime costs.


Again, that’s only the figure officially reported to authorities. Neither the FBI nor industry experts keep a tally on how many victims pay versus those who don’t. However, DeCapua says that through the FBI’s relationships with IT security firms sent in to mop up after an attack, “we hear anecdotally that too many victims elect to just pay the ransom and hope for the best.”

The decision to pay comes down to a couple of key issues. One is whether the victim has sufficiently backed up their system and their files and, more crucially, whether they’ve run tests to determine that those backups will work when they need them. (Organizations often fail to do this because testing requires downtime, and that hurts bottom-line productivity.)

The second issue is arguably more pressing: financial calculation. System downtime is costly. So are idled workers. And so is brute-force rebuilding from backups. It’s far more expedient, especially if your backups are out of date, to pony up. “For their own wallet, companies and cities will decide to pay,” says Kevin Haley, director of product management for Symantec Security Response. “It’s a phenomenal cost for some victims to recover their files. It shouldn’t be a mystery to anyone if they haven’t figured out how to recover from a crisis like this.”

Those concerns weighed on West Haven’s pay-the-hackers decision. Though the city didn’t originally want to offer up the money, officials looked at other municipalities that hadn’t paid ransomware hackers and didn’t like the price tags they saw.

For example, this past March, ransomware attackers hit the city of Atlanta with the SamSam encryption virus, crippling the city’s computer systems and demanding a ransom. West Haven officials apparently had that experience in mind when they chose to hand over $2,000 to hackers. “Atlanta didn’t pay” when it was attacked, West Haven’s Corporation Counsel Lee Tiernan explained to the New Haven Register shortly after the payoff. “They [the hackers] wanted $57,000.”

But “$3 million later, they’re still trying to clean it up.” In fact, Atlanta, which had been criticized prior to the attack for not upgrading its IT infrastructure, could end up paying as much as $17 million in contracts and costs associated with the attack, according to the Atlanta Journal-Constitution.

Don’t Bet on Good Intentions of Cyber Criminals

Despite the associated costs of re-building from backups, the FBI and security industry analysts say the trend is toward not giving in to extortion demands.

“More and more people are not paying,” said Symantec’s Kevin Haley.

In fact, just three days before the West Haven attack, hackers deploying the malware EMOTET launched a virus known as RYUK against the Onslow Water and Sewer in North Carolina. Instead of paying the ransom demands, the utility set about rebuilding their system from backups. Their reasoning, said utility officials in a statement: Any ransom monies “would be used to fund criminal, and perhaps terrorist activities in other countries. Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks. ONWASA will not negotiate with criminals nor bow to their demands.”

Even if they had paid a ransom, as did West Haven, DeCapua says there’s never a guarantee a victim will get their files restored, and that is perhaps the biggest reason not to do business with hackers.

“These guys are criminals,” he says. “You can’t rely on them to just keep their promise. And a lot of them are not technically sophisticated. They just don’t know how their virus is going to affect different operating systems. We’ve seen instances where a victim pays the ransom but because of the hackers’ incompetence they’re not able to decrypt the computer.”


About the Author

P.K. Gray

Journalist

P.K. Gray is a freelance technology writer covering the security and energy industries.
