2nd Florida City Pays Hackers, as 3rd City Faces Breach:
A second small Florida city this month has paid hundreds of thousands of dollars to hackers who took over most of its computer operations, an official said Wednesday, while a third Florida city said its data was breached.
The attacks in Riviera Beach, Lake City and Key Biscayne underscore the need for municipal governments to update and secure their software systems, and also reflect the dilemma of how to respond to hackers. The FBI doesn't condone paying ransom to hackers, but city governments often consider it the most convenient option.
The city manager of Lake City, a community of about 13,000 residents some 60 miles (100 kilometers) west of Jacksonville, says it paid about $460,000 in bitcoin Tuesday to recover data and computer operations.
In a separate case, the Village of Key Biscayne, just off the coast of Miami, reported a data breach earlier this week. This comes a week after Riviera Beach in South Florida agreed to pay $600,000 in ransom.
It was not immediately clear if there was any connection between the attacks.
Joseph Helfenberg, city manager of Lake City, said paying the ransom was the cheapest option available since the city is paying a $10,000 deductible, and the rest is being covered by its insurer.
"We had a lot of attempts to recover the data that were unsuccessful," Helfenberg said Wednesday.
[...] Michigan State criminal justice professor Tom Holy said the recent attacks underscore the need for governments and businesses to spend money on backup systems and security protocols. If a city has been backing up its data, it's probably not worth paying a ransom, but if they haven't, "paying might be the cheapest option," Holt said.
"Which is really awful, but that's the point we may be at," Holt said. "This ransomware threat is not going to go away anytime soon."
What would happen in your town or city if it were attacked for ransom? Are networks properly partitioned? Are backups up-to-date? Have the backups actually been tested?
(Score: 5, Insightful) by pipedwho on Thursday June 27 2019, @10:09PM (19 children)
The problem with paying ransoms is it's a short sighted approach. After payment, you've done two things. 1) You've directly funded the illegal outfit so they can improve their operations and approach for the next victim(s) which may include you. 2) You've shown the ransoms can and will be paid, thus validating the illegal operation in the first place, and therefore proliferating the problem.
Extortion and ransoming are illegal. And the only way they should be paid is via the FBI/etc if the money can be traced to the recipient. If not, paying the ransom should be illegal. Private ransoms / death threats might be a different story, but a city paying a ransom to get data back is extremely short sighted with only a minimal near term upside. The tragedy of the commons applies here - where each individual in trying to improve their immediate situation has a detrimental effect on everyone else (including themselves).
(Score: 0) by Anonymous Coward on Thursday June 27 2019, @10:12PM
The FBI should really be stepping in and squashing this capitulation.
(Score: 3, Insightful) by EJ on Thursday June 27 2019, @10:44PM
Maybe paying the ransom should be counted as aiding and abetting.
(Score: 2) by krishnoid on Thursday June 27 2019, @11:16PM (4 children)
All good points, which makes me wonder what kind of insurer can stay in business when they keep having to pay out for breaches against an insecure enterprise. I figure they'll learn that lesson *really* quickly.
(Score: 3, Interesting) by Anonymous Coward on Thursday June 27 2019, @11:45PM (1 child)
Yeah, the insurance is the key point of weirdness here.
My guess is the insurers have made one of the classic mistakes: thinking adverse events are uncorrelated when they're very correlated. Same thing that caused the latest financial crisis (and the previous several financial crises). Insurance works well against things like natural disasters, where they just happen on their own schedule and don't much care about the damage they do. Even things like pirates (or on a smaller scale, ordinary thieves) are limited by the fact that there are only so many thieves, and you have a pretty good idea of where they are, so you can at least price the risk properly.
But ransomware, that's something you bring on yourselves. There's no safe neighborhood against ransomware. There's no navy that can sail in and make the pirates look for other career options. This is more like liability insurance than crime or disaster insurance, where you're insuring someone against their own screw-up. Except nobody ever decides it's cheaper to just do reckless things and let insurance pay off everyone that sues you. Nobody would do that, and insurance would stop covering you if you did. But that seems to be what is going on here.
