To pay or not to pay ransomware attackers? Is it okay to pay? And if I do pay up, will the problem go away?

These have been truly pressing questions, and not only for ransomware victims: as the recommended reading section at the end of this article shows, we too have spilled quite some digital ink on answering them. (The short answer to the questions is ‘no’ but, for better insight as well as for reasons why they may not be the right questions to ask in the first place, you may want to navigate to the articles.)

But why bring this up now, anyway?

In recent weeks, two cities in Florida have found themselves in a similar quandary after their computer systems were struck by ransomware. As it turns out, they both decided to cough up some hefty money to the cyber-extortionists.

The first to fall victim, on May 29th, was the small city of Riviera Beach, where a police department employee opened a malicious email attachment, unwittingly unleashing mayhem on the city’s computer systems and effectively forcing its staff to turn to pen and paper.

Fast forward three weeks and, heeding advice from external consultants, the municipality’s officials authorized its insurance carrier to pay 65 bitcoins (close to US$600,000 at the time) to the cybercriminals in hopes of regaining access to its computer systems, according to a New York Times report.

Barely a few days went by before another municipality in the Sunshine State gave in to extortionists’ demands. Lake City – which has been reeling from a ransomware attack going back to June 10th – authorized the payment of 42 bitcoins (some US$460,000) on Monday, with the actual ‘transaction’ to follow on the next day, according to a report by the local WCJB-TV.

All but US$10,000 was covered by what city officials described as “a good comprehensive insurance plan in place that does cover this type of an incident”. The city is said to have made multiple attempts to get its systems unlocked and up and running again after the incident disabled all of its online systems. In fact, the city’s police department said two days after the attack that recovery was going well, but apparently the efforts came to nothing.

For neither incident is there any word on what kind of prevention or business continuity measures (notably backups), if any, were in place or why they weren’t successful. Nor is it immediately clear if the post-payment recovery efforts have been successful.

According to a recent report by threat intelligence provider Recorded Future, state and local governments in the US reported 169 ransomware incidents between 2013 and April 2019.

Recommended reading

Ransomware: To pay or not to pay?
Ransomware: To pay or not to pay? (another article of the same name)
Ransomware: Should you pay the cybercriminals?
FBI: No, you shouldn’t pay ransomware extortionists
The cyber insurance question
The economics of ransomware recovery
Ransomware: Expert advice on how to keep safe and secure