The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.
At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.
Embarrassingly for the council workers, they were first warned that hackers had infiltrated a Windows 10 PC connected to their IT systems in late May by security blogger Brian Krebs.
Krebs says that he alerted “numerous officials” that criminals specialising in deploying ransomware had compromised their network and – if not stopped – might launch a more widespread attack.
It appears, however, that the Florence city council failed to successfully expel the hackers, who activated their DoppelPaymer ransomware on the city’s IT systems on June 5th.
At the time, Florence Mayor Steve Holt told the media that the city’s email system had been shut down, but that no ransom had been demanded, and officials did not believe that any information had been lost.
Less than a week later the City of Florence realises that things are more serious. As Mayor Steve Holt told journalists, money from the city’s insurance fund will be used to pay the hackers’ ransom demands:
“We began taking every precaution we could possibly take, and then on June 5 it actually hit us. It appears they may have been in our system since early May – over a month going through our system.”
“It’s a roll of the dice for us to say ‘nope we’re not doing that,’ and if they actually have our information in their possession they can send it publicly. This unfortunately is a response on our part to pay to make sure they delete it.”
Quite how the council will be able to 100% confirm that the hackers have permanently erased any data they have stolen is unclear, but the gang behind the DoppelPaymer ransomware is reputed to keep its word and not release data after a ransom has been paid.
The same DoppelPaymer ransomware has recently struck NASA contractor Digital Management Inc (DMI) and previously hit the city of Torrance, in the South Bay region of Los Angeles.
Unfortunately Florence is not the only US city to find itself dealing with the aftermath of a ransomware infection this week.
The city of Knoxville, Tennessee, shut down its computer systems after ransomware encrypted its systems in the early hours of Thursday.
In social media posts, the public were advised that court sessions were cancelled as a result of the computer network being offline.
A post on the city’s official website, meanwhile, warns the city’s 180,000 residents that “City online services are currently unavailable.”
A spokesperson said that the FBI had been informed of the attack, which was first spotted by employees of the fire department at approximately 4:30am on June 11th.
Knoxville officials have declined to make public the size of the ransom demand they have received, and no information has been shared about the type of ransomware that was involved.
Cities and government departments are on the horns of a dilemma when it comes to ransomware attacks.
The risk when you give in to an extortionist’s ransomware demand is that you are encouraging other criminals to launch similar attacks. A strong message is sent out to other attackers that organisations are prepared to pay a ransom if hit by ransomware. And that, inevitably, means more ransomware attacks for all of us to fend off.
But at the same time, attacked councils may feel that there is less of a financial hit paying their ransomware attacker than trying to recover from an infection. And if the ransomware attack has also stolen data from an organisation – which the most pernicious strains of ransomware do today – then you may feel that you are protecting your citizens better by at least trying to stop their possibly sensitive data from being leaked to the outside world.
In July last year, a resolution was passed by the United States Conference of Mayors (USCM) agreeing to “stand united against paying ransoms in the event of an IT security breach.”
Judging by the decision made unanimously this week by the emergency meeting of the City of Florence, Alabama, that is a resolution which some cities are choosing to ignore.