City

The ransomware dilemma: Pay up or fight back?

As the City of Atlanta copes with the consequences of not paying its attackers, other municipalities reflect on how they dealt with one of local government's most dreaded scenarios.

By Mark Satter

April 4, 2018

Local governments across the United States are increasingly faced with a difficult decision after being hacked: Should they pay the ransom or not?

The City of Atlanta was recently forced to answer that question. The deadline set by cyber-extortionists to regain control of Atlanta’s computer systems by paying $51,000 in bitcoin passed on March 28. As of today, many of the city’s computer systems remain offline.

But in other parts of the country, municipal government officials have paid the ransom. The difference in approach to ransomware attacks is often a function of preparation.

In October 2017, the small, affluent town of Yarrow Point, Washington, saw its computer systems locked, and hackers demanded nearly $10,000 in ransom, paid in bitcoin, to unlock them. The mayor’s office decided to pay it.

“It’s all risk management, and a make versus buy decision,” said Yarrow Point Mayor Richard Cahill. “We followed a very strict protocol when deciding how to act and had the assistance of our insurance provider. In the end, our liability was limited by our deductible and we paid the ransom.”

Since the attack, the town has been backing up all of its data on remote servers that it controls, and allocating more funds to cybersecurity. If struck by ransomware again, Yarrow Point will be able to use its backed up data to quickly recover and move on.

“We expect that if this were to happen again, we will not need to pay a ransom a second time,” said Cahill.

Other places were better prepared for a cyberattack. In Licking County, Ohio, a municipality of nearly 200,000 just east of Columbus, a ransomware attack in February 2017 grabbed more than 60 of the county’s 100 network servers and began encrypting files.

The hackers, thought to be operating from Eastern Europe, demanded $50,000 in bitcoin.

“We asked ourselves: Could we trust offshore criminals to keep their word? And if so, were we willing to pay them?” said Licking County Commissioner Tim Bubb. “The answers were no and no.”

The attack came on a weeknight, Bubb said, so his team was able to react quickly.

“We shut down our network and isolated the affected servers to control the damage before immediately going through an assessment process for the rest,” Bubb said.

With the help of cybersecurity firm Sylint, county officials were able to understand the extent of the attack and confirm that their backups had not been affected. It took two weeks to get Licking County’s network working again, and the server had to be rebuilt with new hard drives and a more advanced firewall. In total, it took roughly four months for the county to completely recover.

“We probably spent as much in overtime as we would have had we paid the ransom, but to us it was worth it to know that the hackers were completely out of our systems,” said Bubb.

Though some have been able to mitigate the damage done by ransomware attacks, the City of Atlanta is still struggling to regain control of its computer systems. A lack of preparation and, as mayor Keisha Lance Bottoms admitted, not making cybersecurity a priority, could haunt Atlanta for months to come.