A Ransomware Tale: Mayor Describes City's Decisions
Mayor of New Bedford, Massachusetts, Details Response to Ryuk Attack
The mayor of New Bedford, Massachusetts, took the unusual step this week of holding a press conference to describe a recent ransomware attack and explain why the city decided not to pay the $5.3 million ransom that was demanded.
Mayor Jon Mitchell described how the attackers first demanded $5.3 million in ransom, and the city countered with a $400,000 payment that its insurer had agreed to pay. When attackers did not respond to that offer, the city decided to continue moving forward with restoring systems and data through backups, the mayor said.
Mitchell said the city decided to negotiate with the attackers to give its IT department enough time to see if it could restore systems on its own.
Mitchell revealed that New Bedford was hit with a variation of the Ryuk ransomware strain, which has appeared in other attacks, including some of those that have targeted local and state governments (see: Second Florida City Pays Up Following Ransomware Attack).
“Ryuk has been implicated in attacks on government, education and private-sector networks across the globe, and these attacks have been escalating in their frequency, technical sophistication and the size of the ransom demands,” Mitchell said at the press conference.
Since New Bedford first detected the ransomware attack on July 5, its management information systems department has completely rebuilt its server network, restored most software applications and replaced all of the computer workstations that were affected, the mayor said on Wednesday.
A total of 158 computers were affected by the Ryuk ransomware attack, or roughly 4 percent of the 3,500 desktops and laptops used by city employees, Mitchell said. New Bedford has a population of about 95,000.
Quick Detection and Response
Mitchell said several factors helped the city keep the ransomware from spreading further within its network.
For example, the mayor noted that because the attack happened over the July 4 holiday, many city employees were not working, which helped contain the attack. In addition, the city's infrastructure is compartmentalized, which also helped keep the ransomware from spreading.
“The city’s computer network was compartmentalized to a certain degree, so key departments were either spared from being identified and targeted by the virus or were quickly protected by being disconnected from the network,” the mayor said, according to a transcript of the conference provided by the South Coast Today website.
The mayor explained that after the IT staff returned from the holiday break, they noticed unusual network activity, which prompted the IT director to shut down systems to keep the ransomware from spreading further.
During the attack, Mitchell noted, none of the city's emergency services were disrupted. The city's financial management system, however, was unavailable for some time.
Demand for Ransom
As IT staff worked to restore systems, Mitchell and city officials were engaged in discussions with the attackers.
“The attacker responded with a ransom demand, specifically that it would provide a 'decryption key' to unlock the encrypted files in return for a bitcoin payment equal to $5.3 million,” Mitchell said.
When the city made the counteroffer of $400,000, which was what New Bedford's cyber insurance would cover and was in line with ransoms paid after attacks in Florida and Georgia, the attackers stopped communicating. That left the IT department to recover and rebuild its systems through backups, Mitchell noted.
As New Bedford continues to recover from the attack, Mitchell noted, the city has started to add more security around its endpoints to help mitigate the impact of another incident.
The city is also providing legal notices to local residents in the event that any personal data was exposed, although it's not clear at this time if any data leaked due to the ransomware attack, the mayor said.
“While the city remains unaware of any theft of data by the attackers, the encryption of certain log data prevents us from completely ruling out access to any specific personal data,” Mitchell said.
Should Cities Pay Ransom?
Cities across the U.S. have struggled with the decision of whether to pay a ransom to recover their data and IT infrastructure after an attack.
The FBI discourages ransom payments because they could encourage additional attacks.
In July, the U.S. Conference of Mayors adopted a resolution encouraging local elected officials not to pay ransoms during these types of attacks.
Earlier this year, the city of Baltimore refused to pay a ransom after an attack, but it faced hefty recovery costs (see: Baltimore Ransomware Attack Costing City $18 Million).
But a number of other cities have chosen to pay a ransom in hopes of speeding up restoration of their systems.
For example, in June, Riviera Beach, Florida, agreed to pay hackers about $600,000 in bitcoin to end a ransomware attack that crippled the city's IT infrastructure for nearly a month (see: Florida City Paying $600,000 to End Ransomware Attack).
That same month, Lake City, Florida, voted to authorize the municipality's insurance carrier to pay 42 bitcoins, or about $530,000, to ransomware attackers.
Sam Curry, the chief security officer at security vendor Cybereason, tells Information Security Media Group that New Bedford appears to have followed best practices for limiting the impact of a ransomware attack.
"The key capabilities should be to identify ransomware early, to limit its spread, to recover data from backups, to resume operation, and to prevent re-infection," Curry says. "If we can reduce the recovery time to zero, we won’t need to pay ransoms; we will be able to ignore them. We aren’t there yet. But we can work on getting closer."
(Managing Editor Scott Ferguson contributed to this report.)