Officials in Valdez, Alaska, admitted earlier this month that they paid off hackers to regain access to municipal computer systems that were crippled in July by a ransomware attack. The city of just 4,000 gave its attackers four bitcoins, worth $26,624 at the time of the payment, in exchange for a decryption key that unlocked the systems affected by the cyberattack.
In a press release posted Nov. 13 to Valdez’s Facebook page, City Manager Elke Doom said she approved the payment after consulting with a cybersecurity firm in Virginia, which negotiated with the hackers as a third party. She didn’t name the company that assisted the town.
Despite guidance from the FBI and other federal authorities that ransomware victims should never pay up, Doom said Valdez’s decision to pay was made in “careful consideration of the best interests of the city.” The decision to pay off its cyberattackers puts Valdez in the minority of publicly known government ransomware victims. A few other small communities have acknowledged paying ransoms, including Yarrow Point, Washington and West Hartford, Connecticut.
Valdez city workers first noticed the ransomware affecting their systems on July 27, when it encrypted all data stored on city networks. The virus, known as Hermes, froze 27 servers and 170 personal computers. It also rendered the city employees’ email system inoperable, forcing information technology personnel to set up a new email server. Other systems, including the city government’s phone network and access to cloud storage, were not impacted.
The city required a demonstration that the decryption key would not in fact bring a second infection of its computer systems, Doom said in the Facebook post. The decryption tool was then used over a period of “several weeks” to regain access to its files, which included several years’ worth of police records.
While city officials said there is no evidence any user’s or resident’s data was stolen in the attack, the city is keeping its files in “quarantine” since they’ve been decrypted. Some agencies’ critical computer functions are still unavailable, including the system that registers workers at the city’s shipping terminal and processes bills for Valdez’s ports and harbors. Those systems are not expected to be fully restored until early 2019.
But for some ransomware targets, agreeing to the hackers’ demands is the best option, said Bill Siegel, the founder of Coveware, a firm that acts as an intermediary between ransomware perpetrators and their victims. (Coveware was not involved in Valdez’s recovery.)
“I think for a town, the amount of time needed to recover may be so crippling and they make a decision as unpalatable as it is,” Siegel told StateScoop. “You never know what’s been encrypted. What if the emergency systems had been encrypted?”
‘A complicated decision’
The Valdez attack also occurred within days of an even more devastating ransomware incident in Alaska’s Matanuska-Susitna Borough, about 250 miles north near Anchorage, where a complex virus knocked out so many government systems that workers resorted to dusting off typewriters and recording activities, including library loans and landfill transactions, by hand.
The Mat-Su Borough, as locals call it, has refused to pay its attackers a ransom close to $400,000, despite having to rebuild many government systems from scratch, including land-line phones, online payments and even the card-swipe mechanisms used to open doors at borough government buildings. (The doors themselves continued to open the old-fashioned way.)
Coveware deals mostly with businesses stung by ransomware, advising its clients to pay if there is no other way to recover from catastrophic, possibly bankruptcy-inducing data losses. But for governments, the decision to pay up can be motivated by comparing the figure on the ransom note to the potential cost of manually rebuilding affected systems, Siegel said. He pointed to Atlanta, where many of the city government’s computer systems were taken down in March by the ransomware variant SamSam. While the hackers behind that attack requested a bitcoin payment equal to about $50,000, which the city refused to pay, Atlanta’s total costs of recovering could eventually reach $17 million.
“It’s a complicated decision for governments, but at the end of the day they make a practical decision,” Siegel said. “I think people look at it pretty rationally.”
Siegel said that in a ransomware settlement, a firm like his will first advise a client to try to recover lost data without paying. If that’s not possible, the consultants will contact the hackers and begin negotiating, which includes asking for proof of a working decryption key like the one the Virginia firm secured for Valdez.
Still, Siegel conceded there’s no way to make sure a ransomware victim that agrees to pay won’t get bamboozled in the exchange.
“There’s no way to guarantee decryption,” he said. “The only thing you can rely on is your own data and the hacker’s history. If you look at the data, we have historical payments and success rates.”
On its website, Coveware boasts success rates of at least 98 percent for recovering client data from several ransomware strains, including SamSam. Valdez may have gotten lucky, then. According to Siegel, the virus that struck the Alaska city, Hermes, “is one of the worst in terms of data recovery.”