The other key difference is that you never know with liability what's going to happen, so you can't really take precautions against it. Liability is the catch-all insurance against things someone might blame you for. But ransomware doesn't have that essential randomness. You know exactly how it's going to go down. You just didn't bother preventing it.
Which means, from an insurance perspective, being the victim of ransomware should be considered along the lines of gross negligence, and they should refuse to cover it.
(Score: 0) by Anonymous Coward on Friday June 28 2019, @03:04PM
Never get involved in a land war in Asia?
(Score: 3, Insightful) by bzipitidoo on Friday June 28 2019, @04:00PM (1 child)
I keep wondering if some of these are inside jobs. As in, the city leaders who decide to pay these ransoms get some of this action for themselves.
They don't necessarily have to be in cahoots with the cybercriminals. If a ransom amount was delivered discretely, the officials could bump up the amount and pocket the difference.
Anyway, such corruption is another reason that governments should not pay ransoms. That's not their own money, that's taxpayer money they're so freely parting with. Oh well, there are many less risky schemes for transferring taxpayer monies to officials' personal bank accounts. A flashy cybercrime gets way too much attention. Grift with very boring and banal operations is much quieter and safer.
(Score: 2) by krishnoid on Friday June 28 2019, @07:31PM
No way, I'm hard-pressed to believe that the leadership of that many cities, all in one specific state ... ah geez.
(Score: 1, Insightful) by Anonymous Coward on Friday June 28 2019, @12:29AM (5 children)
That's cute, now list all the problems you have when you DON'T pay them.
(Score: 2) by pipedwho on Friday June 28 2019, @03:34AM (3 children)
You have the same problem if the ransom is paid and the 'restore' code doesn't work, or if the damage was malicious with no ransom attached. The only reason the second city pays is because someone else paid and had their data restored. On top of that, you don't know what data was altered, and have no guarantees that critical/private data hasn't been exposed/sold.
Now you've paid to have a quick and dirty patch job on your problem and have exacerbated the problem for everyone else.
If it was illegal to pay these demands, then the city is forced to cut its losses and rebuild - just as if the disaster was permanent and not reversible through a convenient one-click ransom payment.
(Score: 2) by Teckla on Friday June 28 2019, @03:15PM (2 children)
The hackers in question are not stupid. They know if they do not abide by the ransom agreement, cities will stop trusting them, and then their business model will no longer work.
(Score: 0) by Anonymous Coward on Friday June 28 2019, @07:44PM
There is always the possibility the restore is intentionally ignored. But more likely the restore is attempted but doesn’t quite work as expected and fails for technical reasons.
(Score: 2) by toddestan on Saturday June 29 2019, @05:16AM
That's also assuming that you are dealing with actual hackers who are playing the long game, and not some script kiddies who really don't know what they are doing and just cobbled something together with something they downloaded off of the dark web.
(Score: 2) by fido_dogstoyevsky on Friday June 28 2019, @05:09AM
That's easy... it's an empty list.
Because (to quote somebody else) you haven't lost anything important, just something you didn't think was worth backing up.
It's NOT a conspiracy... it's a plot.
(Score: 2) by darkfeline on Friday June 28 2019, @08:13AM (4 children)
Not backing up the data in the first place to save a little time/money was short-sighted. Obviously, short sighted approaches are standard procedure with the affected organizations, so your proposal is cute, but pointless.
Join the SDF Public Access UNIX System today!
(Score: 2) by pipedwho on Friday June 28 2019, @09:07AM (3 children)
So far I've made no proposals or suggested any solutions. I'm pointing out the meta problem.
If I were to propose something it would be that some entity at a higher level (ie. congress) needs to put a legal roadblock in place so these shortsighted decisions are no longer 'standard procedure' in these affected organisations. As usual when it comes to 'tragedies of the commons', the solution is usually beyond resolution by any single player within the problem sphere.
(Score: 2) by AthanasiusKircher on Friday June 28 2019, @12:59PM (2 children)
I think what you mean is something more akin to the Prisoners' Dilemma. Cooperation (among victims, in this case, to have a collective strategy not to give in to ransom) means we all suffer a bit, but we end up better by cooperating with each other than if some give into the demands, thereby causing others to potentially suffer even more greatly.
