Ransomware Attacks Create Dilemma For Cities Several cities around the country have had their computer networks taken over by hackers and held for ransom. Paying up resolves the problem quickly, but could encourage more of the extortion.

Ransomware Attacks Create Dilemma For Cities: Pay Up Or Resist?

  • Download
  • <iframe src="https://www.npr.org/player/embed/739999730/739999733" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


It's been a bad few months for government IT departments across the U.S. Hackers have used ransomware to attack the data networks of Baltimore, the Georgia court system and Lake City, Fla., to name just a few places. As NPR's Wade Goodwyn reports, these governments are struggling to decide whether to pay up.

WADE GOODWYN, BYLINE: It started out as a nice, normal Monday morning in June at Lake City, Fla., City Hall. But then someone in IT noticed something was wrong with the network - something so, so wrong.

MIKE LEE: They immediately brought everything offline. They turned off the servers. They literally went, like, room to room through city hall, like, unplugging people's network cables and turning off all computers.

GOODWYN: Mike Lee is a sergeant with the Lake City Police Department. Lee says after everything was disconnected, there was a tiny bit of hope that maybe they caught it before everything was encrypted. Lee says in Lake City's case, that hope was forlorn.

LEE: And in hindsight, yeah, the riot (ph) ransomware attack quietly makes its way through the entire system. And then it encrypts everything at once and sends you a ransom. So we kind of cut it off partway through, but, you know, a lot of the damage had already been done.

GOODWYN: Business at city hall didn't so much grind to a halt. It was more like a finger snap. And how much did the crooks want for the decryption key that would restore Lake City's information systems?

LEE: Their payment request was for 42 bitcoins. At the time of the purchase, it was roughly $460,000.

GOODWYN: Lake City officials notified state and federal law enforcement and then called their insurance company - the Florida League of Cities.

ERIC HARTWELL: We put them in touch with a cybersecurity firm that would, essentially, pick up the reins and walk them through the process.

GOODWYN: Eric Hartwell is the insurance counsel at the 500-plus member Florida League of Cities.

HARTWELL: Every city is kind of like a business. They've got to evaluate, what data is missing? What kind of backup information do we have? Is it reliable? - whether or not to cooperate with what the demand has been or whether or not to stand pat.

GOODWYN: Not paying often means replacing equipment and, basically, starting over. That's a lot more costly than paying the ransom. The city of Baltimore decided not to pay the 13 bitcoin ransom demand - roughly $75,000 - when their systems were hacked with RobbinHood ransomware. The cost of Mayor Jack Young's principled stand has topped $18 million. Back in Florida, Lake City Police Sgt. Mike Lee said they were advised to pay the hackers.

LEE: Yes, we have received the decryption key. And we are slowly making our way through our system a little at a time. And at this point, that key has proven successful where we've used it.

GOODWYN: The Lake City taxpayers had to pick up the $10,000 deductible, but the rest was paid by insurance. Ransomware crime is many times more lucrative than, say, bank robbery, with the advantage of no weapons, disguises, getaway cars, police chases - in fact, practically no risk of getting caught at all.

AMANDA VIDELL: We see these types of attacks happen every day all across the country.

GOODWYN: Amanda Videll is with the FBI, which is investigating Lake City's attack. Videll says even though ransomware hacks are much more common than is generally understood, the official numbers are nevertheless an underrepresentation. That's because businesses sometimes decide not to report they were targeted because getting hacked carries a stigma, which can be bad for business.

VIDELL: We are trying to encourage any victim of ransomware, whether it be a business or an individual or a city agency or a government agency, to report that to the FBI directly before they decide to take any action; basically, whether or not to pay.

GOODWYN: From the FBI's point of view, paying ransom encourages more hacking. And when a private business doesn't report a ransomware attack, it's an added boon for the extortionists. The FBI says it's not unsympathetic toward the victim's plight and dilemma, but paying data-hostage-takers has to stop or the attacks never will.

BRYAN GARDNER: OK. So this is the data - our data center. We actually have some cloud presence too. So, like, all of our major systems reside here.

GOODWYN: Dr. Bryan Gardner is a chief information security officer for the city of Dallas. Gardner has watched with concern as cities, hospitals, court systems and other vital public institutions' information systems have been hacked and encrypted. Dallas follows the best security practices outlined by the National Institute of Standards and Technology, known as NIST. But Gardner says municipal information security officers know their system could be next.

GARDNER: Right now it's 197 days before a breach is detected, normally. That's the average. So you're talking 200 days that they've been in, looking around. They know your system probably better than you do.

GOODWYN: Last week, the administrative office of the Georgia courts became the latest victim to have its data encrypted by ransomware. That follows on the heels of last year's attack, when the city of Atlanta's computer network was hacked and $51,000 in ransom demanded. To the FBI's satisfaction, Atlanta refused to pay. But the resulting damage has been estimated to cost around $17 million.

Wade Goodwyn, NPR News, Dallas.


Copyright © 2019 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.