Should Local Governments Pay Ransomware Attackers? (phys.org)
At least 170 local or state government systems in America have been hit with ransomware, and the French Interior Ministry received reports of 560 incidents just in 2018, according to Phys.org. (Though the French ministry also notes that most incidents aren't reported.)
But when a government system is hit by ransomware, do they have a responsibility to pay the ransom to restore their data -- or to not pay it? "You have to do what's right for your organization," said Gregory Falco, a researcher at Stanford University specializing in municipal network security. "It's not the FBI's call. You might have criminal justice information, you could have decades of evidence. You have to weigh this for yourself." Josh Zelonis at Forrester Research offered a similar view, saying in a blog post that victims need to consider paying the ransom as a valid option, alongside other recovery efforts.
But Randy Marchany, chief information security officer for Virginia Tech University, said the best answer is to take a hardline "don't pay" attitude. "I don't agree with any organization or city paying the ransom," Marchany said. "The victims will have to rebuild their infrastructure from scratch anyway. If you pay the ransom, the hackers give you the decryption key but you have no assurance the ransomware has been removed from all of your systems. So, you have to rebuild them anyway."
Victims often fail to take preventive measures such as software updates and data backups that would limit the impact of ransomware. But victims may not always be aware of potential remedies that don't involve paying up, said Brett Callow of Emsisoft, one of several security firms that offer free decryption tools. "If the encryption in ransomware is implemented properly, there is a zero chance of recovery unless you pay the ransom," Callow said. "Often it isn't implemented properly, and we find weaknesses in the encryption and undo it."
Callow also points to coordinated efforts of security firms including the No More Ransom Project, which partners with Europol, and ID Ransomware, which can identify some malware and sometimes unlock data.
Re: "we find weaknesses in the encryption and und (Score:2, Interesting)
Actually, all of Emsisoft's decryption tools are available for free. They're the company that has exposed the scammers.
https://www.theregister.co.uk/2019/06/24/red_mosquito_rm_data_recovery_ransomware/
Re: (Score:2)
No amount of insurance can replace the actual data, if there isn't some sort of copy, even if it's only on dead trees.
Re: (Score:2)
Re: (Score:2)
Stupid question. Of course they shouldn't pay (Score:5, Informative)
They are supposed to make proper backups instead.
Payments to criminals shouldn't even be considered.
wanted dead or alive (Score:2)
Go back to wanted bounties on at large criminal gangs.
As much as I deplore vigilantism as it undermines civil society, people who ruin public goods don't deserve the protections of civil society.
Re: (Score:1)
This! Strategies for this kind of situation should be in place before they happen.
Re: (Score:2)
They are supposed to make proper backups instead.
Yes but if you are too stupid to backup essential data then you are probably stupid enough to pay the ransom which is what the criminals are counting on.
Re: (Score:1)
They are supposed to make proper backups instead.
Most organizations don't have an unlimited amount of backup storage and in any case they're only willing to go back so far in most cases. It should also be understood that at least some of the recent ransomware gangs have been sophisticated enough to lurk in the network for some time before triggering the ransomware. The purpose of this is to plant backdoors, trojans and other malware in such a way that they will be included in backups and allow rapid re-infection on restores. If you restore a backup infect
Re: (Score:2)
Of course paying ransom should be considered. In the end, one might not do it, but if you don't at least *consider* it, you're being completely and utterly irresponsible when it comes to due diligence.
Re: (Score:2)
Nah, you gotta prove that someone's life is in danger before even considering paying. These people just do whatever is cheapest. That will only help the criminal's business. You can't give them one penny, or a second's thought. You were supposed to have backups. Carelessness should be considered complicit.
Re: (Score:3, Informative)
Don't be so silly. You use a single image for all your terminals, and you restore them all at once.
You never pay a ransom for property.
Re: (Score:1)
Why are retards so eager to prove their idiocy? Paying for it once will only encourage the same criminals to do it again.
Re: (Score:2)
Dunno, why are you.
Easy to say when you're not the one in the hot seat - or dealing with SLAs where you are paying penalties to third parties the longer your system is down. If a hacker is demanding $500,000 ransom when the COO is telling you that not paying will cost the organization $2 million to recover from, with another $1 million in SLA penalties, would you be willing to fall on yo
Re: (Score:2)
Re: (Score:1)
armchair sysadmin
Re: Stupid question. Of course they shouldn't pay (Score:2)
So you'd just pay to unencrypt and not reimage? What could possibly go wrong?
Re: (Score:2)
Absolutely not!!! (Score:4, Interesting)
States should have laws mandating local governments to have shielded copies of backups that are not exposed to hacks, such as an offsite hosted backup site, tapes, etc... I worked the field for nearly 20 years, I can't imagine why local governments cannot afford to design and maintain such a solution. Not only would I implement it, but I would mandate regular testing of the recovery and gauge the amount of time it takes to perform a total bare metal restore.
Re: (Score:1)
" I can't imagine why local governments cannot afford to design and maintain such a solution"
Local gov't budgets are tiny. Before ransomware outbreaks it was impossible to get funds for a solution that was hoped to never even be needed or used. Even with the publicity these cases are getting it's still difficult. Local govts are funded by local taxes. People expect local govt to pick up the trash, deliver clean water, make sure toilets flush, maintain drainage, keep streets clear, etc. The majority of lo
Re: (Score:3)
You'd be surprised how little you need your computer on the net if you use your phone as your main net device and don't do social media shit.
Re: (Score:2)
Stage your own ransomware attack. Then show them the results. Unless you can demonstrate the impact of not spending 25k today. Also, most machines running XP or 7 will run 10, just upgrade them and make sure to cycle the old machines to the executives. You'll get plenty of replacements.
Re: (Score:2)
The ironic thing is that backup solutions are not that expensive. A LTO-8 tape silo, once the dust settles from the lawsuits and you can get tapes, will cost you about $5-$10k. A 2-3 RU PC that has a lot of bays for drives isn't that much, and that can run the Veeam server. As always, there is cloud backups, but the problem with cloud backups is that if someone hacks an admin account or the root account, they can purge everything with a couple mouse clicks, while to destroy offline tape backups in a safe
Re: (Score:2)
Re: (Score:1)
As an aside I was able to get a reasonable backup solution for all the servers and decent enterprise AV system for all the desktops in place after experiencing 6 real-world ransomware attacks within 9 months 3 years ago. I called in the FBI but none of the incidents ever became public. The FBI was useless but had to do it for CYA. Each time resulted in 2-day downtime for all employees and non-critical govt services (paying your water bill, etc). That allowed me to justify the cost of the above solution.
Re: (Score:2)
So there ought to be a law to make paying them illegal so the "cheaper option" is completely off the table and these scammers stop getting rewarded. This can't continue like this.
Would there also be a companion law that mandates funding (probably via tax increases) sufficient to hire competent IT staff and to purchase the necessary equipment needed for reliable offline backups, as well as the staff and equipment necessary to regularly test restoration of backups?
Re: (Score:2)
Re: (Score:1)
Or a law saying the Mayor/Director/Governor of the local government must pay the ransom. Then maybe they'd find the money to upgrade their systems and hire decent IT professionals.
Re: (Score:1)
If it were that easy they'd do it already. Bounty hunters don't tend to go to Russia / China / Indonesia / North Korea to pick up their quarry very successfully. It's also not as easy to attribute things to individuals as you seem to think.
#Dog the Bounty Hunter is a TV show about an actor.
Re: (Score:2)
Oh damn better watch out for those mall ninjas.
Re: (Score:1)
The concept of not negotiating with terrorists depends on your definition of "terrorists". If an entity kidnaps your kid, do you pay a ransom? What if the entity is your government?
Re: (Score:2)
Or they could infect machines again... and again... and again. As long as people are paying.
You'll find when that adds up to real money, government will hire an actual, qualified security consultant, follow through with infrastructure investment to survive a ransomware attack, and then not need to pay off for ransomware attacks. But this step won't occur until some real pain has been inflicted upon the gov't infrastructure. As I see it, it must be more viable to explain that I have to raise your taxes to specifically defend against gov't shutdowns, than raise taxes because we have to budget for
Re: (Score:2)
As long as they had backups for the important data, who gives a shit about the crap most office workers accumulate on their computers. Same applies to personal computers.
Simple! (Score:2)
The cost of recovery >> the ransom => you're paying.
And then, if you're lucky and the decryption key you get allows you to recover your data, then you make sure you have regular backups in at least two locations (one of them must be off-site whilst you only have access to upload preferably encrypted backups, not erase or rotate them - that must be done remotely with a completely different set of credentials).
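The upload-only arrangement described in the post above, as an added example that is not from the commenter: an AWS IAM policy for the credentials kept on the backup host, which can only add new, encrypted objects and are explicitly denied delete, versioning and lifecycle changes. It assumes S3 as the off-site location, a placeholder bucket name, and that bucket versioning is enabled; the identity that holds s3:DeleteObjectVersion and lifecycle rights for rotation is a separate IAM principal whose keys never sit on the backup host.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadEncryptedBackupsOnly",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "NeverDeleteOrReconfigureFromBackupHost",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET",
        "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/*"
      ]
    }
  ]
}
```

A PutObject to an existing key still succeeds, but with versioning enabled the earlier version is retained and cannot be removed with these credentials, so a compromised backup host can fill the bucket but not erase its history.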
Re:Simple! (Score:4, Interesting)
I said this in another thread just recently too.
"The cost of recovery >> the ransom => you're paying. "
Pretty much.
"And then, if you're lucky and the decryption key you get allows you to recover your data, then you make sure you have regular backups in at least two locations (one of them must be off-site whilst you only have access to upload preferably encrypted backups, not erase or rotate them - that must be done remotely with a completely different set of credentials)."
Exactly this. Backups are absolutely critical.
However, and this applies, EVEN if you have triply redundant air-gapped offsite backups:
Having backups doesn't make the "cost of recovery" zero, and paying the ransom may still lead to less downtime and speedier recovery than using just the backups.
I've seen a couple companies decide to pay the ransom DESPITE having perfectly good backups simply because restoring everything from backups would TAKE LONGER. Factor in insurance policies, and they are just paying a deductible not the full ransom.
Re: (Score:2)
It's the tragedy of the commons. (Score:1)
An individual city may be better off paying the ransom, but it poisons the community well and makes everyone worse off in the end.
You can't trust anything important anymore. (Score:5, Interesting)
It's not the FBI's call. You might have criminal justice information, you could have decades of evidence. You have to weigh this for yourself.
Once hackers have shown an ability to mess with your "evidence" at will, any half competent lawyer should be able to challenge its provenance in court.
"We got hacked and the evidence all got encrypted, but no worries, we paid the ransom and got them back. See, we even have chain of custody and checksums. They got encrypted too but it's all back good as new."
Re: (Score:2)
There is CJIS compliance as well. The FBI does not suffer fools gladly when people don't abide by their rules.
No, but not quite yet. (Score:2, Informative)
No, ideally you don't want your government entities paying ransomware attackers. But you can't just make that decision in a vacuum, it takes preparedness. There are things you can do to help make your systems resistant to these attacks.
1) Backups. Do them. Test them. And know your recovery times if you need to restore from them.
2) Automate your re-installation procedures for servers, desktops, and cloud.
3) Get a NAS with read-only snapshot support, and snapshot often. This could be your fastest r
Being Irresponsible Is Not Acceptable (Score:1)
It is sad that this question was even asked. This is not acceptable. The LAST line of defense should be restoring from a recent, good backup. Other strategies should be in place to prevent needing to implement this. Most of us pay large fractions of their income (both personal and corporate) to fund the many layers of government. It is the government's responsibility and obligation to do things correctly and with care. Anything else is UNACCEPTABLE and there should be severe penalties (even criminal) f
Nope (Score:2)
I tend to lean towards the " Buy once, cry once " philosophy.
Doing it the right way the first time might cost you a bit more up front, but it saves you a whole lot of headache and cost later on down the road.
So, don't design your networks around the cheapest solution you can find ( hardware, personnel or practices ) because it can ( and usually does ) come back to haunt you later on.
Re: (Score:2)
Hardwood or Softwood? (Score:1)
Should the government invest in hardwood to make the gibbets to hang the ransomware culprits on, or use cheaper softwood? If an effective example would be made with one or two uses, the cheaper pine gibbet should suffice.
What a stupid question (Score:1)
Sysadmins should take backups. If backups are done correctly, ransomware is not a problem and the sysadmin can just laugh at the ransom demands.
Same problem as pollution (Score:2)
That's the same argument made by people/companies who want to pollute willy-nilly. That the government doesn't have the right to interfere how a private individual or corporation behaves.
The resolution is the same as pollution as well. In both cases, the benefits are concentrated in the individual/corporation, while the costs
Be prepared (Score:1)
Re: (Score:3)
Even if you have a continuity plan, and triply redundant offline air-gapped backups, documented and practiced restore procedures, ... even if you have everything you think you should have:
It may still be cheaper to pay the ransom than to execute that recovery plan. It may be faster and it may reduce down time. It may get your most recent not-yet-backed-up data back...
If the building burned to the ground, you'd just accept the loss, and execute on the total-loss DRP It was specified in the risk assessments a
Re: (Score:2)
Re: (Score:2)
"If A pays, you have created a market and they will go after B, C and D."
Ah but B, C, and D are my competitors. :p
In all seriousness I agree with you, but there's always going to be people who pay. Everything from bicycle theft to knock off goods to kidnapping would go away if people would just stop paying for it... pissing into the wind.
Pay it, then tell the world they reneged (Score:2)
Re: (Score:2)
I should pay but others shouldn't (Score:2)
That's game theory at work.
Let's first assume that the cost of recovery is much higher than the ransom. If it isn't, the answer is obvious so let's get it out of the way.
If the loss of data doesn't affect you personally, for your best interest, the ones affected shouldn't pay the ransom. As a general rule, it is better if crime does not pay.
But if you are the victim, then you should pay, because the cost is lower, even when we take the possibility of criminals altering the deal into account.
Sometimes, there
Hindsight, invest in better IT (Score:1)
how to REALLY make them stop (Score:2)
The greater good (Score:2)
Paying ransoms just encourages future extortion.
"Millions for defense but not one cent for tribute"
Another thing, damage from ransomware is completely preventable with proper backups.
Also, paying ransom to get your data back is a self serving move that harms others by exposing them to the risk of future attacks since now they'll be emboldened to keep launching attacks.
Finally, what's to stop the hacker from coding their malware to only unencrypt the data temporarily, but plant more logic bombs to have it re
Just buy Chromebooks (Score:2)
Local governments should be running on Chromebooks. Most businesses should be running on Chromebooks or iPads, really.
Windows and Mac are overkill for most people. Unless you're an IT outfit, you should only run stuff that's been locked down. If you don't have an IT department to lock your stuff down, let Google and Apple do it and ignore the people who dis you for doing so but don't offer a real solution.
difference (Score:2)
do they have any plans in place for when criminals take government personnel hostage for money?
almost the same thing, and going by movies the rule probably is to not make deals with them.
but for a ransomware attack they would very much like to pay them off.
shows the value of human life/lives.
Just curious (Score:1)
Re: (Score:2, Flamebait)
It's going to continue to get worse, but I'm going to be okay. I hit 60 just over 3 years ago so I was able to start collecting a reduced retirement pension, which sucks because I never thought I would retire. But as long as I ca
Pascal currently ranks #218 - that's pretty dead (Score:2)
I'm on break, so I will point out that if you scroll down the page of the link to TIOBE that you provided, Pascal currently ranks 218, down from #3 in 1994. Elsewhere it shows the top 10 for various years and Delphi is absent.
I'll stick with c/c++. If I wanted to play with a dead language, I'd learn Latin.
Delphi had its day. I bought version 1 shortly after release, convinced my employer to pay a couple of grand to Borland to sign us up for the Delphi 2 closed beta after talking to a Borland rep after
Re: (Score:2)
If Pascal and Delphi are so great, where are the stories about them? The product reviews of new releases, the stories about Pascal taking over software development in business or science or the web? Why are c, c++, and Java all over the place and Delphi is nowhere to be seen? If c is so dangerous, why is it running everywhere, why is it the language of operating systems that everyone uses? Where's the OS written in Pascal if c is so bad? Why does the web run on servers written in c instead of Pascal? Why d
Re: (Score:2)
You "work for yourself" - that's what most unemployable people say. The same people who can't dream of ever needing a string of characters more than 2 gigs long.
No
Re: (Score:2)
You only need the last backup before the ransomware executed. Restore it on a non-executable partition, locate the files that are suspect, delete them, then see if you now have a ransomware-free backup by restoring it to another machine and booting it. Repeat until you're sure. Then you can schedule fresh installs of a new copy of the OS and programs and copy only the data and configuration. It might take much longer than paying the ransom once, but if you don't pay the ransom you discourage future attacks, as