Adam Janofsky
Power

The ransomware dilemma: To pay or not to pay?

Ransomware victims face a "devil's bargain" over paying demands.


Everyone says you shouldn't pay hackers. But it's not always that simple.

Photo: Alexander Ryumin via Getty Images

Ransomware victims often find themselves in what feels like an impossible position: There are endless decisions to be made, but it's a race against the clock to save computer systems and data.

That's what New Orleans city officials learned firsthand in the early morning hours on a Friday in December. At 6 a.m., there was a blip of suspicious activity on the city's cybersecurity alert system — not a definite sign of attack, but an early warning of what would come, the city's chief information officer Kim Walker LaGrue recounted in an interview with Protocol. At about 9 a.m., when many city employees started arriving to work, there was an uptick in reports of unusual behavior on their computers.


By 11 a.m., the diagnosis was clear: Ransomware was spreading through the network. The malicious code was encrypting devices and information, rendering them inaccessible unless city officials decided to contact the attackers. Presumably, they would then get instructions about paying a ransom.

City officials had a game plan in place to guide them through some of the toughest decisions ransomware victims face — the biggest being whether or not to pay the demand. The Louisiana state government and three of its school districts were hit by two separate ransomware attacks in 2019, so New Orleans officials had prepared and rehearsed an incident response plan.

The first step LaGrue took — before she even consulted with the mayor — was to disconnect all city systems from the internet. More than 3,000 computers and 400 servers were shut down to prevent the malicious code from spreading, she said.

"We sounded every type of alarm we could," LaGrue said. The city declared a state of emergency within about 30 minutes of identifying the attack, she added. Within an hour, the FBI and other state and federal agencies were on the ground to help respond to the attack. Normal lines of communication — including the city's email system — were inaccessible, and a war room was set up to help relay information.

City officials knew early on that they would not engage with the attackers and that no ransom would be paid. The U.S. Conference of Mayors, of which New Orleans Mayor LaToya Cantrell is a member, last year adopted a resolution opposing such payments after cities including Baltimore and Atlanta were hit by ransomware attacks. Additionally, the FBI discourages organizations from paying ransomware demands, arguing that it incentivizes crime, emboldens attackers and is sometimes futile — attackers on occasion don't decrypt the data after a payment is made.

Because it didn't pay the attackers, New Orleans is still recovering; LaGrue estimates that it will take another four months to make a full recovery. So far, her staff has focused on restoring key priorities. The first step was inspecting and cleaning thousands of government computers, and removing ones that were too old to run up-to-date software, she said. Over the last month, the city has focused on restoring data from backups, as well as services including email and printing. Over the last few weeks, the city's IT staff has been particularly focused on assisting the city's infrastructure and public safety agencies in their preparations for Mardi Gras on Tuesday.

The financial impact of the attack is still uncertain. A city spokesperson said that the current estimated cost of the attack is $7.2 million, adding that he "wouldn't be shocked if it got higher." The city has a $3 million cyber insurance policy that will help cover some of the costs, which include replacing between 500 and 800 computers as a result of the incident, LaGrue said. The city is planning to add three cybersecurity specialists to its IT staff, which currently includes 65 workers, she said.

Ransomware has been a rapidly growing problem for all types of organizations, including Fortune 500 firms and small nonprofits. The antimalware firm Malwarebytes said in August that it observed a roughly 365% spike in ransomware detections between 2018 and 2019. Municipalities, educational institutions and health care organizations are prime targets for ransomware attacks due to their lack of spending on security and outdated hardware and software, according to the report.

Because ransomware affects a range of organizations, the decision to pay can't be one-size-fits-all, according to Chris Hallenbeck, CISO for the Americas at cybersecurity firm Tanium.

"In an ideal world, no one pays the ransom," he said. "It's feeding the beast and creating an ecosystem that encourages criminals. But the reality of many organizations is that every day they're down there's massive impacts to the services they provide."

Overall, about a third of companies pay the ransom, according to security firm Emsisoft.

Which brings us to Maastricht University in the Netherlands, a recent example of an organization that decided to pay a demand after falling victim to ransomware. On Dec. 30, the university decided to pay 30 bitcoin, or about $305,000, to regain access to its systems and data.

Several factors made the attack particularly disruptive, and increased the university's incentives to pay the demand, according to a forensic report from FOX-IT, the security firm that assisted with the incident. A key factor was that attackers were able to encrypt backups for some of the university's critical systems. That meant that, without obtaining a decryption key from the attackers, the university would have to rebuild its infected systems from scratch — a process that would stall the work of students and researchers for many months. Additionally, unlike New Orleans, Maastricht University did not carry cyber insurance to help cover the costs of lengthy disruptions.

The attacker had access to the university's infrastructure for months and studied it to figure out how to maximize damage. The attacker first gained access through a phishing email on Oct. 15 that instructed someone in the university community to sign an attached document and scan it back to the sender. Upon clicking the attachment, malware was installed that gave the attacker administrative access to the device.

On Nov. 21, while scanning the university's network, the attacker found a server with missing security updates and used it to obtain full access to the organization's infrastructure. On Dec. 23, the attacker deployed the Clop ransomware variant on 267 servers. The timing was particularly challenging for the university: Most faculty, students and support staff were away for the holiday break. Employees from IT, facilities, communications and a range of other departments had to skip part of their holiday to respond to the emergency, according to a spokesperson. One week after the ransomware was installed, the university decided to pay the ransom.

Nick Bos, vice president of the university's executive board, said in the report that the decision to pay the demand was a "devil's bargain": The university would have to live with the ethical issues that come from paying criminals in order to resume operations, research and studies.

At a symposium this month attended by students and faculty, Bos said the risks of losing the data were so great that the university did not attempt to negotiate with the attackers; administrators wanted the process to be as calm as possible, he said.

Bos said he was confident that paying the demand was the right choice. About five weeks after paying the demand, students and faculty were able to access almost all of the university's technologies, as well as attend classes and take exams.

"We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff," Bos said in the report.
