If you run a hospital, a bank, a utility or a city, chances are you'll be hit with a ransomware attack. Given the choice between losing your precious data or paying up, chances are you'll pay.
Why it matters: Paying the hackers is the clear short-term answer for most organizations hit with these devastating attacks, but it's a long-term societal disaster, encouraging hackers to continue their lucrative extortion schemes.
Driving the news: Colonial Pipeline paid hackers almost $5 million in ransom to restore its systems and get gasoline flowing again after a ransomware attack held the country's largest pipeline hostage, which resulted in widespread disruption of gasoline supply.
The big picture: "This creates a collective action problem — the bad guys win so they'll go out and hit someone else," said Betsy Cooper, director of Aspen Tech Policy Hub at the Aspen Institute.
- "As an organization, you have to take into account the immediate costs versus the cost of your data. The less prepared you are, the worse it's going to be."
Threat level: Code red. Negotiating can backfire.
- Last week, foreign hackers released sensitive files they stole from the Washington D.C. police department last month, after the department offered to pay $100,000 rather than the $4 million that was demanded to return the data, DCist reported.
- The hackers reportedly said they'd keep the files public for months, even if the police department offered more than the original ransom.
Of note: The outfit responsible for the Colonial Pipeline attack announced it was shutting down Friday, but there's no sign the larger problem will abate.
- That same day, Ireland shut down its health care system's networks because of another ransomware attack.
By the numbers: Payments to ransomware attackers rose 337% from 2019 to 2020, reaching more than $400 million worth of cryptocurrency, according to figures just released by Chainalysis, a blockchain analysis company.
- So far in 2021, hackers have raked in more than $81 million.
- The average ransom payment has risen from $12,000 in the fourth quarter of 2019 to $54,000 in the first quarter of this year.
- Chainalysis notes these figures are conservative because they are based on reported attacks and payments.
Many attacks at the local level go unreported and unnoticed. Attack disclosure requirements vary state by state.
Zoom in: A hospital near Kansas City, Mo., fell victim to an attack, paid the ransom, and then had to ask the city's government for help making payroll, Mayor Quinton Lucas told Axios.
"It's odd how under-discussed [cybersecurity] is when we talk about infrastructure," Lucas said.
- "The challenge is not necessarily City Hall getting attacked, it's all the institutions that make up a city — the police department, banks, health systems — that all have different security companies working for them."
The irony: While having several different systems may seem inefficient, it disaggregates the risk, Cooper said.
- "If you put all your eggs in one vendor's basket, if that vendor has a flaw, then everything that's touched by that vendor will be affected." she said.
- "Just like you probably don't put all your money into one bank account, you probably shouldn't put all your security with one company," she said.
Between the lines: State and city governments are particularly vulnerable to attacks because it's well-known that public agencies often rely on outdated systems with less robust security defenses.
- Stimulus funds flowing to states and municipalities could make them attractive targets for hackers.
- While infrastructure funding is a big topic of conversation in Washington and states, it often comes in the form of grants for a specific purpose, like to repair roads or fix a bridge. Upgrading software and system security is often not thought of in the infrastructure category, and instead tackled separately every five or so years.
- Prompted by the Colonial Pipeline crisis, the Biden administration issued an executive order last week to encourage data IT data sharing and implement stronger security standards. But it applies to federal agencies and contractors, not the local level.
- A bipartisan group of House members is proposing to create a $500 million grant program for state and local government cybersecurity upgrades.
Companies that sell services to local governments are also attractive targets. In February, a ransomware attack hit widely used payment processor Automatic Funds Transfer Services.
- The cybercrime operation known as "Cuba Ransomware" sold the stolen data, including personal addresses and other billing information, on the web, security site BleepingComputer reported.
- The hack triggered data breach notifications from dozens of cities and agencies in California and Washington state.
Zoom in again: Last February, New Orleans was hit with a massive ransomware attack that crippled the city government. After the attack, the city weeded out old systems and machines, update files and install new software.
Then the pandemic hit, and the city had to quickly go fully remote — but it was ready.
- "In that way, the cyber attack ended up being a huge blessing in disguise," said Liana Elliot, deputy chief of staff to Mayor LaToya Cantrell.
Upgrading its systems should have been done much sooner, Elliot said, but there was no money or political will — until the attack.
- "Cities often can't do the things we need to do unless there's a crisis," she said.
- New Orleans later upped its cyber insurance policy to $10 million.
What to watch: Ransomware groups are getting more hostile and are less likely to restore systems, even when they are paid the ransom, according to Accenture's latest report on cyber threats.