For the second week in a row, a small Florida city has agreed to pay cyber criminals hundreds of thousands of dollars after a ransomware attack crippled city systems.
The council in Lake City, a community of about 12,000 people west of Jacksonville, approved during an emergency meeting Monday night a bitcoin payment worth about $462,000 by the city’s insurer. This follows a vote a week earlier in Riviera Beach, a city of about 34,000 near West Palm Beach, in which the council authorized its insurance carrier to pay about $600,000.
The hefty tabs are the latest sign of how hackers are hitting cities indiscriminately while raising the stakes with big-dollar demands. In the case of Riviera Beach, the ransom was nearly 12 times the size of one the city of Atlanta refused to pay last year.
Six-figure ransom demands are becoming more common, whereas they averaged several thousand dollars just a few years ago, said Larry Ponemon, whose Michigan research company, the Ponemon Institute, focuses on information security and has advised cities that were hacked.
“There are a lot of copycats out there, and they figure they’re going to ride the gravy train,” he said.
Ransomware attackers are hitting both companies and cities with regularity by finding vulnerabilities in their systems, often by sending malicious email attachments, locking up vital data and demanding payments in return for decryption keys.
These attacks happen every day and many are never publicized, cybersecurity professionals say. Local governments can be particularly vulnerable if they lack resources to upgrade equipment and security and protect backup data.
“We do see an increased frequency against municipalities,” said Michael Tanenbaum, head of North America cyber and professional liability at insurance giant Chubb.
The Federal Bureau of Investigation advises against paying hackers, saying there is no guarantee they will release data and warning that victims could be targeted again or asked to pay even more money for decryption keys. In addition, the FBI says, paying only encourages more attacks.
But some ransomware victims say hackers’ ability to infiltrate backup data left them little choice but to pay. In March Jackson County, Ga., paid $400,000 from its $10.5 million rainy-day fund after realizing a cyberattack had compromised its backups.
“I thought we had a backup, but obviously we didn’t have a good enough backup for this kind of attack,” said Joe Helfenberger, city manager in Lake City. “Fortunately, we had all the financial data backed up properly off-site, so that wasn’t affected, but pretty much everything else was.”
Big payouts by local governments are emboldening hackers to jack up their demands, Mr. Ponemon said, citing comments he has read on the dark web, a section of the internet where users can operate anonymously. At the same time, he said, changes to some ransomware tools make it harder for victims to spot and contain the threat before it is too late.
“That might explain why the ransom is going up: The bad guys can get away with it,” he said.
Riviera Beach got hit on May 29, leading to a council vote on June 17 to authorize the city’s insurer to pay the ransom. A spokesman for the city said Wednesday the payment has been made and that the decryption keys the city received are working.
Florida League of Cities, which facilitates cybersecurity coverage through an insurance carrier for Lake City and hundreds of other cities, helped decide to pay the ransom. A cybersecurity firm helped analyze the attack and dealt with paying off the attackers, according to Eric Hartwell, deputy general counsel and insurance counsel at the league. Lake City only has to pay a $10,000 deductible.
The event there began June 10 with what the city described as a “triple threat” malware attack, then escalated with a ransom demand last week, the city said in a news release. The attack knocked out email and hindered city services, and people had to temporarily pay utility bills on terminals at the police station, the city manager said. The attack included a ransomware variant called Ryuk that is known for hefty ransom demands.
Emergency services weren’t affected. But Lake City authorities worried they wouldn’t be able to access encrypted files such as ordinances, public-record requests and utility information, Mr. Helfenberger said.
Some cyberattack victims have refused to pay comparatively modest ransoms. Officials in Baltimore, hit by a disruptive attack in early May, rejected a $76,000 demand, in part because the city still would have incurred major costs to restore systems, ensure they weren’t still infected and bolster defenses.
Baltimore officials estimate its attack will cost at least $18 million, including IT costs and lost revenue. A spokesman for Mayor Bernard C. “Jack” Young said Wednesday most city employees have regained access to email and data, though the city’s online payment system remains down and the city still can’t issue water bills.