To Pay or Not to Pay? Ransomware Demands Can Be Less Costly than Mitigation

State and local agencies around the country have been faced with this question, some absorbing massive costs as they move to rebuild what was taken by hackers.

by Deb Erdley, Tribune-Review / September 24, 2018

(TNS) — Pay now, or pay later. Leaders of the Pennsylvania Senate Democratic Caucus faced those options when hackers infected their computer system in March 2017, holding it hostage with ransomware.

Officials at the Westmoreland County Housing Authority faced the same dilemma when hackers held their computers and phones hostage in July. The Housing Authority paid a ransom of $6,500 through a single Bitcoin, a digital currency that allows users to exchange money anonymously over the Internet.

Senate Democrats balked at a demand for 28 Bitcoin — valued at just over $30,000 when the lockout began — and adhered to the FBI’s advice against paying ransom.

Instead, state records released to the Tribune-Review through a Right-to-Know request revealed taxpayers underwrote the $703,697 Microsoft charged to rebuild and enhance the system.

Thousands of public sector agencies and businesses face similar dilemmas every day, said Chris Duvall, a senior director with the Chertoff Group, a global security and risk management firm. Quoting the U.S. Department of Homeland Security, Duvall said an average of more than 4,000 ransomware attacks occur every day — or about 1.5 every minute.

Ransomware is malicious software that hackers distribute to infiltrate computer systems. It takes control of computers and systems once it finds a vulnerable entry point. Users are then left to decide whether to pay a ransom for the encryption key or to rebuild the system and attempt to recover their records.

Recent victims of ransomware attacks include a Buffalo, N.Y., hospital; the city of Atlanta; and the Professional Golfers’ Association of America, which was attacked last month.

The Erie County Medical Center in Buffalo paid $10 million to recover its 6,000 computers and system instead of paying a $30,000 ransom to hackers. Atlanta officials made a similar decision not to pay and so far have paid $6 million with another $11 million in potential costs.

Even law enforcement agencies have found themselves locked out of their computers and forced to deal with online extortionists. The Allegheny County District Attorney’s Office paid a ransom of $1,400 in bitcoin in late 2016.

Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University’s Cylab, said there are two ways to look at such dilemmas.

“There is a possibility that paying the ransom is the cheaper option, but the FBI says it sets a bad precedent for future incidents and you are more likely to be attacked again. And if you already have a ransomware strategy and recovery mechanism in place, the cost of repair might not be that high,” Sekar said.

Businessman Dan Wukich, who chairs the Westmoreland County Housing Authority, said officials there made the right choice when they agreed to pay ransom.

“It was a bargain,” Wukich said.

But it doesn’t always work out that way.

“When we advise our clients, we recommend seriously considering not paying the ransom, but we also say it is up to key leaders to do cost-benefit analysis,” Duvall said. “If you do get your key back, it may not mean they’re out of the system. That may have just been one prong of the attack. And you can pay and not get your key back. And we’re seeing that happen more and more.”

Although some ransomware attacks are perpetrated by lone hackers, experts say others are launched as attacks by hostile states dabbling in cyber warfare or sophisticated crime syndicates that operate like businesses.

Sen. Jay Costa, leader of the Pennsylvania Senate Democratic Caucus, said officials in Harrisburg still don’t know who hacked their system.

“And we were instructed not to speculate,” he said.

Duvall said NotPetya, a global cyberattack that authorities believe Russia launched against Ukraine, eventually knocked out transportation, health care, shipping and public-sector computers in Europe and the United Kingdom.

When system owners paid up, some got their computers back. “But a good portion did not,” Duvall said. “(The hackers) weren’t interested in the money, but in the destructive capacity of the software.”

Sekar said the takeaway from such attacks is the scope of the vulnerabilities out there and the need for constant vigilance.

“You need to want to have best practices and strategies in place to deal with these things. People should not have their machines exposed on the Internet. The second is you should probably have recovery systems and backups in place. Make it part of your DNA to say, ‘I’m going to back up things every day.’ And if the backup is not connected (to the Internet), your recovery costs will be a lot lower,” Sekar said.

Costa declined to say exactly what Microsoft did to rebuild the caucus computer system and put safeguards in place. Part of the work referenced in the repair contract was planned maintenance, he said.

Nonetheless, the attack was a wake-up call, a lesson learned for the Pennsylvania General Assembly.

“The other caucuses and administration were keenly aware of our situation and took steps to address their own cybersecurity,” Costa said. “Through the process, we shared the details of our experience to assist them in enhancing their own security measures.”

©2018 Tribune-Review (Greensburg, Pa.), Distributed by Tribune Content Agency, LLC.