US city balks at paying $5.3 million ransomware demand
It’s easy to assume that ransomware has become so unstoppable that criminals can almost name their price to reverse attacks.
While there is evidence that many victims pay up, it looks as if a growing number don’t, either negotiating a smaller ransom or simply refusing to play ball.
One organisation that decided it wanted to be in the latter camp is the city of New Bedford in Massachusetts, which has released details of an attack by a variant of the Ryuk ransomware in the early hours of 5 July 2019.
The attack quickly encrypted 158 workstations (4% of the city’s computers) but would have been even worse had it struck later in the day when more computers were turned on, the City now admits.
Departments such as fire, police and emergency 911 dispatch were unaffected, helped by engineers quickly disconnecting other systems to stop the infection spreading. Even so, that left the arduous task of rebuilding the network and restoring applications – that still continues two months on.
When consultants employed by the City reached out to the attackers by email, they were met with a demand for Bitcoins equivalent to $5.3 million. New Bedford Mayor, Jon Mitchel, said in a video account of the attack:
While I am generally averse to engaging in negotiations of this kind, I concluded it would be irresponsible to dismiss out of hand the possibility of obtaining a decryption key.
The City had insurance coverage for ransom payments, he said, and reasoned that negotiations would buy time to mitigate any follow-up attack.
When he made a counteroffer of $400,000 in line with the current going rate of ransomware attacks of this kind, the attackers stuck to their original, inflated demand.
Result? Negotiations stopped, the attackers got nothing, and the City resolved to undo the damage on its own.