The ransomware dilemma: To pay or not to pay?

Ransomware victims face a "devil's bargain" over paying demands.

Everyone says you shouldn't pay hackers. But it's not always that simple.

Ransomware victims often find themselves in what feels like an impossible position: There are endless decisions to be made, but it's a race against the clock to save computer systems and data.

That's what New Orleans city officials learned firsthand in the early morning hours on a Friday in December. At 6 a.m., there was a blip of suspicious activity on the city's cybersecurity alert system — not a definite sign of attack, but an early warning of what would come, the city's chief information officer Kim Walker LaGrue recounted in an interview with Protocol. At about 9 a.m., when many city employees started arriving to work, there was an uptick in reports of unusual behavior on their computers.

By 11 a.m., the diagnosis was clear: Ransomware was spreading through the network. The malicious code was encrypting devices and information, rendering them inaccessible unless city officials decided to contact the attackers. Presumably, they would then get instructions about paying a ransom.

City officials had a game plan in place to guide them through some of the toughest decisions ransomware victims face — the biggest being whether or not to pay the demand. The Louisiana state government and three of its school districts were hit by two separate ransomware attacks in 2019, so New Orleans officials had prepared and rehearsed an incident response plan.

The first step LaGrue took — before she even consulted with the mayor — was to disconnect all city systems from the internet. More than 3,000 computers and 400 servers were shut down to prevent the malicious code from spreading, she said.

"We sounded every type of alarm we could," LaGrue said. The city declared a state of emergency within about 30 minutes of identifying the attack, she added. Within an hour, the FBI and other state and federal agencies were on the ground to help respond to the attack. Normal lines of communication — including the city's email system — were inaccessible, and a war room was set up to help relay information.

City officials knew early on that they would not engage with the attackers and that no ransom would be paid. The U.S. Conference of Mayors, of which New Orleans Mayor LaToya Cantrell is a member, last year adopted a resolution opposing such payments after cities including Baltimore and Atlanta were hit by ransomware attacks. Additionally, the FBI discourages organizations from paying ransomware demands, arguing that it incentivizes crime, emboldens attackers and is sometimes futile — attackers on occasion don't decrypt the data after a payment is made.

Because it didn't pay the attackers, New Orleans is still recovering; LaGrue estimates that it will take another four months to make a full recovery. So far, her staff has focused on restoring key priorities. The first step was inspecting and cleaning thousands of government computers, and removing ones that were too old to run up-to-date software, she said. Over the last month, the city has focused on restoring data from backups, as well as services including email and printing. Over the last few weeks, the city's IT staff has been particularly focused on assisting the city's infrastructure and public safety agencies in their preparations for Mardi Gras on Tuesday.

The financial impact of the attack is still uncertain. A city spokesperson said that the current estimated cost of the attack is $7.2 million, adding that he "wouldn't be shocked if it got higher." The city has a $3 million cyber insurance policy that will help cover some of the costs, which include replacing between 500 and 800 computers as a result of the incident, LaGrue said. The city is planning to add three cybersecurity specialists to its IT staff, which currently includes 65 workers, she said.

Ransomware has been a rapidly growing problem for all types of organizations, including Fortune 500 firms and small nonprofits. The antimalware firm Malwarebytes said in August that it observed a roughly 365% spike in ransomware detections between 2018 and 2019. Municipalities, educational institutions and health care organizations are prime targets for ransomware attacks due to their lack of spending on security and outdated hardware and software, according to the report.

Because ransomware affects a range of organizations, the decision to pay can't be one-size-fits-all, according to Chris Hallenbeck, CISO for the Americas at cybersecurity firm Tanium.

"In an ideal world, no one pays the ransom," he said. "It's feeding the beast and creating an ecosystem that encourages criminals. But the reality of many organizations is that every day they're down there's massive impacts to the services they provide."

Overall, about a third of companies pay the ransom, according to security firm Emsisoft.

Which brings us to Maastricht University in the Netherlands, a recent example of an organization that decided to pay a demand after falling victim to ransomware. On Dec. 30, the university decided to pay 30 bitcoin, or about $305,000, to regain access to its systems and data.

Several factors made the attack particularly disruptive, and increased the university's incentives to pay the demand, according to a forensic report from FOX-IT, the security firm that assisted with the incident. A key factor was that attackers were able to encrypt backups for some of the university's critical systems. That meant that, without obtaining a decryption key from the attackers, the university would have to rebuild its infected systems from scratch — a process that would stall the work of students and researchers for many months. Additionally, unlike New Orleans, Maastricht University did not carry cyber insurance to help cover the costs of lengthy disruptions.

The attacker had access to the university's infrastructure for months and studied it to figure out how to maximize damage. They first gained access through a phishing email on Oct. 15 that instructed someone in the university community to sign an attached document and scan it back to the sender. Upon clicking the attachment, malware was installed that gave the attacker administrative access to the device.

On Nov. 21, while scanning the university's network, the attacker found a server with missing security updates and used it to obtain full access to the organization's infrastructure. On Dec. 23, the attacker deployed the Clop ransomware variant on 267 servers. The timing was particularly challenging for the university: Most faculty, students and support staff were away for the holiday break. Employees from IT, facilities, communications and a range of other departments had to skip part of their holiday to respond to the emergency, according to a spokesperson. One week after the ransomware was installed, the university decided to pay the ransom.

Nick Bos, vice president of the university's executive board, said in the report that the decision to pay the demand was a "devil's bargain": The university would have to live with the ethical issues that come from paying criminals in order to resume operations, research and studies.

At a symposium this month attended by students and faculty, Bos said the risks of losing the data were so great that the university did not attempt to negotiate with the attackers; administrators wanted the process to be as calm as possible, he said.

Bos said he was confident that paying the demand was the right choice. About five weeks after paying the demand, students and faculty were able to access almost all of the university's technologies, as well as attend classes and take exams.

"We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff," Bos said in the report.
