According to experts, many municipalities attacked with ransomware do not have many options when facing such an incident
The city of West Haven, Connecticut, made the difficult decision to pay a cybercriminal group a ransom of $2k USD after its infrastructure was attacked with a malicious program that crippled its operations, as reported by digital forensics specialists from the International Institute of Cyber Security.
The West Haven authorities mentioned that their offices were victims of a ransomware attack originated from outside the United States, according to the investigation conducted by the US Department of Homeland Security (DHS). According to Mayor Nancy Rossi, the attack, held on Tuesday of last week, disabled 23 servers, after which the officials decided to pay the amount requested by the attackers to unlock the servers. The payment was made in Bitcoin.
“The attack occurred between 2:49 p.m. and 3:16 a.m. last Tuesday”, said the mayor in a statement. “Our IT manager, David W. Richards, notified the city hall, the local police and the federal authorities”.
Rossi added, “Restoring data from one of our critical systems occurred shortly after the transaction was complete”.
Last week a similar incident arose against the Onslow Water and Sewerage Authority (ONWASA). The attack, which occurred last week, was perpetrated using a “sophisticated ransomware”, limiting the capabilities of the institution’s computer systems, as reported by experts in digital forensics. Unlike the attack on West Haven, this time the authorities chose not to pay the ransom demanded.
ONWASA mentioned that an email from hackers was received, who are also believed to be located outside the United States. The office didn’t mention the ransom fee, but they decided not to pay it. Instead, a team of local, state, and federal agencies is cooperating to restore the attacked systems, according to company reports.
Often, ransomware is used to cover up other criminal activities. For example, attackers can use the attack as a distraction to make copies of the encrypted data. A cybercriminal could also open a backdoor in the attacked system. According to the two recently attacked organizations, their data is not compromised.
These two incidents seem to show an increase in cyber actions against municipal structures. On October 17, the city of Muscatine, Iowa, reported that its financial servers were attacked with ransomware; the scarce details available include that the city’s IT staff is trying to “isolate the compromised servers” and restore their operations. In addition, the Indiana National Guard said that a server with sensitive information from civilian and military personnel had been encrypted with ransomware.
Pay or not to pay the ransom?
The decision to pay or not to pay has to do with individual circumstances. “Any organization, private or public, needs to evaluate and determine its ability to resolve such incidents”, says Thomas Pore, an information security expert. “How much does it cost an organization to interrupt its operations for a ransomware attack? Understanding the real impact of the attack will help decision makers to implement strategic solutions to overcome incidents like this”, he says.
“Ransomware victims must refrain from making any payments unless it is a life or death situation”, considers Joseph Carson, a digital forensics expert. “Paying this cybercriminals will only enrich them and encourage the development of more advanced malicious tools. Moreover, the lack of backup also affects organizations”.
Digital forensics specialists from the International Institute of Cyber Security consider that paying for the release of encrypted files with ransomware is a risky bet, as there is no guarantee that the cybercriminals will restore the compromised files or systems once the payment is made, so it is best to prevent such attacks as far as possible, making the members of the organizations aware of cybersecurity risks and creating backups of their sensitive information.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.