back to article Pay ransomware crooks, or restore the network? Guess which way this city chose after weighing up the costs

A city in Colorado, USA, has swallowed its pride and paid off a malware gang after deciding the cost of a network nuke-and-pave was too high. The city of Lafayette – technically a home-rule municipality – with a population of around 30,000, said it has opted to pay ransomware criminals a $45,000 (£35,000) fee after deciding …

  1. Hubert Cumberdale Silver badge

    I wonder if...

    ...when doing the cost/benefit analysis, they factored in the possibility that the crims might just take the money and run.

    1. Mike 125

      Re: I wonder if...

      > the possibility that the crims might just take the money and run.

      Assuming they leave their calling card and have a 'reputation' to protect, that would be a fairly dumb strategy. It's no cost to them to follow through on the deal.

      The victim's choice to pay is understandable, but supremely selfish.

      1. BrownishMonstr

        Re: I wonder if...

        I agree, there would be another type of cost for paying, in that the criminals are more likely to do it again.

        Imagine if the Government made it illegal to pay the criminals the ransomware fee. I wonder if companies would still pay, or criminals would resort to something else.

        1. LDS Silver badge

          "Imagine if the Government made it illegal to pay the criminals the ransomware fee"

          It was what was done here in Italy to stop kidnappings.

        2. Tomislav

          Re: Ah IT 'managers'

          Remember the recent attack against Garmin. A group called Evil Corp encrypted their infrastructure, demanding $10m. The problem with this group is that it was illegal for Garmin to pay up, so they paid a third party to "deal with the issue", and that company paid the crims. Making these payments illegal will result in similar deals.

          1. doublelayer Silver badge

            Re: Ah IT 'managers'

            If it is considered important enough, the law can be modified to clarify that paying money to someone else knowing that they will be paying the ransom means you are equally culpable. In fact, I'm surprised that's not already what the law says for cases like that. It won't stop it entirely, but by driving it underground there will be fewer people who will pay and less reason for other people to create similar malware.

        3. Claverhouse Silver badge

          Re: I wonder if...

          The data would still be borked --- but if barred from paying the criminals, just lost forever as well.

      2. Jamie Jones Silver badge

        Re: I wonder if...

        Surely they will need to rebuild and sanitise their network anyway if there's bern an intrusion?

        1. David 132 Silver badge
          Facepalm

          Re: I wonder if...

          Well you'd like to think tat, wouldn't you.

          If I were cynical though, I'd say that what they'll do instead is restore the data, (maybe) update the antivirus on the PCs and retire their remaining Windows 2000/XP machines, and bumble along exactly as before, while congratulating themselves on their IT smarts.

      3. doublelayer Silver badge

        Re: I wonder if...

        "Assuming they leave their calling card and have a 'reputation' to protect"

        You assume a large thing. A lot of ransomware artists don't see their job as requiring a reputation advantage. The smaller the scale of their effort, the less reason they have to write a decrypting program or actually check they're encrypting correctly instead of just corrupting every file. Even for those longstanding efforts that do have a reputation, nothing stops a competing criminal from designing their malware to look like one that is more trustworthy, if such a word can be applied to malware. It's been done to attempt to throw off attribution; it can be done to get more money.

      4. DCFusor

        Re: I wonder if...

        The selfish part was doing lousy security. Now the taxpayers pay, not the entity deciding to pay ransom - it's not their money, so yes, selfish in that sense.

        By refusing to take a stitch in time, they let their constituents pay the nine.

    2. drand

      Re: I wonder if...

      Whoever said crime doesn't pay needs to get with 2020. Not a week goes by without a sorry tale of someone paying up to the fuckers, and an order of magnitude more must go unreported.

      1. Alan Brown Silver badge

        Re: I wonder if...

        "Not a week goes by without a sorry tale of someone paying up to the fuckers, "

        At some point we're going to start hearing of these extortionists being found face down wherever they happen to live, having decided the guilt fo the crimes is too much to bear, thus committing suicide with three shots to the forehead, two to the heart and ample evidence of their activities left for the police to find

        Think it won't happen?

