
Fight back or pay? Ransomware targeting cities without DR

July 18, 2019 W. Curtis Preston, Technical Evangelist

Any organization, including city governments, that does not have a solid disaster recovery (DR) system in place is a ripe target for ransomware, which could end up costing far more than the investment in a DR system would. Interestingly enough, it doesn’t even seem to matter whether you pay the ransom or not – your organization could be unable to function for weeks or even months if you are infected with ransomware.

Consider the cities recently affected by just this. Baltimore, MD, which has been hit twice with a ransomware attack, refused to pay the ransom in both cases. This is what everyone specializing in this topic – including me – says to do, but if you’re not already equipped with a solid DR system that can quickly recover critical systems, you’re going to be down for quite a while. It appears that Baltimore has backups, but the amount of time that it’s taking to recover critical systems, and the costs of rushing a slow system, have been quite high. The city is saying these attacks have cost them more than $7.9M so far.

Baltimore should be applauded for not giving in to the ransom demand, as doing so just makes things worse for everyone. It emboldens the data kidnappers and further funds their ventures. But it is likely that no one in the city who was impacted by the outage or the cost will feel grateful.

What happens when you pay the ransom?

Lake City and Riviera Beach, both in Florida, are at the opposite end of the ransomware spectrum. Not only did both of them pay the ransom demanded by the attackers, together they paid more than $1.1M. For those unfamiliar with these two cities, neither would be considered large or wealthy by any standard. Riviera may have a big-sounding name, but it is home to just over 32,000 people in just under 10 square miles, and Lake City is just over 12 square miles and has around 12,000 people. So if the reader is thinking “I’m from a small town that would never be a target for such things,” please think again.

Lake City has received quite a bit of coverage for a few reasons. One reason is that, despite paying the ransom, critical systems are still down weeks later and the city is unsure whether it will recover all its data. The infection apparently spread to many systems, complicating recovery efforts even with the ransomware decryption keys. Another reason for the additional coverage of the Lake City incident is that the IT director has been fired as a result of what we call a “triple threat” attack, as it disabled city servers, phones, and emails. Both cities did have insurance to help pay for these ransoms, but the insurance appeared to have only paid for part of the actual ransom.

Another interesting wrinkle in the cyber-insurance story is food giant Mondelez, which had insurance specifically against cyber attacks. Their insurance provider, Zurich, declined their claim, saying their attack was from a government entity, making it an act of war not covered by their insurance. Mondelez is suing Zurich for $100M. This lawsuit will set precedent, but one thing is for sure: one cannot easily rely on insurance as a way out of the ransomware problem.

The FBI says it received 1,500 ransomware reports last year, and believes that number to be a small percentage of actual attacks. A more sobering data point is a website called ID Ransomware, which receives 1,500 requests for assistance every day. (It helps you identify what type of ransomware you have been infected with. Some ransomware products have workarounds, while others do not.)

Don’t wait to get infected

We learned from Mondelez that relying on an insurance company is clearly not the answer. Lake City showed us that paying the ransom will not immediately fix your problems, and that you as an IT leader can get fired for not protecting against ransomware. Baltimore taught us that you can be attacked multiple times – even if you did the right thing and didn’t pay the ransom.  

The only right thing to do is to prepare now for a ransomware attack. The good news is that the preparation is the same as what you should do for any real disaster, such as a fire or hurricane. A solid, well-planned, and well-tested DR plan is all you need. Druva offers the easiest and most affordable way to make sure you can easily recover if you are ever attacked. With a cloud-native disaster recovery system on AWS, Druva delivers one-click, automated recovery for on-premises and cloud workloads.
