Jackson County, Georgia. Riviera City and Lake City, Florida. When ransomware came knocking for these municipal networks, officials ponied up the money—to the tune of nearly $1.5 million—to recover from the infection ravaging their systems. But no more: as attackers lob more ransomware against municipalities, mayors from around the country pledged to not meet ransom demands.
"NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach," the mayors wrote in a resolution adopted at the 87th annual meeting of the US Conference of Mayors.
The resolution, which was adopted unanimously by 1,400 mayors representing cities with a population of over 30,000, is not legally binding, but will likely be used by mayors to explain what they are doing incase of a ransomware attack against city networks. At least 170 county, city, or state government systems have experienced a ransomware attack since 2013—and 2019 has already seen 22 attacks, the conference said.
The resolution is in line with recommendations from federal authorities, including the Federal Bureau of Investigation and the Department of Homeland Security. Paying the ransom give criminals incentive to attak more, and also finances future criminal operations.
"Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit," said the Opposing Payment To Ransomeware Attack Perpetrators resolution. The mayors are interested in “de-incentivizing these attacks [ransomware infections] to prevent further harm.”
"The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach."
Riviera City paid 65 bitcoins, or approximately $600,000, and Lake City paid 43 bitcoins, or roughly $460,000. Jackson County paid $400,000, which at the time was around 100 bitcoins.
Not everyone pays. Last year, Atlanta declined to pay the $51,000 ransom, but paid dearly for that principled decision: the damage has been estimated to cost $17 million.
Similarly, when Baltimore’s IT network was crippled in May, the city's mayor, Bernard C. “Jack” Young, refused to pay the ransom—13 bitcoins, the equivalent of $76,280 at the time, and around $151,599 now. Instead, the city undertook the time-consuming and labor-intensive process to rebuild the IT network and restore from backups, even though that meant leaving city employees without access to email for weeks and taking down systems for paying water bills and parking tickets. The system for paying water bills is expected to be back sometime in August.
Recovery cost the city over $18 million: $10 million to rebuild the systems and $8 million in lost revenue in interest and penalties.
“Paying ransoms only gives incentive for more people to engage in this type of illegal behavior,” Young said, who proposed the conference resolution. Las Vegas mayor Carolyn G. Goodman was the co-sponsor.
Attackers are banking on the fact that many victims—municipalities, enterprises, and individual users—don’t have good backups. In many cases, these victims may not have any way to recover—or recreate—the data. While it’s easy to advise against paying ransoms, if there is no other way to recover crucial information, the payment becomes the only option.
Paying ransomware sets a dangerous precedent and it’s very troubling that, in a way, it became the norm for local government," said Mickey Bresman, CEO of Semperis. "It’s easy to understand how the decision of not paying is a very hard one to make, because there is just so much at stake.
Paying the ransom is just one part of the process, and the least painful part. Victims receive the decryption key to unlock the data when they pay, but the IT team still has to rebuild the network and use the key to restore the files. Ransomware incidents typically wind up costing millions of dollars because of the work involved to restore the data, regardless of whether the recovery is coming from backups or the decryption key. In Baltimore’s case, the Federal Bureau of Investigation advised Sheryl Goldstein, the mayor’s deputy chief of staff for operations, to not pay the ransom because the city would “bear much of these costs” whether or not the ransom was paid, Ars Technica reported.
While many municipalities are paying via cyber-insurance policies, taxpayers still have to bear the bulk of the costs of recovery. Similarly, enterprises may rely on their insurance policies as part of their strategy , but that may not cover the costs associated with lost revenue, downtime, and rebuilding.
“Paying ransoms only gives incentive for more people to engage in this type of illegal behavior.”
There is also no guarantee the criminals will honor the deal. Weeks after paying, Lake City still has not recovered all its files, The New York Times reported. That was one of the reasons the Baltimore mayor gave for not paying the ransom.
“If we paid there was no guarantee that we were gonna get the keys to all of our system,” Young said recently.