Ransomware attacks are said to be a $1 billion industry. Worldwide, a ransomware attack happens every 40 seconds. So, do you pay the ransom or lose the data?
Employees at the Treasury Department at Wasaga Beach Town Hall in Ontario, Canada, walked into their office one Monday morning in April 2018, booted up their computers to begin their workday, and immediately noticed something strange.
Department head Jocelyn Lee was being told by her employees that a lot of things were missing.
Jocelyn Lee: “They noticed that they could not access their systems. That files would not open. Some people would try to open a file and it would be blank. It was clear that something was unusual there when you looked at the folder.”
It wasn’t just the treasury department computers that were acting weird. That morning, other town employees discovered files on their computers with strange names and folders that should be full of Word documents and Excel spreadsheets, but were completely empty. Some employees were locked out of their computers entirely.
“And a couple of the computers did have a message on the screen that said that all the data was locked and that you needed to contact this email address in order to get your data back. That’s the ransom note.”
Newscasters: “MUNI hacked” “Hackers got into the emergency notification system” “City employees are being asked to stay off of their computers after a massive cyber attack”
Wasaga Beach had been hit with a ransomware attack, a type of computer virus that locks up computer data behind a wall of encryption. Perpetrated by hacker groups, these attacks hold a computer hostage and demand payment in exchange for unlocking your data.
Ransomware attacks have become a major threat to computer networks everywhere in recent years. Countless major companies have been hit by attacks: FedEx, the shipping giant Maersk, Nissan. This form of digital extortion has been estimated to be a $1 billion industry.
But Wasaga Beach isn’t some large multinational corporation. It’s a small retirement community on the shores of Lake Huron. Their primary functions include supplying the town’s water and plowing the roads when it snows. Municipalities like Wasaga Beach aren’t exactly flush with cash, but ransomware has become such an incredibly effective tool of extortion that hackers have begun to troll cyberspace looking for any targets, large or small.
At town hall, no one could access anything. Services like the Fire Department and 911 remained operational, but the town couldn’t tell which residents had paid their water bill or who owed money on their property taxes. Not the sexiest hostage situation, but the hackers had all the essential data that made up the proverbial boring low hum of a functioning town government.
Jocelyn: “You have all your records, all your official town records are all locked.”
Hackers had successfully held Wasaga Beach’s computers hostage and Jocelyn’s bosses faced the biggest question when it comes to ransomware: should they pay up?
The first thing you need to know is that ransomware isn’t new; what is new is that it’s happening everywhere, all the time. Worldwide, a ransomware attack occurs every 40 seconds.
The first documented ransomware attack occurred in 1989. Harvard biologist Joseph Popp mailed out 20,000 floppy disks to researchers ahead of the World Health Organization’s AIDS conference. They contained a survey about AIDS risk factors. But buried in the code was a virus that took over a victim’s hard drive and demanded that $189 be coughed up to restore the computer. Popp paradoxically claimed the extortion was meant to raise money for AIDS research itself, but this new form of attack left the researchers in a panic. An Italian institute reportedly lost 10 years’ worth of research trying to restore their data.
Modern ransomware attacks follow a similar tactic. The virus is sent as an email attachment or in a link that tricks the recipient into opening it and infecting their machine. These phishing attacks rely on the same social engineering tactics that con artists have used forever, luring victims into a false sense of security by appearing completely legit. Once infected, a message appears with instructions on how to contact the hackers and pay. After the ransom’s been paid, hackers supply decryption keys that unlock that data.
The biggest contributor to the recent rise of ransomware has been cryptocurrency. Before, the fundamental problem with ransomware was the hacker’s ability to get paid. Popp directed his victims in 1989 to mail cash to a PO Box in Panama. But with cryptocurrencies like Bitcoin, payments can be quick and, most importantly, anonymous.
Cities have become an appealing target mostly because they often operate out-of-date computer networks with pretty poor cybersecurity to prevent threats. San Francisco had its transit system hacked in 2016, forcing the city to offer free rides for two days.
Newscaster: “Riders will notice a few things. The metro gates at several stations are wide open right now.”
Dallas had their emergency alert system hacked, allowing hackers to activate their 156-siren tornado alert system for an hour and a half.
Jake Williams is a cybersecurity consultant who helps municipalities navigate a ransomware attack after they’ve been hit. While not headline-grabbing, he says attacks can have real-world consequences.
Jake Williams: “When General Electric or Best Buy or whoever gets hit with ransomware, unless you work there explicitly, nobody cares. But suddenly when your town can no longer provide water services or EMS is now three minutes slower per call, there's a huge issue there.”
“We had one where for a week they didn’t let anybody out of jail because they didn’t know who was supposed to get out of jail when, because they didn’t have the records.”
One of the most publicized ransomware hacks came in March of 2018, when the city of Atlanta was hit by a massive ransomware attack.
Mayor Keisha Lance Bottoms: “As you all know Atlanta is experiencing outages”
A notorious hacker group called SamSam wormed its way through the city’s entire computer network and crippled it. The municipal court system was forced to close, online payments for city services were offline, and the police department lost dozens of archived dashcam videos.
The hackers’ asking price? $50,000.
Reporter: “Is the city of Atlanta going to pay the ransom?” Mayor Keisha Lance Bottoms: “We can’t speak to that right now”
Hackers have gotten very good at understanding how much a city would be willing to pay to recover their data. They often demand what victims might consider a reasonable sum of money, making paying far more appealing than trying to recover your data yourself. In Wasaga Beach, it was Jocelyn who became the de facto hostage negotiator to find out the hackers’ demands.
Jocelyn: “I never thought I’d have to do that. I can say that.”
“They were polite. They were definitely experienced and I would describe the communication as a typical business communication.”
“They gave instructions on how you would proceed and they gave step-by-step.”
Hackers know the position towns are in and do their best to make paying the ransom the easiest option.
Jake Williams: “I think in the movies we picture that these attackers are the big bad ‘F.U.’ type guys.”
Jake Williams: “Over the last couple of years we’ve seen a move toward full customer service. Honestly, I wish my Internet Service Provider had customer service like these guys do.”
But saying no to hackers often comes down to just how important it is to you to get your data back.
Jake Williams: “Some factors you would want to consider I think is: what’s been encrypted? Do you have backups available? And another big question is does your town or city charter, does it even allow you to pay that?”
“Most of them don’t have any IT infrastructure to speak of so in a vast majority of cases it’s pay or don’t get your stuff back.”
Plus the sheer cost of building your computer network from scratch often far outweighs the ransom demands. Atlanta reportedly ended up spending $2.6 million to update their computer network and deal with the fallout from the SamSam attack.
Wasaga Beach paid the ransom, but they can't say how much until they can present the town council with a report on the incident.
It took over to decrypt the town's files, but Wasaga Beach recovered almost all of their data and soon after it was like the hack never happened
Jocelyn: “You walk around now and you would never know that about a month ago we couldn’t access our data. It’s come and gone.”
The FBI has published guidelines for dealing with a ransomware attack. They suggest you do not pay; however, they even admit that holding your nose and paying off the hackers might be the most viable option for some organizations. That doesn’t make the situation any easier.
Jocelyn: “You’re dealing with total strangers. You’re handing them money hoping that they’ll give you back the key.”