(Score: 2) by AthanasiusKircher on Friday June 28 2019, @01:06PM
(I should also note even the last analogy is not quite right, as someone who pays a ransom may also increase their own likelihood of becoming a victim in the future. So it's not quite the classic Prisoners' Dilemma, but it is a variant of that sort of thing.)
(Score: 2) by pipedwho on Friday June 28 2019, @08:15PM
My analogy is quite loose as I couldn’t find a simple concept that better describes this problem. All these problems are a subset of general collective cooperation. And there really should be one for extortion rackets in general. I was alluding the commons in this situation as a sort of space being polluted by self interest, but including some form of positive feedback.
In this class of problem the behaviour of any one victim perpetuates and worsens the problem in question for everyone, while resolving an interrelated immediate issue for that individual. Kind of a hybrid between the Prisoner’s and Commons dilemmas.
(Score: 0) by Anonymous Coward on Friday June 28 2019, @11:08AM
Applies to any extortion racket. Halal certification is another one. Millions paid for certification of water, milk, cheese, the list goes on for products that are 'halal' by default. Pay once and you set yourself up to pay for a lifetime.
(Score: 0) by Anonymous Coward on Thursday June 27 2019, @10:17PM (1 child)
It does not underscore the need for anything. It does underscore the value of insurance coverage, which the city already had!
Assuming the city actually got their data back by paying the ransom (which costs them $10k), then the frequency of such attacks (and whether or not their insurer will cover them next time...) will determine whether or not the ransom is the cheapest option. $10k is peanuts. Hiring an IT professional to implement and maintain the city's backup system is unlikely to be cheaper...
(Score: 2) by stretch611 on Friday June 28 2019, @01:33AM
Actually, that points out how stupid the insurance industry is...
They know ransomware is out there and that the average computer user is an idiot.
I don't know why the hell the insurance industry even cover anyone that doesn't follow a basic minimum of security standards, including
a) users need to go to some minimal security class and be told not to open random attachments or random links.
b) incoming email and file systems should get regular scans from up to date virus systems. (including mac and linux systems.)
c) networks should utilize some type of intrusion detection system
d) regularly schedule backups
e) actual testing of the backup system to make sure it can restore data and that it verifies.
After all, insuring for a day or two recovery will cost a lot less than paying a ransom. Especially when every hacker hears about which cities pay out and make them favored targets.
Not following these guidelines should result in loss of insurance. Any IT department that has critical data that can't be restored is not worth crap.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 2, Funny) by Anonymous Coward on Thursday June 27 2019, @11:14PM (2 children)
it used to be "a florida man". now it's "a florida city".
florida, oh florida.
(Score: 2) by AthanasiusKircher on Friday June 28 2019, @01:09PM (1 child)
Next up, Florida City gets random demand that the mayor has to have sex with an alligator on a live stream to the internet in order to recover data. Black Mirror meets Florida Man. (I hope I didn't just give hackers ideas...)
(Score: 0) by Anonymous Coward on Friday June 28 2019, @03:08PM
Here, take my money and point me to the pay per view channel! No, my name is not "Florida Man", why do you ask?
(Score: 5, Insightful) by stormreaver on Thursday June 27 2019, @11:26PM (6 children)
Hopefully, step #1 would be to stop using Windows.
(Score: 3, Interesting) by NateMich on Friday June 28 2019, @12:01AM (4 children)
Yeah, just imagine the crickets when you suggest that at a town meeting.
I bet they wouldn't even understand what you mean.
You would try explaining and their eyes would just glaze over when you started talking about operating systems.
(Score: 2) by Runaway1956 on Friday June 28 2019, @12:43AM (3 children)
I hate to say it, but I think you're exactly right. My little town? I don't know if ANYONE outside my own home knows what a *nix is. I've told some of them, but I'll bet no one remembers. Windows on desktop, iOS on the phone if they need a status symbol, Android if the status symbol isn't terribly important.
(Score: 0) by Anonymous Coward on Friday June 28 2019, @06:59AM (2 children)
im sure someone understood perfectly well, when mentioned in the bar, over a beer, that KB XYZ12345 wasn't applied, loudly.
maybe?