    3. LDS Silver badge

      They saw the prices for backup software, hardware, training and personnel...

      .... and decided taking the risks of paying the ransom was cheaper....

    4. Imhotep Silver badge

      DaneGeld

      Or future costs. I would hit them again and again.

      1. Anonymous Coward
        Anonymous Coward

        Re: DaneGeld

        The history of blackmail shows that once someone pays up then they are on the hook forever. A competent blackmailer knows how to keep the demands light enough to not kill the goose that lays the golden egg.

  2. Anonymous Coward
    Anonymous Coward

    ...after deciding that it was a better use of cash than spending time and money wiping and reformatting all of their machines.Er, wouldn't that be a sensible course of action even if you did pay the ransom (at least you could do it in a less urgent fashion)?

    1. Alister

      Exactly, unless they wipe and reformat the machines, how do they know for sure that those machines are not riddled with other malware.

      1. Alan Brown Silver badge

        Even if they DO wipe and reformat the machines, how do they know for sure that those machines are not riddled with other malware?

        1. NetBlackOps

          Yes, while tricky, hardware persistence isn't that difficult to achieve as we've seen of late.

        2. big_D Silver badge

          A friend of mine was visited by the federal police in Germany and warned that one of his servers had appeared on a dark-net forum. The advice was to buy a new server, recover from known good backups and shred the hardware, it couldn't be trusted.

    2. Captain Scarlet Silver badge
      Facepalm

      This is obviously a decision from a non IT background.

    3. Marcelo Rodrigues
      Unhappy

      "Er, wouldn't that be a sensible course of action even if you did pay the ransom (at least you could do it in a less urgent fashion)?"

      Yes. The operative word being "sensible".

  3. Anonymous Coward
    Happy

    Your Mac can't get hacked by a Microsoft Office macro...

    ...if you don't let Microsoft Office anywhere near your Mac.

    1. Hubert Cumberdale Silver badge

      Re: Your Mac can't get hacked by a Microsoft Office macro...

      Of course, Mac users can relax completely because Macs never need bugs patching and don't get malware.

      1. Hubert Cumberdale Silver badge

        Re: Your Mac can't get hacked by a Microsoft Office macro...

        [Three Mac users (so far) can't handle the idea that as their minority operating system gets more popular, the malware writers will demonstrate it has just as much potential for pwnage as Windows... I await more downvotes as they gradually realise my original post was insulting... (and for every downvote on this post, I'll punch a kitten, you cruel bastards.)]

        1. Hubert Cumberdale Silver badge

          Re: Your Mac can't get hacked by a Microsoft Office macro...

          Won't somebody please think of the kittens!

  4. 0laf
    Pirate

    Imagine if there was a criminal charge that would be levied against senior manager or officials of an organisation for allowing their security to be lax enough that they 1- allowed a significant and dangerous malware onto theri network and 2 - their systems were too poorly configured/maintained to allow them to recover from 1 in a timeous way.

    If that was the case 1- security/maintenance would be much much better and these incidents would be much rarer, 2 - where an incident still happened no one would pay the fine therefore these incidents would continue to be rarer (bad business for the bad guys).

    Things happen when the CEO or Mayor (whatever) has their arse personally in the firing line.

    1. Bitsminer Bronze badge

      Yes but no

      A successful criminal prosecution requires a motive and a payback and a "guilty mind" in the US parlance. Mere indifference or abstemiousness or negligence is unlikely to be sufficient to gain a successful conviction.

      A civil action on the other hand has much lower bar, and several dozen citizens can sue their muni for such indifference or negligence. But any successful outcome with a payout would result in....higher taxes. Ooops.

      The current list of IT vulnerabilities is far far longer than any other risk a city faces: offenses by police, weather events, labo(u)r unrest, and so on. It takes just one mistake to lose control of the complete IT infrastructure to criminals. City managers and politicians are slowly learning this the hard way.

