Atlanta city officials are not saying whether they were strong-armed into paying the $51,000 ransom to hackers holding many of the municipality’s online services hostage, but they did announce progress in restoring networks on Thursday.
Police officers are once again able to file reports electronically and some investigative databases thought to have been corrupted by the ransomware attack have turned out to be unscathed, the city says. The city’s 311 system — which deals with things such as trash pick-up and reporting of potholes — is also back in operation.
As a precaution, however, law enforcement is still not using some of its databases and the city’s water department can’t take any form of payment. Plus, the municipal court continues to push off its caseload, indefinitely.
Atlanta is just the latest target in a long list of victims whose vulnerable cyber security has fallen prey to online predators.
The FBI says ransomware attacks have been on the rise for the last three years, particularly against organizations that serve the public. That includes hospitals, school districts, state and local governments and even law enforcement.
Spike in ransomware attacks
In 2016, the agency received 2,673 complaints of extortion through the malware with losses of over $2.4 million. Last year the number of reports increased to about 3,000, with losses remaining at about the same level.
Data compiled by BitSight, a cyber security ratings company, is even more staggering. A 2016 report analyzing government, health care, finance, retail, education and utilities concluded that education institutions are most likely to be on the receiving end of a ransomware attack. They are three times as likely to get hit as are the health care sector and more than ten times as likely as financial institutions.
Also according to the study, government entities, from local to federal agencies, have the second-lowest security rating and the second-highest rate of ransomware attacks.
If Atlanta has not capitulated to the hijackers’ demands, then it’s following the FBI’s don’t-pay-the-blackmailers policy.
“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” FBI Cyber Division Assistant Director James Trainor wrote in a 2016 report on rising ransomware attacks.
Additionally, “[It] doesn’t guarantee an organization that it will get its data back— we’ve seen cases where organizations never got a decryption key after having paid the ransom,” Trainor said.
It’s also a bad idea to fork over any amount of cash, he said, because it could “inadvertently be funding other illicit activity associated with criminals.
BitSight Chief Technology Officer, Stephen Boyer, tells NPR that there is no one way to handle these types of extortion efforts.
“It really depends on the intent,” he explains.
Some hacks can be cloaked to look like a straight-forward ransomware attack but in reality they are what are called “wiperware,” meaning they are purely destructive in nature.
“Last year we saw some attacks where it was cloaked to look like a ransomware attack but when researchers finally understood what the script was doing, it wasn’t ever possible to recover the files,” he says.
But if the attacker is truly intent on extorting money, “There’s actually some honor amongst thieves,” he laughs.
The reason: “They need to show and demonstrate a track record of decrypting files, otherwise no one will pay.”
In Boyer’s experience, most of these criminal entrepreneurs go as far as establishing customer support groups to help their victims pay on time. They provide technical help in transferring funds into bitcoin and in some cases, even testing out sample decryption keys.
In the long run, it is in the hackers’ best interest to establish a good reputation with the public at large. “Because if word gets out that they never decrypt files no one will ever pay and they’ll never make money,” Boyer says.
Despite the FBI’s advice, there is no consistency in the way cities, schools and hospitals have responded to hackers’ demands. Outcomes are equally variable.
A school district refuses to pay
Big Fork Schools, a Montana district with about 900 students, has been under siege twice since 2016.
The first time it was hit with a ransomware attack that disabled the administration’s computer system. The district was given 48 hours to respond or risk having its data wiped clean.
Superintendent Matt Jensen remembers it as a terrifying day.
Still, he tells NPR, “We didn’t even entertain the notion of negotiating with them.”
It was a matter of principle, economics and luck.
IT administrators had backed up the entire system just two weeks prior to the strike, so even in a worst-case scenario it wouldn’t be losing very much data.
Perhaps factoring the size and budget of the school district or maybe owing to sheer ignorance, the hackers only demanded between $2,000 to $4,000, Jensen recalls. Therefore, if the district decided to ignore the blackmailers and go back to the two-week-old version of the systems, Jensen calculated that would cost about $8,000. It was worth it.
“We just decided we would pay more to not support a terrorist organization,” he says.
In the end, the district’s primary data remained inaccessible for over a week and it took about two months to back fill what was lost. But on the bright side, the recovery operation came in under budget.
The second attack happened last fall. But Jensen was glad to report that none of the district’s systems were comprised.
“The 2016 attack was a blessing in disguise,” he says, because in the interim between attacks, the district had invested lots of time and money in beefing up online security.
The school district was lucky. “Unfortunately, lots of schools do not have the budget to support IT defenses and it makes us pretty vulnerable,” he says.
A hospital gives in
The assault on Hollywood Presbyterian Medical Center in Los Angeles was a different kind of nightmare.
All but three of the hospital’s computer systems were brought down by a ransomware attack in Feb. 2016.
“It was just awful,” Steve Giles, the hospital’s Chief Information Officer tells NPR, explaining that hospitals are extremely susceptible to these threats because patient data can have life-or-death implications. As a result, hospitals are much more willing to meet the payment demands of hackers.
Yet, at the time of the attack Giles had never heard of a ransomware attack on a hospital.
“We were not even cognizant of the kind of level of cyberattack we incurred,” he says.
Hackers initially demanded 22 bitcoin, a value of about $9,000 at the time. But when the hospital paid, the hostage-takers came back for more. “They said they had given us the wrong software so we had to pay another 18 bitcoin,” which added up to nearly $7,000 more, Giles says.
Then a new problem: After paying the ransom, the hackers sent over the encryption code. Actually, more than 900 separate sets of code “that had to be uniquely applied to all servers and PCs.”
When asked how they could trust that the hackers wouldn’t come back a third time, Giles says, “We didn’t know.”
But, “It was a worthwhile bet and we took a chance because we felt that the decryption codes would be a quicker way to bring the system back up.”
Despite getting duped, and the frenzy the payoff created, Giles maintains it was the right call. He’s also immensely proud that for the duration of the outage no patients were adversely affected.
It’s tough to contradict Giles in light of the May 2017 ordeal at Erie County Medical Center in Buffalo, N.Y. When it became a target of a $30,000 extortion plot, authorities there decided not to pay.
Hackers wiped about 6,000 of the hospitals computers and it took the staff about six weeks to get up and running again. In the meantime, employees kept hand written records.
Officials said it cost them $10 million to recover from the attack. That figure includes money spent on hardware and software to rebuild the hospital’s computer system, as well as overtime pay and lost revenue.