(Score: 2) by Runaway1956 on Friday June 28 2019, @02:06PM (1 child)
No bars in this little town. Nothing but the dead and the dying, back in my little town. I'd find the Youtube link for it, but I'm sure you can find it if you want to hear it.
(Score: 0) by Anonymous Coward on Friday June 28 2019, @03:11PM
I know that one without looking it up. Paul Simon's "My Little Town". The key change from the verse into the chorus is a subtle but very effective way of adding a sense of tension.
(Score: 2) by Teckla on Friday June 28 2019, @03:24PM
Over the years, it has become increasingly obvious to me that Windows, macOS, and desktop Linux are simply too hard for non-technical people to properly administer, Windows probably being the worst choice of all since it is targeted the most.
In my opinion, non-technical users should be limiting themselves to Chromebooks and/or iPads. Our technology needs to protect us from ourselves. Even smart people make mistakes sometimes, so the real solution is to make it hard or impossible to make mistakes.
(Score: 1) by fustakrakich on Thursday June 27 2019, @11:44PM (3 children)
Have the backups actually been tested?
Are backups actually made??
The above AC has it pegged. It's simple math. What are the cost/benefit ratios of a well maintained "secure" system vs. insurance for the occasional break in?
La politica e i criminali sono la stessa cosa..
(Score: 4, Insightful) by martyb on Friday June 28 2019, @01:46AM (1 child)
Cost/benefit... but to whom?
The finances of the town or city? What about the residents who face the prospects of a non-functioning local government for the period until the system is remediated? How about the potential that a backdoor was left in place for a repeat performance? While they were at it, the perpetrators could well have siphoned off untold amounts of private/personal/internal information. How about knowing you are one inopportune event away from having a non-functioning government?
Backups are not only protection against cyber-attacks but also the everyday stuff like disk crashes, fires, accidental deletion, etc.
There's an old adage "If you think education is expensive, try ignorance" to which I would add "backup early and often".
Wit is intellect, dancing.
(Score: 1) by fustakrakich on Friday June 28 2019, @02:27AM
Cost/benefit... but to whom?
The accountants. We gave all our power to them, and have given up all oversight. The technical stuff is trivial, though unobtainable due to those fundamental flaws.
La politica e i criminali sono la stessa cosa..
(Score: 2) by bradley13 on Friday June 28 2019, @08:03AM
What you say is, of course, obvious. Backups, including off-site backups.
The thing is: have you ever worked with really small, non-technical organizations? I can't speak to these specific towns, but in general: small organizations run on very tight budgets. If they are non-technical, then they have relatively little IT, and what they do have is even more underfunded.
Take the kind of IT person that they can hire, put too many demands on their time, and what kind of backup system will you get? In the best case, they will set up something that is mostly automated. Plus maybe a backup medium that can be swapped out to provide offsite. Only: an automated solution is by definition attached to the network - and hence vulnerable. And the offsite swapping? That requires human intervention, and will be done irregularly at best.
I work with a lot of tiny organizations. I know of two small examples where exactly this kind of thing was set up, and ran absolutely smoothly. The person who set up all the automation moved on to some other position, and - probably because the system ran so automatically - no one really took on the responsibility for it. When disaster struck, it turned out that something had tripped up the backup process and there were no recent backups after all. In those cases, it was hardware failure rather than ransomware, but the result is much the same.
It's easy for us to criticize, but these organizations don't have the technical focus - and maybe not the money - to pay for the kind of IT support that they actually need. This may be the best argument there is for a cloud solution. Yes, there are all sorts of privacy concerns, but at least a cloud provider has the resources, expertise and motivation to manage their infrastructure, make backups, etc...
Everyone is somebody else's weirdo.
(Score: 0) by Anonymous Coward on Friday June 28 2019, @02:22AM
They should have hired their own hackers for much less.
(Score: 0) by Anonymous Coward on Friday June 28 2019, @06:25PM
so instead of being forced to deal with their completely negligent and incompetent IT infrastructure when subjected to this "hack", they are allowed to steal more money from the people and pay off the attackers? how about burning city hall down (with these fat fucks inside) instead?