The hackers behind the Ryuk ransomware that’s extorted several local governments across the United States for six-figure payments this year might have gotten a bit too hungry in July when they went after New Bedford, Massachusetts, for more than $5 million, but came away empty-handed when the city elected to restore its systems internally, the city’s mayor, Jon Mitchell, said Wednesday.
Mitchell said at a press conference that New Bedford, a city of 95,000 about 60 miles south of Boston, had its computer systems infected by the Ryuk malware on July 5 and was met with a note asking for the equivalent of about $5.3 million in bitcoin. Had that sum been paid, it would’ve shattered the record for biggest ransomware payment, set in 2017 by a South Korean web-hosting firm that paid $1 million to get rid of the WannaCry virus.
At first, Mitchell said he attempted to negotiate with the Ryuk hackers through an email address left on the ransom note, countering with $400,000, which he said would have been “consistent with ransoms paid recently by other municipalities.” Since March, Ryuk has collected $400,000 from rural Jackson County, Georgia; nearly $600,000 from Riviera Beach, Florida; $490,000 from Lake City, Florida; $130,000 from LaPorte County, Indiana; and $100,000 from the public school district in Rockville Centre, New York.
Mitchell also said his $400,000 offer would’ve been covered under the $1 million cyber insurance policy New Bedford purchased in 2016, but the hackers rejected the city outright.
“While I am generally averse to engaging in negotiations of this kind, I concluded it would be irresponsible to dismiss out of hand the possibility to obtain a decryption key if the insurance would cover the full cost of ransom,” Mitchell said.
With the counteroffer rejected, the task of fixing New Bedford’s affected computer systems fell to the city’s Management Information Services agency, which Mitchell said has spent the last two months replacing or restoring 158 infected computers. The attack was also relatively limited in scope, affecting just 4 percent of the city government’s 3,532 computers, which Mitchell chalked up to a combination of luck — at the time of attack, most devices were still turned off for the July 4 holiday — and an IT architecture that compartmentalizes several key city departments, including police, schools and utilities.
As a result, Mitchell said, the attack was limited to a handful of internal administrative systems and did not disrupt any public services.
The Standard-Times newspaper reported that New Bedford officials initially said in July that the city had experienced an unspecified cyberattack, but only revealed Wednesday that it was ransomware. Many local governments that experience ransomware attacks withhold details, citing the advice of cybersecurity consultants or federal officials assisting with ongoing criminal investigations. Mitchell said New Bedford hired outside counsel specializing in data privacy and a forensic firm to investigate the July attack. The attack was also relayed to the FBI’s Cyber division.
“Based on the advice of cybersecurity experts we refrained from providing specifics about the nature of the cyberattack,” he said.
Mitchell credited the Management Information Services agency and the city’s IT director, Maria Pina-Rocha, with “quick decisions” and “smart action” to identify the Ryuk malware before it spread more widely. Along with replacing the affected devices, New Bedford’s IT staff have rebuilt the city’s server network and implemented new security tools such as endpoint protection software. The mayor did not say how much the repairs and new purchases have cost, but he said they were covered under the city’s cyber insurance policy.
Still, Mitchell’s concession that he initially considered paying a ransom, if not the full $5.3 million demand, is a reminder that ransomware is a worsening problem for local governments, and that victims who pay up make hackers hungry for bigger scores.
“Substantial ransom payments — in some cases exceeding $100,000, funded wholly or in part by insurance policies — are a strong incentive for bad actors to continue using ransomware to target public entities,” said Adam Meyers, the vice president for intelligence at the cybersecurity firm CrowdStrike, which last week reported an uptick in activity from a Russian criminal hacker group known for designing a trojan-horse virus that often acts in concert with Ryuk.
“However, paying the ransom doesn’t solve the problem,” Meyers said. “It encourages it.”