Euro Security Watch with Mathew J. Schwartz

Critical Infrastructure Security , Fraud Management & Cybercrime , Malware as-a-Service

Ransomware Hit: Tulsa Promises Recovery, Not Ransom Paying

Mayor Says 2018 Atlanta Ransom Attack Served Notice 'That We Needed to Up Our Game'
Ransomware Hit: Tulsa Promises Recovery, Not Ransom Paying
G.T. Bynum, mayor of Tulsa, Oklahoma, pictured at a 2019 event (Photo: Naval Surface Warriors via Flickr/CC)

"Ransomware attackers hold yet another city hostage - film at 11."

See Also: Live Discussion | Securing Business Growth: The Road to 24/7 Threat Detection and Response

If it feels like ransomware attacks today are stuck on repeat, that's because they are. Criminal syndicates have found an extremely profitable business model, and they're milking it for all it's worth.

"Know that your tax dollars are not going to go into the hands of criminals." 

The city of Tulsa, Oklahoma, is yet another public sector victim. But give officials credit for appearing to have strong disaster recovery processes in place and refusing to be victimized, vowing to not engage with the attackers.

"We're not going to pay any ransom," Tulsa Mayor G.T. Bynum said at a Thursday press conference.

The city, which has a population of 766,000, first announced the attack on May 9 via a post to its Facebook page.

Restoration work is continuing. "All of our computer systems - with a few exceptions - are down right now," Michael Derringer, the city's CIO, said at the press conference.

Emergency services - including police and fire services - remain fully functional, officials say. But multiple systems have been disrupted, with police, for example, having no way to offload data from their body cameras, which they would typically do via Wi-Fi, except all Wi-Fi is down. Residents also remain unable to pay bills, such as their water bills, but the city has said nothing now will come due until five days after billing systems get restored.

In the meantime, the city's mayor has vowed to "not … pay a nickel" to attackers. "We have strong systems in place here at the city of Tulsa, and we have no inclination to negotiate with cyber terrorists," he said. "We're not embarrassed to publicly say when we've been a victim, and you're not going to get hush money from us for that, and we're not going to pay to get our systems restored more quickly, when we can go through and do it ourselves."

Bynum added: "We will be completely transparent and do the hard work and avoid rewarding criminal behavior. And I think the most important audience for me that would hear that is the citizens of Tulsa, to know that your data here at the city of Tulsa is secure, and to know that your tax dollars are not going to go into the hands of criminals."

Repeat Target: US Cities

Tulsa joins a growing roster of U.S. cities - including Atlanta, Baltimore, New Orleans and many others - that have seen their systems get hit by extortionists wielding crypto-locking malware and demanding a ransom in return for a decryption tool. Many gangs now also practice double extortion, demanding separate payments in return for a promise from attackers to delete, rather than leak, stolen data, or to not "name and shame" a victim by listing it on a gang's dedicated data leak site.

For attackers, this is all fuzzy math - they typically cite a high ransom demand or demands, with a view to allowing this figure to be negotiated down. Their impetus is to get paid.

Tulsa officials have declined to name the ransomware operation that hit them and have firmly rejected its overtures. "They wanted to talk with us about what it would be for them not to announce it, and we never engaged them," Bynum told reporters on Thursday. "We just announced it ourselves."

No ransomware operation appears to have yet named Tulsa on its data leak site or otherwise taken credit for the attack.

Investigators also don't believe attackers stole any city data. "At this time, there's no evidence of any data breach, where data has left our network," Derringer said.

Phased Recovery

One salient question posed by a reporter at the Thursday press conference: "Any ETA as to when life will get back to normal for y'all?"

IT employees are working 12-hour shifts, around the clock, to get systems running again. Federal law enforcement agencies have been assisting, and are also probing the attack itself. "While some systems may take weeks to restore, mission-critical systems are a priority," Derringer said.

"From a technology perspective, it will go in phases," he said. "We have four different priorities on our systems. We've categorized those, and we'll be working through those. Many systems will come on in the next few weeks. Some systems may take up to a month to get online, and … a lot of that is just there's a number of systems that have to be checked, tested and then business-validated, because we want to make sure that the business validates the system is functioning as it was intended."

Attack on Atlanta: Wake-Up Call

The mayor said that no defenses are foolproof, and that despite the attack getting through, the city has robust systems and disaster recovery plans that it put in place following the 2018 ransomware attack against the city of Atlanta, which led to $2.6 million in cleanup costs. At the time, security experts noted the money would have been better spent on prevention.

Bynum said he - and other mayors - treated the Atlanta attack as a wake-up call. "That's when Michael and I started talking about how do we make sure that never happens to Tulsa," he said, referring to the city CIO sharing the podium with him during the press briefing. "I'll defer to him on specifics as to all the things we did. I know from a budgetary standpoint, we invest significantly in it. I'm super grateful that we have a city council that had enough foresight over the last several years to recognize the importance of this and include it in the budgets that we approved … and then realizing that we needed to up our game."

Tulsa's response stands in sharp contrast to that of many other victims, such as Colonial Pipeline Co., which was hit by the DarkSide cybercrime syndicate. Colonial Pipeline's CEO recently confirmed that his company paid a $4.4 million ransom because "it was the right thing to do for the country."

All the more relevant, then, is the business question Bynum says he's continued to pose since 2018: How do we avoid becoming the next Atlanta? (Insert the name of an organization that's relevant to your industry.)

"A key lesson for us is that we're in a position to not pay a ransom, because we made those investments," Bynum said. "Those investments were good enough to save us this time, but they might not be in the future. You always have to be thinking about how to stay ahead … and make sure that you're making the necessary investments to protect your digital infrastructure and the citizens' data, and we've had a commitment to that."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.