      I hope they do not fire their IT staff. Their IT staff have now learned very valuable lessons; hopefully they get to apply their lessons at their job.

      1. doublelayer Silver badge

        Re: Yes but no

        "I hope they do not fire their IT staff."

        I'd be surprised to hear they have much in the way of IT staff. I'd guess they have a couple people whose job is maintaining desktops and contracts with places to write web apps they need to provide city services, meanwhile the maintenance of infrastructure, backups, etc is handled by whoever needs it at the time. I've seen many systems run in this way because IT is a cost center, and backups even more so. Then this happens and they can't recover because they didn't make any backups or provide for a restore process.

        1. Imhotep Silver badge

          Re: Yes but no

          When I used to peruse position postings, a lot of state and municipal governments seemed to require advanced degrees, have unrealistic expectations and pay below the private sector.

          That is pretty much going to ensure the applicant pool is less than optimal.

    2. Alan Brown Silver badge

      "Imagine if there was a criminal charge that would be levied against senior manager or officials of an organisation for allowing their security to be lax enough"

      What's driving a lot of these attacks is insurance - you can get policies against being attacked these days

      When the loss adjusters decide to move in is when this will start getting interesting

      1. 0laf

        "What's driving a lot of these attacks is insurance - you can get policies against being attacked these days"

        My understanding of insurance is that it will only pay out if you have taken all reasonable security steps. If you have been found to be lacking in patching, configuration or training your insurance won't pay.

        Same at home, you can have very good cover but I con't think of any insurance policy that will pay out for burglary if you never lock your doors.

        Too many organisations right now get away without doing even the bare minimum. Running a municipality without adequate IT to manage and maintain systems should be criminal incompetance in the same way failing to run health and safety on a building site is.

        The outcome is the same these are life and death systems (not just emptying your rubbish and putting up bunting at Easter but social work, child protection and criminal justice) and must be treated as such.

    3. doublelayer Silver badge

      "Imagine if there was a criminal charge that would be levied against senior manager or officials of an organisation for allowing their security to be lax enough that they 1- allowed a significant and dangerous malware onto theri network and 2 - their systems were too poorly configured/maintained to allow them to recover from 1 in a timeous way."

      On the surface, this sounds nice. I'm all for accountability, and the senior management is the place that most often needs and fails to be accountable. However, I think the criminal penalty would probably break things, and maybe we should be more lenient but more precise in our penalties.

      If such a criminal penalty were enacted, almost certainly it would include a provision making it the fault of the technical people if they could be proven incompetent. For example, the senior managers hire people and pay for backups, but the techs don't actually do that. It makes logical sense, and it would undoubtedly get lobbied into the law. The problem here is that, in every case, the senior management will do everything it can to put the blame on somebody in IT rather than take the blame themselves. They will be backed up by the legal and financial power of their business, while the IT person will be backed up by their life savings, which will have to serve for their protection from charges of incompetence and for their legal expenses for wrongful dismissal. The answer to this would probably be things like required audits by an independent third party to confirm that IT are doing what they should be doing, which would be nice, but would also mean IT has to keep stopping normal work to complete the audits and the business has to pay for them frequently. This is easy for a large business, but it could make things hard for the small ones.

    4. Boris the Cockroach Silver badge

      It would never work.

      The malware got onto the systems by dodgy email attatchment (my preference for users that click on the link/attatchment is to be burned alive infront of the rest of the staff) and we all know that despite the signs/training it will be From: Doug(best friend) " here watch this video" and the user will click on it (even after seeing my demostration 10 minutes earlier).

      And i were the crims.. leave a nice little booby trap on the machines timed to go off in 12 months so I get a nice annual subscription.

      Paying the danegeld means the dane will be back next year for more

    5. big_D Silver badge

      So, no computers, or only air-gapped computers and no portable media then... Maybe an internal network, but no Internet access...

      The problem is there are so many security issues in modern software, from the firmware, through the OS to the applications and web services, that it is impossible to effectively lock down a system if it is networked, or worse, has access to the Internet (E.g. email).

