Pay or no-pay, the city’s actions thus far are blood in the water for the “private sector” of the hacking economy
It has been more than two weeks since a ransomware attack penetrated Baltimore’s defenses and took the city’s network hostage. And still another month might not be enough time for city officials and IT teams to bring the city back to 100%.
Some major sources of commerce and revenue have been significantly impacted, including billing systems for city water, parking and small traffic citations. Lien services were taken offline, which delayed 1,500 pending home sales. City email was out for almost two weeks and was only restored on May 23, the day before we drafted this report. They weren’t exactly bombed back to the Stone Age, but city officials are feeling the loss.
As damages, lost income and IT expenses pile far higher than the $100,000 asked as ransom payment, Mayor Bernard C. Young (friends call him Jack) indicated that he was thinking about giving the money to the hijackers. “Right now, I say no. But in order to move the city forward? I might think about it. But I have not made a decision yet.”
Mayor Young took office only days before the attack was reported, so his slip is understandable. You might even empathize with a $100,000 payment to make it stop. However, the implications of his waffling will ripple through cybercriminal communities for years.
The ransomware city attack trend started before Baltimore, but numerous payoffs have thrown gasoline on the fire
Atlanta was hit in March 2018. Then, one year later, two counties suffered attacks: first Jackson County, GA, then Orange County, NC. Jackson capitulated and forked over $400,000 to lift the ransom. That payment could be a reason why we have seen two attacks in the last two months.
Orange County did not pay off the criminals this time. However, there is reason to believe they did choose the ransom option at some point. This last attack was the third in the last six years. Why would they continue to be a target if they never gave in?
The ransomware trend shows that every ransom payment accomplishes one good and three evils. The good is short-term normalcy. This can actually be a pretty big win as it would be in Baltimore’s case. But it only takes a moment to see how far the bad outweighs the good.
Think in terms of risk and reward, as you would for a small or mid-sized business. Remember that cybercriminals no longer work alone. We have extensive evidence of sophisticated, structured organizations working diligently to develop and exploit emerging attack vectors.
But if you are thinking government organizations from China or Russia, think again. It is true that until recently cities were targeted by government organizations. But the goal of government orgs is not to lift a few thousand dollars. Government orgs already have funding; they don’t ask for payment. These attacks indicate a culprit from the “private sector” of the hacker economy, most likely a fairly small player considering the ransom amount.
Baltimore was just that easy to crack. The malware used is called RobbinHood, which is merely the latest variant to go round the world; almost anyone could obtain it. These cities are not succumbing to government-funded groups but to private organizations operating from within an anti-economy.
That is what makes Mayor Young’s response so critically wrong. Ransom payments become revenue for the hacker org. When a venture is profitable, the business will respond with further investment because they want to reap more reward.
“Successful” ransoms also spur other organizations within the community to copy previous attacks. It is like any competitive industry.
What makes a city vulnerable to smaller hacker “businesses?”
In Baltimore’s case, the easier question would be, “What didn’t make Baltimore a prime target?”
Baltimore’s IT department ekes by on half the funding of other cities of its size, according to Sean Gallagher for Ars Technica. They did not even have a Disaster Recovery Plan in place, which is like not knowing the ABCs of your own cyberdefense.
It’s a matter of priorities. When budgets are tight, basic functionality is the priority. Cyberdefense is often one of the first areas to suffer when you’re just trying to keep the lights on. But skimping on IT security is a big risk, and Baltimore is paying, with or without ransom.
Now that the city has been hacked, Mayor Young, the city of Baltimore, and hopefully more cities across the US will acknowledge their vulnerability and respond with comprehensive cyberdefense. They will need it in the months to come.
Small and mid-size businesses in every industry are targets as well. We recommend that your company’s annual IT budget equal around 2% of your overall annual revenue. You need to ensure you are investing in the right IT tools, including security, so you are seeing value and not wasting money. Platte River Networks’ Intuition Managed Services platform helps our customers with their IT roadmap budget and planning, including security, life cycle management, procurement and project management.
More detailed info about Baltimore’s IT problems is available in Gallagher’s article.