The city council in Riviera Beach, Florida, voted this week to pay nearly $600,000 to hackers who crippled the city’s computer systems with a ransomware attack.
Riviera Beach’s payment is the largest publicly reported ransom a government has paid hackers this year, topping the $400,000 paid in March by Jackson County, Georgia. In exchange, Riviera Beach received a decryption key to restore its networks and devices.
The attack began May 29 when an employee in the 35,000-resident city’s police department opened an email containing a piece of malware, according to the Palm Beach Post. The virus quickly spread throughout the municipal government, disabling the city’s official website, municipal employees’ emails, voice-over-internet-protocol phones and the local water utility’s ability to take online payments. It also forced workers in the city’s 911 dispatch center to record caller information on paper.
The city’s leaders were presented with a demand for 65 bitcoins, equal to about $594,000 at the time they approved the payment.
Officials investigating the attack, who include those from the FBI, U.S. Secret Service and Department of Homeland Security, have not identified the type of malware that disabled Riviera Beach’s systems. But Allan Liska of the cybersecurity research firm Recorded Future said Riviera Beach’s experience looks similar to an attack in March on Jackson County, in which a fairly sophisticated ransomware strain known as Ryuk was used.
“This attack has all of the hallmarks of recent ransomware attacks against state and local governments,” Liska said. “It appears to be an advanced cybercriminal team that took the time to study the network and determine how to inflict maximum damage on the city, increasing the chances that the ransom will get paid.”
Liska said that while most ransomware that finds entry via phishing attacks stops at a single system, Ryuk attempts to propagate across the entire enterprise. Ryuk is also often paired with Emotet, a Trojan horse virus that downloads other viruses, making the ransomware infection much broader, according to Duo Security.
And research published in February by McAfee and Coveware reported that Ryuk often asks for much more money than other ransomware attacks. The RobbinHood virus that infected Baltimore last month, for instance, asked for 13 bitcoins, currently valued around $121,000.
Ryuk was also used in recent attacks against Stuart, Florida, and Imperial County, California. Imperial County refused to pay a $1.2 million demand, but has spent more than $1.6 million to rebuild its systems, officials there told the Wall Street Journal. Law enforcement agencies recommend that ransomware victims do not satisfy their hackers’ demands, because there’s no guarantee their systems actually will be decrypted, but victims do sometimes pay up.
According to the Palm Beach Post, the Riviera Beach City Council voted to have its insurance company negotiate a payment after just two minutes of discussion.
Riviera Beach’s full cost of recovery will be much more than the $600,000 ransom payment. On June 4, a week after the attack was initially detected, the city council approved nearly $1 million in new IT spending to purchase new equipment, including 310 desktops and 90 laptops, to replace devices affected by the ransomware and upgrade its network architecture.
Liska said the extent of the ransomware attack likely left the city facing steep expenses and pressure to satisfy the hackers’ demands in order to get government services working again.
“While it is always difficult to make the decision to pay the ransom, when constituent services are disrupted to the point that the city cannot function effectively, which it sounds like was the case here, sometimes cities do not have a choice,” he said. “The town of Riviera Beach still has a long and expensive road to recovery getting files restored and ensuring security procedures are in place to prevent this type of attack from happening again.”