      Even if you patch everything when the patches are released and you have good border protection and up to date AV software, you have just reduced you vulnerability a bit, you haven't eliminated it.

      You have to start further up the line, with the software developers, hold them liable for their mistakes, not persecute their customers. But neither will happen.

      It is now an arms race, the bad guys buy exploits on the black market, before they are discovered by security companies or the software developers. The infiltrate the target systems and... nothing. Well, nothing visible. The quietly work away in the background compromising the backups and all the infrastructure they can access. Only once they are fairly certain that they have done enough damage to make recovery too expensive or impractical do they trigger "the event".

      There are fly-by-night operations that encrypt straight away or don't provide decryption tools upon payment, but the high end malware is thorough and is a slow burn.

      You have backups? Good. How often do you do a complete restore to a fresh machine, to check everything works? Most companies assume their backups are working, until they need them.

      But if the malware is on the last 3 months of backups, with a trigger date, doing a restore isn't going to help much. Or you are going to have to rebuild the servers (fresh installs) and then recover just the data and doing very thorough checks - oh and everything offline and in isolation, until it has been thoroughly checked and certified clean, before it is brought back online.

      How many weeks do you need to completely rebuild your architecture and rebuild all client PCs? You will be offline for weeks or months? I can see how paying the ransom and recovering the data might seem like an easier solution - although even then, I'd be backing up the data, restoring it in isolation and scanning it, before moving it to new infrastructure.

      I'd hope I could get away without paying a ransom. But realistically? I hope I never have to find out!

      1. JCitizen
        FAIL

        Cryptoprevent..

        There are a lot more things you have to do to prevent ransomware attacks, and yes they can be prevented. There is no excuse in my book that every dagone one of these situations could have been prevented, although not easily, I'd be willing to say even one IT person could have done it for a city that small. The cost is more than affordable as well. Until they make it illegal to pay; this madness is just going to keep going on and on and on.

  5. Mark192

    Hmm, they've clearly an urgent need to upgrade/update/patch their systems. It's possible that they've made the decision that paying the ransom allows their IT staff to focus on preventing the next infection.

    They better have invested in their systems because they've now got a reputation for paying...

  6. RM Myers
    Meh

    Possible first step - change insurance regulations to forbid reimbursing ransomware payments

    This would be much easier to do in the United States, since the state insurance departments have the ability to do this under the concept of it being against public policy - no law change needed. TI could also see tax codes being revised to disallow ransomware payments being considered as a business expense for tax purposes, similar to other expenses considered to be against public policy (paying bribes, for example).

    Ultimately, the only really effective change would be to make ransomware paying illegal, possible by defining it as aiding and abetting the original crime, just like fencing stolen goods for the thieves is a crime.

  7. hoola Silver badge

    Difficult....

    The value of the ransom was pretty low and staff hours lost whilst it was fixed would far outweigh the cost of paying. This could easily be a straight commercial decision. Maybe they were insured and the insurers advised to pay out once the analysis had been done. We got hit by ransomware a few years ago but the source was very quickly found, isolated and because of how the data was organised, the impact limited to one area. We still had to restore about 30TB of user data which took time. The cause was a PC that was not centrally managed and this is where problems start. If there is a culture of dispersed IT that is not as well manged then it is easy to make an argument for centralisation however in some environments (particularly academia) there is a legacy of culture & systems that are very difficult to bring in. Centralised IT is seen as control to stop people doing what they "need" to do to work, not something that is there to make their systems more secure and better managed.

    There is very little excuse for not being up to date on patching (software or firmware) or even running current operating systems but it requires planning, routine and acceptance that it has to happen. This is rarely a technical issue but is management. Only when patching has a direct impact on profit or regulatory compliance that impact them will people believe that it is an essential tool in modern IT.

  8. Sudosu

    Crocodile Hunter vs Stingray

    The last time I heard about this match up we lost Steve Irwin...a very sad day indeed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022