Hackers crippled Lodi City’s emergency phone lines and financial systems over two months, demanding $400,000 in Bitcoin. But did the City make the right move by fighting back?
The ransomware was delivered to a city employee, masquerading as an invoice attached to an email.
As soon as it was opened, the virus spread quickly throughout the city’s network of computers.
It identified and encrypted critical files, knocking out the Police Department, the emergency helpline for Public Works, and the main switchboard numbers for City Hall and the finance division.
Hackers and ransomware not ‘high on radar’
Lodi City Manager Steve Schwabauer admitted the possibility of ransomware had not been “high on [his] radar” and that he was surprised by how sophisticated the software was.
“The virus goes looking for vulnerabilities. It looks for elements of data that are valuable to you,” Schwabauer said.
“It attacked our phone systems, our payment data, and our financial systems.”
The hackers demanded 75 Bitcoins – approximately US$400,000 (AU$588,000) at the time of the hack – in return for a password they claimed would decrypt and restore the systems.
After deliberating over what to do, the city resolved not to pay.
“The ransom demanded 75 Bitcoins be paid to restore our systems. We did not pay the ransom. Instead, we rebuilt our systems from our back-ups,” Schwabauer said.
Not paying ransomware can be costly
It wasn’t an easy or cost-free decision. The issue was first discovered on April Fool’s Day but was not corrected until a month later.
And the issues resurfaced in May, affecting the Lodi Police Department’s network and once again interrupting their (non-emergency) phone service.
Ransomware hacks have been occurring around the world since 2005, targeting large organizations like schools, hospitals, and businesses, and in some cases disrupting electrical grids.
Anyone with a smidgen of knowledge can buy off-the-shelf ransomware on the darknet and use it to target victims.
This ease of availability led to a 400% increase in ransomware attacks between 2017 and 2018, according to Symantec’s 2019 Internet Security Threat Report.
Should you pay ransomware or not? Experts divided
Deciding whether or not to pay off the hackers is a fraught decision.
Apart from the fact that many people lack the knowledge to acquire Bitcoin to pay the ransom, there is also the ethical dilemma of rewarding hackers for their nefarious deeds, which encourages them to find more victims.
There is a practical reason not to pay as well: there is no guarantee that the hackers will enable you to recover your files.
Experts are divided on the question. For an individual user, it might simply be a matter of principle. But for a hospital, school or city council, deciding not to pay can disrupt essential services for months.
In the past, FBI agents have informally recommended paying.
“The practical aspect of ransomware is that the cost of not paying the ransom is materially greater than the cost of paying it. The logic is clear,” said Todd Weller, chief security officer of Bandura Cyber.
Recent ransomware cases
In June, Lake City and Riviera City in Florida each paid hackers around half a million dollars in Bitcoin to recover their systems. Their ability to conduct services had been crippled for weeks.
And in March, Jackson County, Georgia, paid $400,000 to recover access.
In 2017, 16 hospitals were crippled by the Wanna Decryptor (WannaCry) ransomware virus. It’s hard to argue with a hospital paying up in a situation where lives could be at stake.
How To Geek recently polled 30 experts on the issue, and only one third said affected organizations should never pay.
But Dror Liwer, founder of security company Coronet, argued: “The cybersecurity industry is saturated with consultants encouraging people to pay.
“This is not only poor and lazy advice, but it can actually prove harmful to others, as payment encourages attackers to come back again in the future.”
Good guys fight back against ransomware hackers
For victims who choose not to pay the ransom, No More Ransom – a joint project between McAfee and a handful of European law enforcement agencies – may be an option.
Launched in 2016, No More Ransom allows you to upload samples of encrypted files to its platform. If it has already cracked the ransomware family, you will be able to download a decryption solution and unlock your system at no cost.
It is not a foolproof system, however, and the best advice is to upgrade security systems and procedures before an attack happens, avoiding the problem in the first place.
Lodi City has since met with their local assemblyman to request half a million dollars for computer security upgrades.
Although the exact details aren’t clear, it appears that the costs from the attack were high. The city is pursuing its cybersecurity insurance, which has a capped deductible of $50,000.
The city has not revealed the cost of correcting the ransomware issues or how many hours staff have had to work to repair and rebuild city systems.